sibujs 3.1.0 → 3.2.0

package/dist/plugins.js

@@ -18,7 +18,10 @@ import {
   preloadCritical,
   prerenderRoutes,
   satisfies
-} from "./chunk-LYTCUZ7H.js";
+} from "./chunk-RDRSWYNP.js";
+import {
+  isUnsafeKey
+} from "./chunk-H3SRKIYX.js";
 import {
   createPlugin,
   createPluginRegistry,
@@ -32,30 +35,34 @@ import {
 } from "./chunk-3JHCYHWN.js";
 import {
   span
-} from "./chunk-2HAGQWDV.js";
+} from "./chunk-5N74TKLD.js";
 import {
   escapeScriptJson,
+  isDangerousMetaRefresh,
   renderToString
-} from "./chunk-JYD2PWXH.js";
-import "./chunk-WKUXSE7V.js";
-import "./chunk-2ZJ7TSW4.js";
+} from "./chunk-HXMS4SNP.js";
+import "./chunk-X67UYC74.js";
+import "./chunk-RLUJL2MV.js";
 import {
   dispose,
   registerDisposer
 } from "./chunk-2UPRY23K.js";
 import {
-  sanitizeUrl
-} from "./chunk-UCS6AMJ7.js";
+  isUrlAttribute,
+  sanitizeCSSValue,
+  sanitizeUrl,
+  stripControlChars
+} from "./chunk-HMJFCBRR.js";
 import {
   effect
-} from "./chunk-ZIBE2SAT.js";
-import "./chunk-2RA7SHDA.js";
+} from "./chunk-FDY42FIU.js";
+import "./chunk-GOJMFRBL.js";
 import {
   signal
-} from "./chunk-RK4BQG25.js";
+} from "./chunk-C427DVQF.js";
 import {
   track
-} from "./chunk-3U4ZVXVD.js";
+} from "./chunk-Z2FWAE4B.js";
 import "./chunk-LMLD24FC.js";
 
 // src/plugins/i18n.ts
@@ -89,7 +96,9 @@ function getAvailableLocales() {
 // src/plugins/router.ts
 function isSafeNavigationTarget(path) {
   if (path === "") return true;
-  return sanitizeUrl(path) !== "";
+  const normalized = stripControlChars(path).replace(/\\/g, "/");
+  if (normalized.startsWith("//")) return false;
+  return sanitizeUrl(normalized) !== "";
 }
 var LRUCache = class {
   constructor(maxSize = 100) {
@@ -226,8 +235,13 @@ var RouteMatcher = class {
     if (match) {
       const params = {};
       compiled.keys.forEach((key, i) => {
-        if (match[i + 1] !== void 0) {
-          params[key] = decodeURIComponent(match[i + 1]);
+        const raw = match[i + 1];
+        if (raw !== void 0) {
+          try {
+            params[key] = decodeURIComponent(raw);
+          } catch {
+            params[key] = raw;
+          }
         }
       });
       return { params };
@@ -278,14 +292,23 @@ var RouteMatcher = class {
     }
   }
   removeRoute(path) {
-    this.routeTrie.delete(path);
-    this.parentChain.delete(path);
     this.compiledPatterns.clear();
-    for (const [name, route2] of this.namedRoutes) {
-      if (route2.path === path) {
-        this.namedRoutes.delete(name);
-        break;
-      }
+    const root = this.routeTrie.get(path);
+    if (!root) return;
+    const removed = /* @__PURE__ */ new Set();
+    const collect = (r) => {
+      removed.add(r);
+      if (r.children) for (const child of r.children) collect(child);
+    };
+    collect(root);
+    for (const [key, route2] of [...this.routeTrie]) {
+      if (removed.has(route2)) this.routeTrie.delete(key);
+    }
+    for (const [key, chain] of [...this.parentChain]) {
+      if (chain.length > 0 && removed.has(chain[chain.length - 1])) this.parentChain.delete(key);
+    }
+    for (const [name, route2] of [...this.namedRoutes]) {
+      if (removed.has(route2)) this.namedRoutes.delete(name);
     }
   }
 };
@@ -397,42 +420,61 @@ var GuardManager = class {
     this.afterEachHooks = [];
   }
 };
-var ComponentLoader = class {
+var _ComponentLoader = class _ComponentLoader {
   constructor(cacheSize = 50, retryDelay = 1e3) {
     this.errorCache = /* @__PURE__ */ new Map();
     this.loadingPromises = /* @__PURE__ */ new Map();
+    // Stable per-route-definition id. Caching by the RESOLVED path (e.g.
+    // /users/123) gave the cache one entry per visited URL, so parameterized
+    // routes thrashed/evicted and the component was reloaded every navigation.
+    // Keying by route-definition identity makes the cache effective again.
+    this.routeKeys = /* @__PURE__ */ new WeakMap();
+    this.keyCounter = 0;
     this.componentCache = new LRUCache(cacheSize);
     this.retryDelay = retryDelay;
   }
+  keyFor(route2) {
+    let key = this.routeKeys.get(route2);
+    if (key === void 0) {
+      key = `route#${this.keyCounter++}`;
+      this.routeKeys.set(route2, key);
+    }
+    return key;
+  }
   async loadComponent(route2, routePath) {
     if (!("component" in route2)) {
       throw new Error(`Route ${routePath} does not have a component`);
     }
     const comp = route2.component;
-    const cached = this.componentCache.get(routePath);
+    const cacheKey = this.keyFor(route2);
+    const cached = this.componentCache.get(cacheKey);
     if (cached) return cached;
-    const existingPromise = this.loadingPromises.get(routePath);
+    const existingPromise = this.loadingPromises.get(cacheKey);
     if (existingPromise) return existingPromise;
-    const errorInfo = this.errorCache.get(routePath);
+    const errorInfo = this.errorCache.get(cacheKey);
     if (errorInfo && Date.now() - errorInfo.timestamp < this.retryDelay) {
       throw new Error(`Component loading failed recently, retry in ${this.retryDelay}ms`);
     }
     const loadingPromise = this.doLoadComponent(comp, routePath);
-    this.loadingPromises.set(routePath, loadingPromise);
+    this.loadingPromises.set(cacheKey, loadingPromise);
     try {
       const component = await loadingPromise;
-      this.componentCache.set(routePath, component);
-      this.errorCache.delete(routePath);
+      this.componentCache.set(cacheKey, component);
+      this.errorCache.delete(cacheKey);
       return component;
     } catch (error) {
-      const currentError = this.errorCache.get(routePath) || { timestamp: 0, count: 0 };
-      this.errorCache.set(routePath, {
+      const currentError = this.errorCache.get(cacheKey) || { timestamp: 0, count: 0 };
+      if (!this.errorCache.has(cacheKey) && this.errorCache.size >= _ComponentLoader.MAX_ERROR_ENTRIES) {
+        const oldest = this.errorCache.keys().next().value;
+        if (oldest !== void 0) this.errorCache.delete(oldest);
+      }
+      this.errorCache.set(cacheKey, {
         timestamp: Date.now(),
         count: currentError.count + 1
       });
       throw error;
     } finally {
-      this.loadingPromises.delete(routePath);
+      this.loadingPromises.delete(cacheKey);
     }
   }
   async doLoadComponent(comp, routePath) {
@@ -486,6 +528,8 @@ var ComponentLoader = class {
     this.loadingPromises.clear();
   }
 };
+_ComponentLoader.MAX_ERROR_ENTRIES = 256;
+var ComponentLoader = _ComponentLoader;
 var _SibuRouter = class _SibuRouter {
   constructor(routes, options = {}) {
     // Event listeners cleanup
@@ -551,7 +595,7 @@ var _SibuRouter = class _SibuRouter {
       return window.location.hash.slice(1) || "/";
     }
     let path = window.location.pathname;
-    if (base && path.startsWith(base)) {
+    if (base && (path === base || path.startsWith(`${base}/`))) {
       path = path.slice(base.length);
     }
     return (path || "/") + window.location.search + window.location.hash;
@@ -684,7 +728,7 @@ var _SibuRouter = class _SibuRouter {
     }
     if (to.params) {
       for (const [key, value] of Object.entries(to.params)) {
-        path = path.replace(`:${key}`, encodeURIComponent(value));
+        path = path.replace(new RegExp(`:${key}(?=[/?#]|$)`, "g"), encodeURIComponent(value));
       }
     }
     if (to.query && Object.keys(to.query).length > 0) {
@@ -1114,7 +1158,8 @@ function KeepAliveRoute(options) {
       return;
     }
     if (!("component" in routeDef)) return;
-    const cacheKey = route2.path;
+    const queryStr = Object.keys(route2.query).length > 0 ? `?${new URLSearchParams(route2.query).toString()}` : "";
+    const cacheKey = `${route2.path}${queryStr}${route2.hash ? `#${route2.hash}` : ""}`;
     const shouldCache = !includeNames || routeDef.name != null && includeNames.includes(routeDef.name);
     if (cacheKey === currentKey && currentNode) return;
     isUpdating = true;
@@ -1204,7 +1249,8 @@ function RouterLink(props) {
   const { to, replace: replace2 = false, activeClass, exactActiveClass, nodes, target, rel, class: classAttr, ...attrs } = props;
   const baseClass = typeof classAttr === "string" ? classAttr : "";
   const routeGetter = globalRouter.routeGetter;
-  const href = globalRouter["resolvePath"](to);
+  const rawHref = globalRouter["resolvePath"](to);
+  const href = isSafeNavigationTarget(rawHref) ? rawHref : "#";
   const hrefPath = href.split("?")[0].split("#")[0];
   const link = document.createElement("a");
   link.href = href;
@@ -1236,9 +1282,18 @@ function RouterLink(props) {
   });
   registerDisposer(link, effectCleanup);
   Object.entries(attrs).forEach(([key, value]) => {
-    if (key.startsWith("on") || key === "href") return;
+    const lkey = key.toLowerCase();
+    if (lkey === "href" || lkey[0] === "o" && lkey[1] === "n") return;
     if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
-      link.setAttribute(key, String(value));
+      const str = String(value);
+      if (isUrlAttribute(lkey)) {
+        const safe = sanitizeUrl(str);
+        if (safe) link.setAttribute(key, safe);
+      } else if (lkey === "style") {
+        link.setAttribute(key, sanitizeCSSValue(str));
+      } else {
+        link.setAttribute(key, str);
+      }
     }
   });
   if (typeof nodes === "string") {
@@ -1488,10 +1543,6 @@ function createMemoryRouter(routes, _initialPath = "/") {
 }
 
 // src/plugins/routerSSR.ts
-var FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
-function isForbiddenKey(key) {
-  return FORBIDDEN_KEYS.has(key);
-}
 function safeDecode(raw) {
   try {
     return decodeURIComponent(raw);
@@ -1532,7 +1583,7 @@ function parseURL(url) {
         key = safeDecode(pair.slice(0, eqIndex));
         value = safeDecode(pair.slice(eqIndex + 1));
       }
-      if (isForbiddenKey(key)) continue;
+      if (isUnsafeKey(key)) continue;
       query[key] = value;
     }
   }
@@ -1594,7 +1645,7 @@ function matchRoute(path, routes, parentPath = "", parentChain = []) {
       const params = nullObject();
       for (let i = 0; i < compiled.keys.length; i++) {
         const key = compiled.keys[i];
-        if (isForbiddenKey(key)) continue;
+        if (isUnsafeKey(key)) continue;
         if (match[i + 1] !== void 0) {
           params[key] = safeDecode(match[i + 1]);
         }
@@ -1691,7 +1742,7 @@ function renderRouteToString(url, routes, _options) {
 function renderRouteToDocument(url, routes, options) {
   const { html, state } = renderRouteToString(url, routes, options);
   const opts = options || {};
-  const metaTags = (opts.meta || []).map((attrs) => {
+  const metaTags = (opts.meta || []).filter((attrs) => !isDangerousMetaRefresh(attrs)).map((attrs) => {
     const pairs = buildSafeAttrString(attrs);
     return pairs ? `<meta ${pairs} />` : "";
   }).filter(Boolean).join("\n    ");
@@ -1742,7 +1793,7 @@ function hydrateRouter(routes, options) {
   if (container && serverState.path) {
     const resolved = resolveServerRoute(serverState.path, routes);
     if (resolved.component) {
-      import("./ssr-FXD2PPMC.js").then(({ hydrate }) => {
+      import("./ssr-2QDQ27EV.js").then(({ hydrate }) => {
         if (resolved.component) {
           hydrate(resolved.component, container);
         }

package/dist/{ssr-FXD2PPMC.js → ssr-2QDQ27EV.js}

@@ -5,6 +5,7 @@ import {
   hydrate,
   hydrateIslands,
   hydrateProgressively,
+  isDangerousMetaRefresh,
   island,
   renderToDocument,
   renderToReadableStream,
@@ -16,9 +17,9 @@ import {
   ssrSuspense,
   suspenseSwapScript,
   trustHTML
-} from "./chunk-JYD2PWXH.js";
-import "./chunk-UCS6AMJ7.js";
-import "./chunk-2RA7SHDA.js";
+} from "./chunk-HXMS4SNP.js";
+import "./chunk-HMJFCBRR.js";
+import "./chunk-GOJMFRBL.js";
 import "./chunk-LMLD24FC.js";
 export {
   collectStream,
@@ -27,6 +28,7 @@ export {
   hydrate,
   hydrateIslands,
   hydrateProgressively,
+  isDangerousMetaRefresh,
   island,
   renderToDocument,
   renderToReadableStream,

package/dist/{ssr-CrVNy6Pa.d.cts → ssr-D62yFwuw.d.cts}

@@ -57,6 +57,13 @@ type TrustedHTML = string & {
  * ```
  */
 declare function trustHTML(html: string): TrustedHTML;
+/**
+ * Detect `<meta http-equiv="refresh" content="0;url=javascript:...">`.
+ * Returns true if the props describe a refresh directive whose URL uses
+ * a dangerous protocol — in which case the entire meta entry must be
+ * dropped to avoid an XSS vector via the browser refresh mechanism.
+ */
+declare function isDangerousMetaRefresh(metaProps: Record<string, string>): boolean;
 /**
  * Renders a component to a full HTML document string.
  *
@@ -192,4 +199,4 @@ declare function serializeState(state: Record<string, unknown>, nonce?: string,
  */
 declare function deserializeState<T = Record<string, unknown>>(validate?: (data: unknown) => data is T): T | undefined;
 
-export { type HydrateOptions as H, type TrustedHTML as T, type HydrationMismatch as a, hydrateIslands as b, collectStream as c, deserializeState as d, escapeScriptJson as e, hydrateProgressively as f, renderToReadableStream as g, hydrate as h, island as i, renderToStream as j, renderToString as k, renderToSuspenseStream as l, resetSSRState as m, ssrSuspense as n, suspenseSwapScript as o, renderToDocument as r, serializeState as s, trustHTML as t };
+export { type HydrateOptions as H, type TrustedHTML as T, type HydrationMismatch as a, hydrateIslands as b, collectStream as c, deserializeState as d, escapeScriptJson as e, hydrateProgressively as f, island as g, hydrate as h, isDangerousMetaRefresh as i, renderToReadableStream as j, renderToStream as k, renderToString as l, renderToSuspenseStream as m, resetSSRState as n, ssrSuspense as o, suspenseSwapScript as p, renderToDocument as r, serializeState as s, trustHTML as t };

package/dist/{ssr-CrVNy6Pa.d.ts → ssr-D62yFwuw.d.ts}

@@ -57,6 +57,13 @@ type TrustedHTML = string & {
  * ```
  */
 declare function trustHTML(html: string): TrustedHTML;
+/**
+ * Detect `<meta http-equiv="refresh" content="0;url=javascript:...">`.
+ * Returns true if the props describe a refresh directive whose URL uses
+ * a dangerous protocol — in which case the entire meta entry must be
+ * dropped to avoid an XSS vector via the browser refresh mechanism.
+ */
+declare function isDangerousMetaRefresh(metaProps: Record<string, string>): boolean;
 /**
  * Renders a component to a full HTML document string.
  *
@@ -192,4 +199,4 @@ declare function serializeState(state: Record<string, unknown>, nonce?: string,
  */
 declare function deserializeState<T = Record<string, unknown>>(validate?: (data: unknown) => data is T): T | undefined;
 
-export { type HydrateOptions as H, type TrustedHTML as T, type HydrationMismatch as a, hydrateIslands as b, collectStream as c, deserializeState as d, escapeScriptJson as e, hydrateProgressively as f, renderToReadableStream as g, hydrate as h, island as i, renderToStream as j, renderToString as k, renderToSuspenseStream as l, resetSSRState as m, ssrSuspense as n, suspenseSwapScript as o, renderToDocument as r, serializeState as s, trustHTML as t };
+export { type HydrateOptions as H, type TrustedHTML as T, type HydrationMismatch as a, hydrateIslands as b, collectStream as c, deserializeState as d, escapeScriptJson as e, hydrateProgressively as f, island as g, hydrate as h, isDangerousMetaRefresh as i, renderToReadableStream as j, renderToStream as k, renderToString as l, renderToSuspenseStream as m, resetSSRState as n, ssrSuspense as o, suspenseSwapScript as p, renderToDocument as r, serializeState as s, trustHTML as t };