sibujs 1.2.0 → 1.4.0

package/dist/plugins.d.cts

@@ -1,4 +1,4 @@
-import { T as TrustedHTML } from './ssr-BA6sxxUd.cjs';
+import { T as TrustedHTML } from './ssr-Do_SiVoL.cjs';
 export { P as PluginContext, S as SibuPlugin, c as createPlugin, i as inject, p as plugin, r as resetPlugins, t as triggerPluginError, a as triggerPluginMount, b as triggerPluginUnmount } from './plugin-Bek4RhJY.cjs';
 export { M as Migration, S as SemVer, V as VERSION, b as bundlerMetadata, c as checkCompatibility, a as compareSemVer, d as createBootSequence, e as createBundle, f as createMigrationRunner, g as createModuleRegistry, h as createSSRCache, i as createTestHarness, j as deferNonCritical, k as env, l as healthCheck, m as lazyModule, p as packageInfo, n as parseSemVer, o as preloadCritical, q as prerenderRoutes, s as satisfies } from './startup-0Qv6aosO.cjs';
 
@@ -74,7 +74,19 @@ interface AsyncRoute extends RouteBase {
 interface RedirectRoute extends RouteBase {
     readonly redirect: string | ((to: RouteContext) => string);
 }
-type RouteDef = ComponentRoute | AsyncRoute | RedirectRoute;
+/**
+ * A route whose component is loaded on first visit via a dynamic
+ * `import()`. This is the ergonomic shorthand for
+ * `{ component: lazy(() => import("./Page")) }`.
+ *
+ * The loader must return a module with a `default` Component export.
+ */
+interface LazyRoute extends RouteBase {
+    readonly lazy: () => Promise<{
+        default: Component;
+    }>;
+}
+type RouteDef = ComponentRoute | AsyncRoute | RedirectRoute | LazyRoute;
 interface RouterOptions {
     readonly mode?: "history" | "hash";
     readonly base?: string;
@@ -381,6 +393,11 @@ declare function renderRouteToString(url: string, routes: SSRRouteDef[], _option
 /**
  * Generate the full HTML document for a route including serialized state.
  * Uses renderToDocument pattern with embedded route state.
+ *
+ * Security: meta/link attribute names are validated against
+ * `SAFE_ATTR_NAME`, URL attributes are routed through `sanitizeUrl`,
+ * `title` is HTML-escaped, and the embedded state script escapes
+ * `U+2028` / `U+2029` plus the usual `<`/`>`/`&` trio.
  */
 declare function renderRouteToDocument(url: string, routes: SSRRouteDef[], options?: {
     title?: string;
@@ -388,12 +405,17 @@ declare function renderRouteToDocument(url: string, routes: SSRRouteDef[], optio
     links?: Record<string, string>[];
     scripts?: string[];
     headExtra?: TrustedHTML;
+    nonce?: string;
 }): string;
 /**
  * Serialize route state for embedding in HTML.
  * Uses a specific key (__SIBU_ROUTE_STATE__) distinct from the generic SSR data key.
+ *
+ * Security: escapes `<`/`>`/`&` and the ES line-terminator pairs
+ * `U+2028` / `U+2029`. Supports an optional `nonce` attribute for
+ * strict-CSP compatibility.
  */
-declare function serializeRouteState(state: SSRRouteState): string;
+declare function serializeRouteState(state: SSRRouteState, nonce?: string): string;
 /**
  * Deserialize route state on the client from server-embedded data.
  * Reads from window.__SIBU_ROUTE_STATE__.
@@ -430,7 +452,8 @@ declare function createSSRRouter(routes: SSRRouteDef[]): {
         links?: Record<string, string>[];
         scripts?: string[];
         headExtra?: TrustedHTML;
+        nonce?: string;
     }) => string;
 };
 
-export { type AsyncComponent, type AsyncRoute, type Component, type ComponentRoute, type Guard, type GuardResult, KeepAliveRoute, type LazyComponent, type NavigationFailure, type NavigationGuard, type NavigationNext, type NavigationResult, type NavigationTarget, Outlet, type Params, type RedirectRoute, Route, type RouteBase, type RouteContext, type RouteDef, type RouteMeta, type RouteTransitionOptions, RouterLink, type RouterOptions, type RouterPlugin, type SSRRouteDef, type SSRRouteState, type ScrollBehavior, type ScrollPosition, SibuRouter, Suspense, Trans, addRoute, afterEach, back, beforeEach, beforeResolve, buildURL, createMemoryRouter, createRouter, createSSRRouter, deserializeRouteState, destroyRouter, forward, getAvailableLocales, getLocale, getRouteInfo, getRouteTransition, go, hasRoute, hasTranslation, hydrateRouter, lazy, navigate, preloadRoute, push, registerTranslations, removeRoute, renderRouteToDocument, renderRouteToString, replace, resolveServerRoute, route, router, routerPlugin, routerState, serializeRouteState, setLocale, setRouteTransition, setRoutes, t };
+export { type AsyncComponent, type AsyncRoute, type Component, type ComponentRoute, type Guard, type GuardResult, KeepAliveRoute, type LazyComponent, type LazyRoute, type NavigationFailure, type NavigationGuard, type NavigationNext, type NavigationResult, type NavigationTarget, Outlet, type Params, type RedirectRoute, Route, type RouteBase, type RouteContext, type RouteDef, type RouteMeta, type RouteTransitionOptions, RouterLink, type RouterOptions, type RouterPlugin, type SSRRouteDef, type SSRRouteState, type ScrollBehavior, type ScrollPosition, SibuRouter, Suspense, Trans, addRoute, afterEach, back, beforeEach, beforeResolve, buildURL, createMemoryRouter, createRouter, createSSRRouter, deserializeRouteState, destroyRouter, forward, getAvailableLocales, getLocale, getRouteInfo, getRouteTransition, go, hasRoute, hasTranslation, hydrateRouter, lazy, navigate, preloadRoute, push, registerTranslations, removeRoute, renderRouteToDocument, renderRouteToString, replace, resolveServerRoute, route, router, routerPlugin, routerState, serializeRouteState, setLocale, setRouteTransition, setRoutes, t };

package/dist/plugins.d.ts

@@ -1,4 +1,4 @@
-import { T as TrustedHTML } from './ssr-BA6sxxUd.js';
+import { T as TrustedHTML } from './ssr-Do_SiVoL.js';
 export { P as PluginContext, S as SibuPlugin, c as createPlugin, i as inject, p as plugin, r as resetPlugins, t as triggerPluginError, a as triggerPluginMount, b as triggerPluginUnmount } from './plugin-Bek4RhJY.js';
 export { M as Migration, S as SemVer, V as VERSION, b as bundlerMetadata, c as checkCompatibility, a as compareSemVer, d as createBootSequence, e as createBundle, f as createMigrationRunner, g as createModuleRegistry, h as createSSRCache, i as createTestHarness, j as deferNonCritical, k as env, l as healthCheck, m as lazyModule, p as packageInfo, n as parseSemVer, o as preloadCritical, q as prerenderRoutes, s as satisfies } from './startup-0Qv6aosO.js';
 
@@ -74,7 +74,19 @@ interface AsyncRoute extends RouteBase {
 interface RedirectRoute extends RouteBase {
     readonly redirect: string | ((to: RouteContext) => string);
 }
-type RouteDef = ComponentRoute | AsyncRoute | RedirectRoute;
+/**
+ * A route whose component is loaded on first visit via a dynamic
+ * `import()`. This is the ergonomic shorthand for
+ * `{ component: lazy(() => import("./Page")) }`.
+ *
+ * The loader must return a module with a `default` Component export.
+ */
+interface LazyRoute extends RouteBase {
+    readonly lazy: () => Promise<{
+        default: Component;
+    }>;
+}
+type RouteDef = ComponentRoute | AsyncRoute | RedirectRoute | LazyRoute;
 interface RouterOptions {
     readonly mode?: "history" | "hash";
     readonly base?: string;
@@ -381,6 +393,11 @@ declare function renderRouteToString(url: string, routes: SSRRouteDef[], _option
 /**
  * Generate the full HTML document for a route including serialized state.
  * Uses renderToDocument pattern with embedded route state.
+ *
+ * Security: meta/link attribute names are validated against
+ * `SAFE_ATTR_NAME`, URL attributes are routed through `sanitizeUrl`,
+ * `title` is HTML-escaped, and the embedded state script escapes
+ * `U+2028` / `U+2029` plus the usual `<`/`>`/`&` trio.
  */
 declare function renderRouteToDocument(url: string, routes: SSRRouteDef[], options?: {
     title?: string;
@@ -388,12 +405,17 @@ declare function renderRouteToDocument(url: string, routes: SSRRouteDef[], optio
     links?: Record<string, string>[];
     scripts?: string[];
     headExtra?: TrustedHTML;
+    nonce?: string;
 }): string;
 /**
  * Serialize route state for embedding in HTML.
  * Uses a specific key (__SIBU_ROUTE_STATE__) distinct from the generic SSR data key.
+ *
+ * Security: escapes `<`/`>`/`&` and the ES line-terminator pairs
+ * `U+2028` / `U+2029`. Supports an optional `nonce` attribute for
+ * strict-CSP compatibility.
  */
-declare function serializeRouteState(state: SSRRouteState): string;
+declare function serializeRouteState(state: SSRRouteState, nonce?: string): string;
 /**
  * Deserialize route state on the client from server-embedded data.
  * Reads from window.__SIBU_ROUTE_STATE__.
@@ -430,7 +452,8 @@ declare function createSSRRouter(routes: SSRRouteDef[]): {
         links?: Record<string, string>[];
         scripts?: string[];
         headExtra?: TrustedHTML;
+        nonce?: string;
     }) => string;
 };
 
-export { type AsyncComponent, type AsyncRoute, type Component, type ComponentRoute, type Guard, type GuardResult, KeepAliveRoute, type LazyComponent, type NavigationFailure, type NavigationGuard, type NavigationNext, type NavigationResult, type NavigationTarget, Outlet, type Params, type RedirectRoute, Route, type RouteBase, type RouteContext, type RouteDef, type RouteMeta, type RouteTransitionOptions, RouterLink, type RouterOptions, type RouterPlugin, type SSRRouteDef, type SSRRouteState, type ScrollBehavior, type ScrollPosition, SibuRouter, Suspense, Trans, addRoute, afterEach, back, beforeEach, beforeResolve, buildURL, createMemoryRouter, createRouter, createSSRRouter, deserializeRouteState, destroyRouter, forward, getAvailableLocales, getLocale, getRouteInfo, getRouteTransition, go, hasRoute, hasTranslation, hydrateRouter, lazy, navigate, preloadRoute, push, registerTranslations, removeRoute, renderRouteToDocument, renderRouteToString, replace, resolveServerRoute, route, router, routerPlugin, routerState, serializeRouteState, setLocale, setRouteTransition, setRoutes, t };
+export { type AsyncComponent, type AsyncRoute, type Component, type ComponentRoute, type Guard, type GuardResult, KeepAliveRoute, type LazyComponent, type LazyRoute, type NavigationFailure, type NavigationGuard, type NavigationNext, type NavigationResult, type NavigationTarget, Outlet, type Params, type RedirectRoute, Route, type RouteBase, type RouteContext, type RouteDef, type RouteMeta, type RouteTransitionOptions, RouterLink, type RouterOptions, type RouterPlugin, type SSRRouteDef, type SSRRouteState, type ScrollBehavior, type ScrollPosition, SibuRouter, Suspense, Trans, addRoute, afterEach, back, beforeEach, beforeResolve, buildURL, createMemoryRouter, createRouter, createSSRRouter, deserializeRouteState, destroyRouter, forward, getAvailableLocales, getLocale, getRouteInfo, getRouteTransition, go, hasRoute, hasTranslation, hydrateRouter, lazy, navigate, preloadRoute, push, registerTranslations, removeRoute, renderRouteToDocument, renderRouteToString, replace, resolveServerRoute, route, router, routerPlugin, routerState, serializeRouteState, setLocale, setRouteTransition, setRoutes, t };

package/dist/plugins.js

@@ -18,10 +18,11 @@ import {
   preloadCritical,
   prerenderRoutes,
   satisfies
-} from "./chunk-RQGQSLQK.js";
+} from "./chunk-M4NLBH4I.js";
 import {
+  escapeScriptJson,
   renderToString
-} from "./chunk-WUHJISPP.js";
+} from "./chunk-3X2YG6YM.js";
 import {
   createPlugin,
   inject,
@@ -33,22 +34,26 @@ import {
 } from "./chunk-K5ZUMYVS.js";
 import {
   span
-} from "./chunk-GCOK2LC3.js";
+} from "./chunk-32DY64NT.js";
+import "./chunk-F3FA4F32.js";
 import {
   dispose,
   registerDisposer
-} from "./chunk-B7SWRFUT.js";
-import "./chunk-23VV7YD3.js";
+} from "./chunk-PTQJDMRT.js";
+import {
+  sanitizeUrl
+} from "./chunk-CMBFNA7L.js";
 import {
   effect
-} from "./chunk-6SA3QQES.js";
-import "./chunk-CHJ27IGK.js";
+} from "./chunk-CHF5OHIA.js";
+import "./chunk-EUZND3CB.js";
+import {
+  signal
+} from "./chunk-WZSPOOER.js";
 import {
-  signal,
   track
-} from "./chunk-V2XTI523.js";
-import "./chunk-UNXCEF6S.js";
-import "./chunk-MLKGABMK.js";
+} from "./chunk-ZD6OAMTH.js";
+import "./chunk-5X6PP2UK.js";
 
 // src/plugins/i18n.ts
 var [currentLocale, setLocaleInternal] = signal("en");
@@ -81,6 +86,10 @@ function getAvailableLocales() {
 }
 
 // src/plugins/router.ts
+function isSafeNavigationTarget(path) {
+  if (path === "") return true;
+  return sanitizeUrl(path) !== "";
+}
 var LRUCache = class {
   constructor(maxSize = 100) {
     this.cache = /* @__PURE__ */ new Map();
@@ -566,6 +575,11 @@ var _SibuRouter = class _SibuRouter {
     try {
       await this.navigator.navigate(async (signal2) => {
         const targetPath = this.resolvePath(to);
+        if (!isSafeNavigationTarget(targetPath)) {
+          const from2 = this.currentRouteGetter();
+          const toContext2 = this.createRouteContext(targetPath);
+          throw new NavigationFailureError("aborted", from2, toContext2);
+        }
         const from = this.currentRouteGetter();
         const toContext = this.createRouteContext(targetPath);
         if (this.isSameRoute(from, toContext)) {
@@ -595,6 +609,9 @@ var _SibuRouter = class _SibuRouter {
     const beforeEachResult = await this.guards.runBeforeEach(to, from, signal2);
     if (beforeEachResult !== true) {
       if (typeof beforeEachResult === "string") {
+        if (!isSafeNavigationTarget(beforeEachResult)) {
+          throw new NavigationFailureError("aborted", from, to);
+        }
         return this.performNavigation(this.createRouteContext(beforeEachResult), from, options, signal2, depth + 1);
       }
       throw new NavigationFailureError("aborted", from, to);
@@ -610,6 +627,9 @@ var _SibuRouter = class _SibuRouter {
             const result = await guard(to, from);
             if (result !== true) {
               if (typeof result === "string") {
+                if (!isSafeNavigationTarget(result)) {
+                  throw new NavigationFailureError("aborted", from, to);
+                }
                 return this.performNavigation(this.createRouteContext(result), from, options, signal2, depth + 1);
               }
               throw new NavigationFailureError("aborted", from, to);
@@ -624,12 +644,18 @@ var _SibuRouter = class _SibuRouter {
             `[SibuJS Router] Redirect to absolute URL "${redirectPath}" detected. Use relative paths for safer redirects.`
           );
         }
+        if (typeof redirectPath === "string" && !isSafeNavigationTarget(redirectPath)) {
+          throw new NavigationFailureError("aborted", from, to);
+        }
         return this.performNavigation(this.createRouteContext(redirectPath), from, options, signal2, depth + 1);
       }
     }
     const beforeResolveResult = await this.guards.runBeforeResolve(to, from, signal2);
     if (beforeResolveResult !== true) {
       if (typeof beforeResolveResult === "string") {
+        if (!isSafeNavigationTarget(beforeResolveResult)) {
+          throw new NavigationFailureError("aborted", from, to);
+        }
         return this.performNavigation(this.createRouteContext(beforeResolveResult), from, options, signal2, depth + 1);
       }
       throw new NavigationFailureError("aborted", from, to);
@@ -789,13 +815,31 @@ var NavigationFailureError = class extends Error {
   }
 };
 var globalRouter = null;
+function normalizeRoutes(routes) {
+  return routes.map((route2) => {
+    const normalizedChildren = route2.children && route2.children.length > 0 ? normalizeRoutes(route2.children) : route2.children;
+    if ("lazy" in route2 && typeof route2.lazy === "function") {
+      const { lazy: importFn, ...rest } = route2;
+      const asyncRoute = {
+        ...rest,
+        component: lazy(importFn),
+        children: normalizedChildren
+      };
+      return asyncRoute;
+    }
+    if (normalizedChildren !== route2.children) {
+      return { ...route2, children: normalizedChildren };
+    }
+    return route2;
+  });
+}
 function createRouter(routesOrOptions, options = {}) {
   if (globalRouter) {
     globalRouter.destroy();
   }
   let routes;
   if (Array.isArray(routesOrOptions)) {
-    routes = routesOrOptions;
+    routes = normalizeRoutes(routesOrOptions);
   } else {
     options = routesOrOptions;
     routes = [];
@@ -805,7 +849,7 @@ function createRouter(routesOrOptions, options = {}) {
 }
 function setRoutes(routes) {
   if (!globalRouter) throw new Error("Router not initialized. Call createRouter() first.");
-  globalRouter.updateRoutes(routes);
+  globalRouter.updateRoutes(normalizeRoutes(routes));
 }
 function route() {
   if (!globalRouter) throw new Error("Router not initialized. Call createRouter() first.");
@@ -1385,6 +1429,20 @@ function createMemoryRouter(routes, _initialPath = "/") {
 }
 
 // src/plugins/routerSSR.ts
+var FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function isForbiddenKey(key) {
+  return FORBIDDEN_KEYS.has(key);
+}
+function safeDecode(raw) {
+  try {
+    return decodeURIComponent(raw);
+  } catch {
+    return raw;
+  }
+}
+function nullObject() {
+  return /* @__PURE__ */ Object.create(null);
+}
 function parseURL(url) {
   let remaining = url;
   let hash = "";
@@ -1400,19 +1458,23 @@ function parseURL(url) {
     remaining = remaining.slice(0, queryIndex);
   }
   const path = remaining || "/";
-  const query = {};
+  const query = nullObject();
   if (queryString) {
     const pairs = queryString.split("&");
     for (const pair of pairs) {
       if (!pair) continue;
       const eqIndex = pair.indexOf("=");
+      let key;
+      let value;
       if (eqIndex === -1) {
-        query[decodeURIComponent(pair)] = "";
+        key = safeDecode(pair);
+        value = "";
       } else {
-        const key = decodeURIComponent(pair.slice(0, eqIndex));
-        const value = decodeURIComponent(pair.slice(eqIndex + 1));
-        query[key] = value;
+        key = safeDecode(pair.slice(0, eqIndex));
+        value = safeDecode(pair.slice(eqIndex + 1));
       }
+      if (isForbiddenKey(key)) continue;
+      query[key] = value;
     }
   }
   return { path, query, hash };
@@ -1470,10 +1532,12 @@ function matchRoute(path, routes, parentPath = "", parentChain = []) {
     const compiled = compilePattern(fullPath);
     const match = path.match(compiled.regex);
     if (match) {
-      const params = {};
+      const params = nullObject();
       for (let i = 0; i < compiled.keys.length; i++) {
+        const key = compiled.keys[i];
+        if (isForbiddenKey(key)) continue;
         if (match[i + 1] !== void 0) {
-          params[compiled.keys[i]] = decodeURIComponent(match[i + 1]);
+          params[key] = safeDecode(match[i + 1]);
         }
       }
       return {
@@ -1508,7 +1572,7 @@ function resolveServerRouteInternal(url, routes, depth) {
     return {
       route: {
         path: normalizedPath,
-        params: {},
+        params: nullObject(),
         query,
         hash,
         meta: {}
@@ -1568,20 +1632,26 @@ function renderRouteToString(url, routes, _options) {
 function renderRouteToDocument(url, routes, options) {
   const { html, state } = renderRouteToString(url, routes, options);
   const opts = options || {};
-  const metaTags = (opts.meta || []).map(
-    (attrs) => `<meta ${Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(" ")} />`
-  ).join("\n    ");
-  const linkTags = (opts.links || []).map(
-    (attrs) => `<link ${Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(" ")} />`
-  ).join("\n    ");
-  const scriptTags = (opts.scripts || []).map((src) => `<script src="${escapeAttr(src)}"></script>`).join("\n    ");
-  const stateScript = serializeRouteState(state);
+  const metaTags = (opts.meta || []).map((attrs) => {
+    const pairs = buildSafeAttrString(attrs);
+    return pairs ? `<meta ${pairs} />` : "";
+  }).filter(Boolean).join("\n    ");
+  const linkTags = (opts.links || []).map((attrs) => {
+    const pairs = buildSafeAttrString(attrs);
+    return pairs ? `<link ${pairs} />` : "";
+  }).filter(Boolean).join("\n    ");
+  const scriptTags = (opts.scripts || []).map((src) => {
+    const safe = sanitizeUrlLocal(String(src));
+    if (!safe) return "";
+    return `<script src="${escapeAttrLocal(safe)}"></script>`;
+  }).filter(Boolean).join("\n    ");
+  const stateScript = serializeRouteState(state, opts.nonce);
   return `<!DOCTYPE html>
 <html>
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    ${opts.title ? `<title>${escapeHtml(opts.title)}</title>` : ""}
+    ${opts.title ? `<title>${escapeHtmlLocal(opts.title)}</title>` : ""}
     ${metaTags}
     ${linkTags}
     ${opts.headExtra || ""}
@@ -1593,9 +1663,10 @@ function renderRouteToDocument(url, routes, options) {
   </body>
 </html>`;
 }
-function serializeRouteState(state) {
-  const json = JSON.stringify(state).replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026");
-  return `<script>window.${SSR_ROUTE_STATE_KEY}=${json}</script>`;
+function serializeRouteState(state, nonce) {
+  const json = escapeScriptJson(JSON.stringify(state));
+  const nonceAttr = nonce ? ` nonce="${escapeAttrLocal(nonce)}"` : "";
+  return `<script${nonceAttr}>window.${SSR_ROUTE_STATE_KEY}=${json}</script>`;
 }
 function deserializeRouteState() {
   if (typeof window === "undefined") return void 0;
@@ -1612,7 +1683,7 @@ function hydrateRouter(routes, options) {
   if (container && serverState.path) {
     const resolved = resolveServerRoute(serverState.path, routes);
     if (resolved.component) {
-      import("./ssr-3RXHP5ES.js").then(({ hydrate }) => {
+      import("./ssr-4PBXAOO3.js").then(({ hydrate }) => {
         if (resolved.component) {
           hydrate(resolved.component, container);
         }
@@ -1633,11 +1704,59 @@ function createSSRRouter(routes) {
     }
   };
 }
-function escapeHtml(str) {
+var SAFE_ATTR_NAME = /^[A-Za-z_:][-A-Za-z0-9_.:]*$/;
+function isSafeAttrName(name) {
+  return SAFE_ATTR_NAME.test(name);
+}
+function isEventHandlerAttr(name) {
+  if (name.length < 3) return false;
+  const lower = name.toLowerCase();
+  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
+}
+var URL_ATTRS = /* @__PURE__ */ new Set([
+  "href",
+  "src",
+  "action",
+  "formaction",
+  "cite",
+  "poster",
+  "background",
+  "srcset",
+  "ping",
+  "manifest",
+  "data",
+  "xlink:href"
+]);
+function sanitizeUrlLocal(url) {
+  const trimmed = url.replace(/[\x00-\x20\x7f-\x9f]+/g, "").trim();
+  if (!trimmed) return "";
+  const lower = trimmed.toLowerCase();
+  if (lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:") || lower.startsWith("blob:")) {
+    return "";
+  }
+  return trimmed;
+}
+function buildSafeAttrString(attrs) {
+  const out = [];
+  for (const rawKey of Object.keys(attrs)) {
+    if (!Object.hasOwn(attrs, rawKey)) continue;
+    if (!isSafeAttrName(rawKey)) continue;
+    if (isEventHandlerAttr(rawKey)) continue;
+    const lowerKey = rawKey.toLowerCase();
+    let value = String(attrs[rawKey]);
+    if (URL_ATTRS.has(lowerKey)) {
+      value = sanitizeUrlLocal(value);
+      if (!value) continue;
+    }
+    out.push(`${rawKey}="${escapeAttrLocal(value)}"`);
+  }
+  return out.join(" ");
+}
+function escapeHtmlLocal(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-function escapeAttr(str) {
-  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+function escapeAttrLocal(str) {
+  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 export {
   KeepAliveRoute,

package/dist/ssr-4PBXAOO3.js

@@ -0,0 +1,40 @@
+import {
+  collectStream,
+  deserializeState,
+  escapeScriptJson,
+  hydrate,
+  hydrateIslands,
+  hydrateProgressively,
+  island,
+  renderToDocument,
+  renderToReadableStream,
+  renderToStream,
+  renderToString,
+  renderToSuspenseStream,
+  resetSSRState,
+  serializeState,
+  ssrSuspense,
+  suspenseSwapScript,
+  trustHTML
+} from "./chunk-3X2YG6YM.js";
+import "./chunk-CMBFNA7L.js";
+import "./chunk-5X6PP2UK.js";
+export {
+  collectStream,
+  deserializeState,
+  escapeScriptJson,
+  hydrate,
+  hydrateIslands,
+  hydrateProgressively,
+  island,
+  renderToDocument,
+  renderToReadableStream,
+  renderToStream,
+  renderToString,
+  renderToSuspenseStream,
+  resetSSRState,
+  serializeState,
+  ssrSuspense,
+  suspenseSwapScript,
+  trustHTML
+};