sibujs 3.0.0 → 3.2.0

package/dist/plugins.cjs

@@ -43,8 +43,16 @@ var init_dev = __esm({
 });
 
 // src/utils/sanitize.ts
+function stripControlChars(value) {
+  return value.replace(/[\x00-\x20\x7f-\x9f]+/g, "");
+}
+function isEventHandlerAttr(name) {
+  if (name.length < 3) return false;
+  const lower = name.toLowerCase();
+  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
+}
 function sanitizeUrl(url) {
-  const trimmed = url.replace(/[\x00-\x20\x7f-\x9f]+/g, "").trim();
+  const trimmed = stripControlChars(url).trim();
   if (!trimmed) return "";
   const lower = trimmed.toLowerCase();
   let schemeEnd = -1;
@@ -93,7 +101,7 @@ function sanitizeCSSValue(value) {
   return value;
 }
 function isUrlAttribute(attr) {
-  return URL_ATTRIBUTES.has(attr);
+  return URL_ATTRIBUTES.has(attr.toLowerCase());
 }
 var SAFE_URL_PROTOCOLS, URL_ATTRIBUTES;
 var init_sanitize = __esm({
@@ -135,11 +143,15 @@ var init_ssr_context = __esm({
     als = null;
     try {
       if (typeof process !== "undefined" && process.versions && process.versions.node) {
-        const req = Function("return typeof require==='function'?require:null")();
-        if (req) {
-          const mod = req("node:async_hooks");
-          als = new mod.AsyncLocalStorage();
+        let mod = null;
+        const getBuiltin = process.getBuiltinModule;
+        if (typeof getBuiltin === "function") {
+          mod = getBuiltin("node:async_hooks");
+        } else {
+          const req = Function("return typeof require==='function'?require:null")();
+          if (req) mod = req("node:async_hooks");
         }
+        if (mod) als = new mod.AsyncLocalStorage();
       }
     } catch {
       als = null;
@@ -157,6 +169,7 @@ __export(ssr_exports, {
   hydrate: () => hydrate,
   hydrateIslands: () => hydrateIslands,
   hydrateProgressively: () => hydrateProgressively,
+  isDangerousMetaRefresh: () => isDangerousMetaRefresh,
   island: () => island,
   renderToDocument: () => renderToDocument,
   renderToReadableStream: () => renderToReadableStream,
@@ -169,14 +182,12 @@ __export(ssr_exports, {
   suspenseSwapScript: () => suspenseSwapScript,
   trustHTML: () => trustHTML
 });
+function sanitizeUrlAttr(name, value) {
+  return name === "srcset" ? sanitizeSrcset(value) : sanitizeUrl(value);
+}
 function isSafeAttrName(name) {
   return SAFE_ATTR_NAME.test(name);
 }
-function isEventHandlerAttr2(name) {
-  if (name.length < 3) return false;
-  const lower = name.toLowerCase();
-  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
-}
 function ssrErrorComment(err) {
   if (_isDev8) {
     const msg = escapeHtml(err instanceof Error ? err.message : String(err));
@@ -217,11 +228,11 @@ function renderToString(element) {
   for (const attr of Array.from(element.attributes)) {
     const rawName = attr.name;
     if (!isSafeAttrName(rawName)) continue;
-    if (isEventHandlerAttr2(rawName)) continue;
+    if (isEventHandlerAttr(rawName)) continue;
     const lowerName = rawName.toLowerCase();
     let value = attr.value;
     if (URL_ATTRS.has(lowerName)) {
-      value = sanitizeUrl(value);
+      value = sanitizeUrlAttr(lowerName, value);
       if (!value) continue;
     }
     html2 += ` ${rawName}="${escapeAttr(value)}"`;
@@ -358,11 +369,11 @@ function buildAttrString(attrs, { allowEventHandlers = false } = {}) {
   for (const rawKey of Object.keys(attrs)) {
     if (!Object.hasOwn(attrs, rawKey)) continue;
     if (!isSafeAttrName(rawKey)) continue;
-    if (!allowEventHandlers && isEventHandlerAttr2(rawKey)) continue;
+    if (!allowEventHandlers && isEventHandlerAttr(rawKey)) continue;
     const lowerKey = rawKey.toLowerCase();
     let value = String(attrs[rawKey]);
     if (URL_ATTRS.has(lowerKey)) {
-      value = sanitizeUrl(value);
+      value = sanitizeUrlAttr(lowerKey, value);
       if (!value) continue;
     }
     out.push(`${rawKey}="${escapeAttr(value)}"`);
@@ -370,12 +381,17 @@ function buildAttrString(attrs, { allowEventHandlers = false } = {}) {
   return out.join(" ");
 }
 function isDangerousMetaRefresh(metaProps) {
-  const httpEquiv = metaProps["http-equiv"];
+  let httpEquiv;
+  let content;
+  for (const k in metaProps) {
+    const lk = k.toLowerCase();
+    if (lk === "http-equiv") httpEquiv = metaProps[k];
+    else if (lk === "content") content = metaProps[k];
+  }
   if (typeof httpEquiv !== "string") return false;
   if (httpEquiv.toLowerCase() !== "refresh") return false;
-  const content = metaProps.content;
   if (typeof content !== "string") return false;
-  const normalized = content.replace(/[\x00-\x20\x7f-\x9f]+/g, "").toLowerCase();
+  const normalized = stripControlChars(content).toLowerCase();
   return normalized.includes("url=javascript:") || normalized.includes("url=data:") || normalized.includes("url=vbscript:") || normalized.includes("url=blob:");
 }
 function renderToDocument(component, options = {}) {
@@ -453,11 +469,11 @@ async function* renderToStream(element) {
   for (const attr of Array.from(element.attributes)) {
     const rawName = attr.name;
     if (!isSafeAttrName(rawName)) continue;
-    if (isEventHandlerAttr2(rawName)) continue;
+    if (isEventHandlerAttr(rawName)) continue;
     const lowerName = rawName.toLowerCase();
     let value = attr.value;
     if (URL_ATTRS.has(lowerName)) {
-      value = sanitizeUrl(value);
+      value = sanitizeUrlAttr(lowerName, value);
       if (!value) continue;
     }
     openTag += ` ${rawName}="${escapeAttr(value)}"`;
@@ -533,11 +549,11 @@ function hydrateProgressively(container, islands, options) {
       (entries) => {
         for (const entry of entries) {
           if (entry.isIntersecting) {
+            observer.disconnect();
             const clientTree = factory();
             clientTree.setAttribute("data-sibu-island", id);
             clientTree.setAttribute("data-sibu-hydrated", "true");
             marker2.replaceWith(clientTree);
-            observer.disconnect();
             break;
           }
         }
@@ -901,7 +917,7 @@ function retrack(effectFn, subscriber) {
   }
 }
 function track(effectFn, subscriber) {
-  if (!subscriber) subscriber = effectFn;
+  if (!subscriber) return reactiveBinding(effectFn);
   cleanup(subscriber);
   const prev = currentSubscriber;
   currentSubscriber = subscriber;
@@ -919,6 +935,32 @@ function track(effectFn, subscriber) {
   const sub2 = subscriber;
   return sub2._dispose ?? (sub2._dispose = () => cleanup(subscriber));
 }
+function reactiveBinding(commit) {
+  const run = () => {
+    const s2 = subscriber;
+    if (s2._disposed || s2._reentrant) return;
+    s2._reentrant = true;
+    try {
+      retrack(commit, subscriber);
+    } finally {
+      s2._reentrant = false;
+    }
+  };
+  const subscriber = run;
+  subscriber.depsHead = null;
+  subscriber.depsTail = null;
+  subscriber._epoch = 0;
+  subscriber._structDirty = false;
+  subscriber._runEpoch = 0;
+  subscriber._runs = 0;
+  subscriber._reentrant = false;
+  subscriber._disposed = false;
+  run();
+  return subscriber._dispose ?? (subscriber._dispose = () => {
+    subscriber._disposed = true;
+    cleanup(subscriber);
+  });
+}
 function recordDependency(signal2) {
   if (!currentSubscriber) return;
   const sub2 = currentSubscriber;
@@ -1075,11 +1117,6 @@ var _isDev3 = isDev();
 function setProp(el, key, val) {
   el[key] = val;
 }
-function isEventHandlerAttr(name) {
-  if (name.length < 3) return false;
-  const lower = name.toLowerCase();
-  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
-}
 function bindAttribute(el, attr, getter) {
   if (isEventHandlerAttr(attr)) {
     if (_isDev3)
@@ -1115,13 +1152,76 @@ function bindAttribute(el, attr, getter) {
       el.setAttribute(attr, isUrlAttribute(attr) ? sanitizeUrl(str) : str);
     }
   }
-  const teardown = track(commit);
-  return teardown;
+  return reactiveBinding(commit);
 }
 
 // src/reactivity/bindChildNode.ts
 init_dev();
+
+// src/core/rendering/dispose.ts
+init_dev();
+var elementDisposers = /* @__PURE__ */ new WeakMap();
 var _isDev4 = isDev();
+var activeBindingCount = 0;
+function registerDisposer(node, teardown) {
+  let disposers = elementDisposers.get(node);
+  if (!disposers) {
+    disposers = [];
+    elementDisposers.set(node, disposers);
+  }
+  disposers.push(teardown);
+  if (_isDev4) activeBindingCount++;
+}
+function dispose(node) {
+  const stack = [node];
+  const order = [];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    order.push(current);
+    const children = Array.from(current.childNodes);
+    for (let i2 = 0; i2 < children.length; i2++) {
+      stack.push(children[i2]);
+    }
+  }
+  for (let i2 = order.length - 1; i2 >= 0; i2--) {
+    const current = order[i2];
+    const disposers = elementDisposers.get(current);
+    if (disposers) {
+      const snapshot = disposers.slice();
+      elementDisposers.delete(current);
+      if (_isDev4) activeBindingCount -= snapshot.length;
+      for (const d of snapshot) {
+        try {
+          d();
+        } catch (err) {
+          if (_isDev4 && typeof console !== "undefined") {
+            console.warn("[SibuJS] Disposer threw during cleanup:", err);
+          }
+        }
+      }
+      let extraPasses = 0;
+      while (extraPasses++ < 8) {
+        const added = elementDisposers.get(current);
+        if (!added || added.length === 0) break;
+        const moreSnapshot = added.slice();
+        elementDisposers.delete(current);
+        if (_isDev4) activeBindingCount -= moreSnapshot.length;
+        for (const d of moreSnapshot) {
+          try {
+            d();
+          } catch (err) {
+            if (_isDev4 && typeof console !== "undefined") {
+              console.warn("[SibuJS] Disposer threw during cleanup:", err);
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+// src/reactivity/bindChildNode.ts
+var _isDev5 = isDev();
 function bindChildNode(placeholder, getter) {
   let lastNodes = [];
   function commit() {
@@ -1129,12 +1229,13 @@ function bindChildNode(placeholder, getter) {
     try {
       result = getter();
     } catch (err) {
-      if (_isDev4) devWarn(`bindChildNode: getter threw: ${err instanceof Error ? err.message : String(err)}`);
+      if (_isDev5) devWarn(`bindChildNode: getter threw: ${err instanceof Error ? err.message : String(err)}`);
       return;
     }
     if (result == null || typeof result === "boolean") {
       for (let i2 = 0; i2 < lastNodes.length; i2++) {
         const node = lastNodes[i2];
+        dispose(node);
         if (node.parentNode) node.parentNode.removeChild(node);
       }
       lastNodes.length = 0;
@@ -1154,7 +1255,7 @@ function bindChildNode(placeholder, getter) {
         if (item == null || typeof item === "boolean") continue;
         const node = item instanceof Node ? item : document.createTextNode(String(item));
         if (seen.has(node)) {
-          if (_isDev4)
+          if (_isDev5)
             devWarn("bindChildNode: duplicate node reference in array \u2014 only the first occurrence is rendered.");
           continue;
         }
@@ -1176,90 +1277,24 @@ function bindChildNode(placeholder, getter) {
     for (let i2 = 0; i2 < lastNodes.length; i2++) {
       const node = lastNodes[i2];
       if (reused?.has(node)) continue;
+      dispose(node);
       if (node.parentNode) node.parentNode.removeChild(node);
     }
-    const anchor = placeholder.nextSibling;
+    let prev = placeholder;
     for (let i2 = 0; i2 < newNodes.length; i2++) {
       const node = newNodes[i2];
-      if (reused?.has(node) && node.parentNode === parent) {
-        if (node.nextSibling !== anchor) {
-          parent.insertBefore(node, anchor);
-        }
-      } else {
-        parent.insertBefore(node, anchor);
+      if (prev.nextSibling !== node) {
+        parent.insertBefore(node, prev.nextSibling);
       }
+      prev = node;
     }
     lastNodes = newNodes;
   }
-  return track(commit);
+  return reactiveBinding(commit);
 }
 
 // src/core/rendering/tagFactory.ts
 init_sanitize();
-
-// src/core/rendering/dispose.ts
-init_dev();
-var elementDisposers = /* @__PURE__ */ new WeakMap();
-var _isDev5 = isDev();
-var activeBindingCount = 0;
-function registerDisposer(node, teardown) {
-  let disposers = elementDisposers.get(node);
-  if (!disposers) {
-    disposers = [];
-    elementDisposers.set(node, disposers);
-  }
-  disposers.push(teardown);
-  if (_isDev5) activeBindingCount++;
-}
-function dispose(node) {
-  const stack = [node];
-  const order = [];
-  while (stack.length > 0) {
-    const current = stack.pop();
-    order.push(current);
-    const children = Array.from(current.childNodes);
-    for (let i2 = 0; i2 < children.length; i2++) {
-      stack.push(children[i2]);
-    }
-  }
-  for (let i2 = order.length - 1; i2 >= 0; i2--) {
-    const current = order[i2];
-    const disposers = elementDisposers.get(current);
-    if (disposers) {
-      const snapshot = disposers.slice();
-      elementDisposers.delete(current);
-      if (_isDev5) activeBindingCount -= snapshot.length;
-      for (const d of snapshot) {
-        try {
-          d();
-        } catch (err) {
-          if (_isDev5 && typeof console !== "undefined") {
-            console.warn("[SibuJS] Disposer threw during cleanup:", err);
-          }
-        }
-      }
-      let extraPasses = 0;
-      while (extraPasses++ < 8) {
-        const added = elementDisposers.get(current);
-        if (!added || added.length === 0) break;
-        const moreSnapshot = added.slice();
-        elementDisposers.delete(current);
-        if (_isDev5) activeBindingCount -= moreSnapshot.length;
-        for (const d of moreSnapshot) {
-          try {
-            d();
-          } catch (err) {
-            if (_isDev5 && typeof console !== "undefined") {
-              console.warn("[SibuJS] Disposer threw during cleanup:", err);
-            }
-          }
-        }
-      }
-    }
-  }
-}
-
-// src/core/rendering/tagFactory.ts
 var SVG_NS = "http://www.w3.org/2000/svg";
 var _isDev6 = isDev();
 var BLOCKED_TAGS = /* @__PURE__ */ new Set(["script", "iframe", "object", "embed", "frame", "frameset"]);
@@ -1285,6 +1320,18 @@ var CLOBBER_RISKY_IDS = /* @__PURE__ */ new Set([
 function setProp2(el, key, val) {
   el[key] = val;
 }
+function looksLikeClassList(s2) {
+  const t2 = s2.trim();
+  if (!t2) return false;
+  const tokens = t2.split(/\s+/);
+  let sawClassish = false;
+  for (let i2 = 0; i2 < tokens.length; i2++) {
+    const tok = tokens[i2];
+    if (!/^-?[A-Za-z_][A-Za-z0-9_:/.-]*$/.test(tok)) return false;
+    if (/[-:/0-9]/.test(tok)) sawClassish = true;
+  }
+  return sawClassish;
+}
 var kebabCache = /* @__PURE__ */ new Map();
 function toKebab(prop) {
   let cached = kebabCache.get(prop);
@@ -1420,6 +1467,11 @@ var tagFactory = (tag, ns) => {
         appendChildren(el, second);
         return el;
       }
+      if (_isDev6 && looksLikeClassList(first)) {
+        devWarn(
+          `tagFactory: lone string "${first}" looks like a class list but is being rendered as TEXT. For a class, use ${tag}({ class: "${first}" }) \u2014 or ${tag}("${first}", children) to set the class AND add children.`
+        );
+      }
       el.textContent = first;
       return el;
     }
@@ -1477,7 +1529,7 @@ var tagFactory = (tag, ns) => {
           const value = props[key];
           if (value == null) continue;
           const lkey = key.toLowerCase();
-          if (lkey[0] === "o" && lkey[1] === "n") continue;
+          if (isEventHandlerAttr(key)) continue;
           if (typeof value === "function") {
             registerDisposer(el, bindAttribute(el, key, value));
           } else if (typeof value === "boolean") {
@@ -1841,6 +1893,7 @@ function effect(effectFn, options) {
     ctx.fn(ctx.onCleanup);
   };
   const sub2 = (() => {
+    if (ctx.disposed) return;
     if (ctx.running) {
       ctx.rerunPending = true;
       return;
@@ -1880,7 +1933,9 @@ function effect(effectFn, options) {
 init_sanitize();
 function isSafeNavigationTarget(path2) {
   if (path2 === "") return true;
-  return sanitizeUrl(path2) !== "";
+  const normalized = stripControlChars(path2).replace(/\\/g, "/");
+  if (normalized.startsWith("//")) return false;
+  return sanitizeUrl(normalized) !== "";
 }
 var LRUCache = class {
   constructor(maxSize = 100) {
@@ -2017,8 +2072,13 @@ var RouteMatcher = class {
     if (match) {
       const params = {};
       compiled.keys.forEach((key, i2) => {
-        if (match[i2 + 1] !== void 0) {
-          params[key] = decodeURIComponent(match[i2 + 1]);
+        const raw = match[i2 + 1];
+        if (raw !== void 0) {
+          try {
+            params[key] = decodeURIComponent(raw);
+          } catch {
+            params[key] = raw;
+          }
         }
       });
       return { params };
@@ -2069,14 +2129,23 @@ var RouteMatcher = class {
     }
   }
   removeRoute(path2) {
-    this.routeTrie.delete(path2);
-    this.parentChain.delete(path2);
     this.compiledPatterns.clear();
-    for (const [name, route2] of this.namedRoutes) {
-      if (route2.path === path2) {
-        this.namedRoutes.delete(name);
-        break;
-      }
+    const root = this.routeTrie.get(path2);
+    if (!root) return;
+    const removed = /* @__PURE__ */ new Set();
+    const collect = (r) => {
+      removed.add(r);
+      if (r.children) for (const child of r.children) collect(child);
+    };
+    collect(root);
+    for (const [key, route2] of [...this.routeTrie]) {
+      if (removed.has(route2)) this.routeTrie.delete(key);
+    }
+    for (const [key, chain] of [...this.parentChain]) {
+      if (chain.length > 0 && removed.has(chain[chain.length - 1])) this.parentChain.delete(key);
+    }
+    for (const [name, route2] of [...this.namedRoutes]) {
+      if (removed.has(route2)) this.namedRoutes.delete(name);
     }
   }
 };
@@ -2188,42 +2257,61 @@ var GuardManager = class {
     this.afterEachHooks = [];
   }
 };
-var ComponentLoader = class {
+var _ComponentLoader = class _ComponentLoader {
   constructor(cacheSize = 50, retryDelay = 1e3) {
     this.errorCache = /* @__PURE__ */ new Map();
     this.loadingPromises = /* @__PURE__ */ new Map();
+    // Stable per-route-definition id. Caching by the RESOLVED path (e.g.
+    // /users/123) gave the cache one entry per visited URL, so parameterized
+    // routes thrashed/evicted and the component was reloaded every navigation.
+    // Keying by route-definition identity makes the cache effective again.
+    this.routeKeys = /* @__PURE__ */ new WeakMap();
+    this.keyCounter = 0;
     this.componentCache = new LRUCache(cacheSize);
     this.retryDelay = retryDelay;
   }
+  keyFor(route2) {
+    let key = this.routeKeys.get(route2);
+    if (key === void 0) {
+      key = `route#${this.keyCounter++}`;
+      this.routeKeys.set(route2, key);
+    }
+    return key;
+  }
   async loadComponent(route2, routePath) {
     if (!("component" in route2)) {
       throw new Error(`Route ${routePath} does not have a component`);
     }
     const comp = route2.component;
-    const cached = this.componentCache.get(routePath);
+    const cacheKey = this.keyFor(route2);
+    const cached = this.componentCache.get(cacheKey);
     if (cached) return cached;
-    const existingPromise = this.loadingPromises.get(routePath);
+    const existingPromise = this.loadingPromises.get(cacheKey);
     if (existingPromise) return existingPromise;
-    const errorInfo = this.errorCache.get(routePath);
+    const errorInfo = this.errorCache.get(cacheKey);
     if (errorInfo && Date.now() - errorInfo.timestamp < this.retryDelay) {
       throw new Error(`Component loading failed recently, retry in ${this.retryDelay}ms`);
     }
     const loadingPromise = this.doLoadComponent(comp, routePath);
-    this.loadingPromises.set(routePath, loadingPromise);
+    this.loadingPromises.set(cacheKey, loadingPromise);
     try {
       const component = await loadingPromise;
-      this.componentCache.set(routePath, component);
-      this.errorCache.delete(routePath);
+      this.componentCache.set(cacheKey, component);
+      this.errorCache.delete(cacheKey);
       return component;
     } catch (error) {
-      const currentError = this.errorCache.get(routePath) || { timestamp: 0, count: 0 };
-      this.errorCache.set(routePath, {
+      const currentError = this.errorCache.get(cacheKey) || { timestamp: 0, count: 0 };
+      if (!this.errorCache.has(cacheKey) && this.errorCache.size >= _ComponentLoader.MAX_ERROR_ENTRIES) {
+        const oldest = this.errorCache.keys().next().value;
+        if (oldest !== void 0) this.errorCache.delete(oldest);
+      }
+      this.errorCache.set(cacheKey, {
         timestamp: Date.now(),
         count: currentError.count + 1
       });
       throw error;
     } finally {
-      this.loadingPromises.delete(routePath);
+      this.loadingPromises.delete(cacheKey);
     }
   }
   async doLoadComponent(comp, routePath) {
@@ -2277,6 +2365,8 @@ var ComponentLoader = class {
     this.loadingPromises.clear();
   }
 };
+_ComponentLoader.MAX_ERROR_ENTRIES = 256;
+var ComponentLoader = _ComponentLoader;
 var _SibuRouter = class _SibuRouter {
   constructor(routes, options = {}) {
     // Event listeners cleanup
@@ -2342,7 +2432,7 @@ var _SibuRouter = class _SibuRouter {
       return window.location.hash.slice(1) || "/";
     }
     let path2 = window.location.pathname;
-    if (base2 && path2.startsWith(base2)) {
+    if (base2 && (path2 === base2 || path2.startsWith(`${base2}/`))) {
       path2 = path2.slice(base2.length);
     }
     return (path2 || "/") + window.location.search + window.location.hash;
@@ -2475,7 +2565,7 @@ var _SibuRouter = class _SibuRouter {
     }
     if (to.params) {
       for (const [key, value] of Object.entries(to.params)) {
-        path2 = path2.replace(`:${key}`, encodeURIComponent(value));
+        path2 = path2.replace(new RegExp(`:${key}(?=[/?#]|$)`, "g"), encodeURIComponent(value));
       }
     }
     if (to.query && Object.keys(to.query).length > 0) {
@@ -2905,7 +2995,8 @@ function KeepAliveRoute(options) {
       return;
     }
     if (!("component" in routeDef)) return;
-    const cacheKey = route2.path;
+    const queryStr = Object.keys(route2.query).length > 0 ? `?${new URLSearchParams(route2.query).toString()}` : "";
+    const cacheKey = `${route2.path}${queryStr}${route2.hash ? `#${route2.hash}` : ""}`;
     const shouldCache = !includeNames || routeDef.name != null && includeNames.includes(routeDef.name);
     if (cacheKey === currentKey && currentNode) return;
     isUpdating = true;
@@ -2995,7 +3086,8 @@ function RouterLink(props) {
   const { to, replace: replace2 = false, activeClass, exactActiveClass, nodes, target, rel, class: classAttr, ...attrs } = props;
   const baseClass = typeof classAttr === "string" ? classAttr : "";
   const routeGetter = globalRouter.routeGetter;
-  const href = globalRouter["resolvePath"](to);
+  const rawHref = globalRouter["resolvePath"](to);
+  const href = isSafeNavigationTarget(rawHref) ? rawHref : "#";
   const hrefPath = href.split("?")[0].split("#")[0];
   const link2 = document.createElement("a");
   link2.href = href;
@@ -3027,9 +3119,18 @@ function RouterLink(props) {
   });
   registerDisposer(link2, effectCleanup);
   Object.entries(attrs).forEach(([key, value]) => {
-    if (key.startsWith("on") || key === "href") return;
+    const lkey = key.toLowerCase();
+    if (lkey === "href" || lkey[0] === "o" && lkey[1] === "n") return;
     if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
-      link2.setAttribute(key, String(value));
+      const str = String(value);
+      if (isUrlAttribute(lkey)) {
+        const safe = sanitizeUrl(str);
+        if (safe) link2.setAttribute(key, safe);
+      } else if (lkey === "style") {
+        link2.setAttribute(key, sanitizeCSSValue(str));
+      } else {
+        link2.setAttribute(key, str);
+      }
     }
   });
   if (typeof nodes === "string") {
@@ -3280,10 +3381,14 @@ function createMemoryRouter(routes, _initialPath = "/") {
 
 // src/plugins/routerSSR.ts
 init_ssr();
-var FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
-function isForbiddenKey(key) {
-  return FORBIDDEN_KEYS.has(key);
+
+// src/utils/guards.ts
+var UNSAFE_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function isUnsafeKey(key) {
+  return UNSAFE_KEYS.has(key);
 }
+
+// src/plugins/routerSSR.ts
 function safeDecode(raw) {
   try {
     return decodeURIComponent(raw);
@@ -3324,7 +3429,7 @@ function parseURL(url) {
         key = safeDecode(pair.slice(0, eqIndex));
         value = safeDecode(pair.slice(eqIndex + 1));
       }
-      if (isForbiddenKey(key)) continue;
+      if (isUnsafeKey(key)) continue;
       query[key] = value;
     }
   }
@@ -3386,7 +3491,7 @@ function matchRoute(path2, routes, parentPath = "", parentChain = []) {
       const params = nullObject();
       for (let i2 = 0; i2 < compiled.keys.length; i2++) {
         const key = compiled.keys[i2];
-        if (isForbiddenKey(key)) continue;
+        if (isUnsafeKey(key)) continue;
         if (match[i2 + 1] !== void 0) {
           params[key] = safeDecode(match[i2 + 1]);
         }
@@ -3483,7 +3588,7 @@ function renderRouteToString(url, routes, _options) {
 function renderRouteToDocument(url, routes, options) {
   const { html: html2, state } = renderRouteToString(url, routes, options);
   const opts = options || {};
-  const metaTags = (opts.meta || []).map((attrs) => {
+  const metaTags = (opts.meta || []).filter((attrs) => !isDangerousMetaRefresh(attrs)).map((attrs) => {
     const pairs = buildSafeAttrString(attrs);
     return pairs ? `<meta ${pairs} />` : "";
   }).filter(Boolean).join("\n    ");
@@ -3563,7 +3668,7 @@ var SAFE_ATTR_NAME2 = /^[A-Za-z_:][-A-Za-z0-9_.:]*$/;
 function isSafeAttrName2(name) {
   return SAFE_ATTR_NAME2.test(name);
 }
-function isEventHandlerAttr3(name) {
+function isEventHandlerAttr2(name) {
   if (name.length < 3) return false;
   const lower = name.toLowerCase();
   return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
@@ -3596,7 +3701,7 @@ function buildSafeAttrString(attrs) {
   for (const rawKey of Object.keys(attrs)) {
     if (!Object.hasOwn(attrs, rawKey)) continue;
     if (!isSafeAttrName2(rawKey)) continue;
-    if (isEventHandlerAttr3(rawKey)) continue;
+    if (isEventHandlerAttr2(rawKey)) continue;
     const lowerKey = rawKey.toLowerCase();
     let value = String(attrs[rawKey]);
     if (URL_ATTRS2.has(lowerKey)) {