sibujs 3.1.0 → 3.2.1

package/dist/plugins.cjs

@@ -43,8 +43,16 @@ var init_dev = __esm({
 });
 
 // src/utils/sanitize.ts
+function stripControlChars(value) {
+  return value.replace(/[\x00-\x20\x7f-\x9f]+/g, "");
+}
+function isEventHandlerAttr(name) {
+  if (name.length < 3) return false;
+  const lower = name.toLowerCase();
+  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
+}
 function sanitizeUrl(url) {
-  const trimmed = url.replace(/[\x00-\x20\x7f-\x9f]+/g, "").trim();
+  const trimmed = stripControlChars(url).trim();
   if (!trimmed) return "";
   const lower = trimmed.toLowerCase();
   let schemeEnd = -1;
@@ -93,7 +101,7 @@ function sanitizeCSSValue(value) {
   return value;
 }
 function isUrlAttribute(attr) {
-  return URL_ATTRIBUTES.has(attr);
+  return URL_ATTRIBUTES.has(attr.toLowerCase());
 }
 var SAFE_URL_PROTOCOLS, URL_ATTRIBUTES;
 var init_sanitize = __esm({
@@ -135,11 +143,15 @@ var init_ssr_context = __esm({
     als = null;
     try {
       if (typeof process !== "undefined" && process.versions && process.versions.node) {
-        const req = Function("return typeof require==='function'?require:null")();
-        if (req) {
-          const mod = req("node:async_hooks");
-          als = new mod.AsyncLocalStorage();
+        let mod = null;
+        const getBuiltin = process.getBuiltinModule;
+        if (typeof getBuiltin === "function") {
+          mod = getBuiltin("node:async_hooks");
+        } else {
+          const req = Function("return typeof require==='function'?require:null")();
+          if (req) mod = req("node:async_hooks");
         }
+        if (mod) als = new mod.AsyncLocalStorage();
       }
     } catch {
       als = null;
@@ -157,6 +169,7 @@ __export(ssr_exports, {
   hydrate: () => hydrate,
   hydrateIslands: () => hydrateIslands,
   hydrateProgressively: () => hydrateProgressively,
+  isDangerousMetaRefresh: () => isDangerousMetaRefresh,
   island: () => island,
   renderToDocument: () => renderToDocument,
   renderToReadableStream: () => renderToReadableStream,
@@ -169,14 +182,12 @@ __export(ssr_exports, {
   suspenseSwapScript: () => suspenseSwapScript,
   trustHTML: () => trustHTML
 });
+function sanitizeUrlAttr(name, value) {
+  return name === "srcset" ? sanitizeSrcset(value) : sanitizeUrl(value);
+}
 function isSafeAttrName(name) {
   return SAFE_ATTR_NAME.test(name);
 }
-function isEventHandlerAttr2(name) {
-  if (name.length < 3) return false;
-  const lower = name.toLowerCase();
-  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
-}
 function ssrErrorComment(err) {
   if (_isDev8) {
     const msg = escapeHtml(err instanceof Error ? err.message : String(err));
@@ -217,11 +228,11 @@ function renderToString(element) {
   for (const attr of Array.from(element.attributes)) {
     const rawName = attr.name;
     if (!isSafeAttrName(rawName)) continue;
-    if (isEventHandlerAttr2(rawName)) continue;
+    if (isEventHandlerAttr(rawName)) continue;
     const lowerName = rawName.toLowerCase();
     let value = attr.value;
     if (URL_ATTRS.has(lowerName)) {
-      value = sanitizeUrl(value);
+      value = sanitizeUrlAttr(lowerName, value);
       if (!value) continue;
     }
     html2 += ` ${rawName}="${escapeAttr(value)}"`;
@@ -358,11 +369,11 @@ function buildAttrString(attrs, { allowEventHandlers = false } = {}) {
   for (const rawKey of Object.keys(attrs)) {
     if (!Object.hasOwn(attrs, rawKey)) continue;
     if (!isSafeAttrName(rawKey)) continue;
-    if (!allowEventHandlers && isEventHandlerAttr2(rawKey)) continue;
+    if (!allowEventHandlers && isEventHandlerAttr(rawKey)) continue;
     const lowerKey = rawKey.toLowerCase();
     let value = String(attrs[rawKey]);
     if (URL_ATTRS.has(lowerKey)) {
-      value = sanitizeUrl(value);
+      value = sanitizeUrlAttr(lowerKey, value);
       if (!value) continue;
     }
     out.push(`${rawKey}="${escapeAttr(value)}"`);
@@ -370,12 +381,17 @@ function buildAttrString(attrs, { allowEventHandlers = false } = {}) {
   return out.join(" ");
 }
 function isDangerousMetaRefresh(metaProps) {
-  const httpEquiv = metaProps["http-equiv"];
+  let httpEquiv;
+  let content;
+  for (const k in metaProps) {
+    const lk = k.toLowerCase();
+    if (lk === "http-equiv") httpEquiv = metaProps[k];
+    else if (lk === "content") content = metaProps[k];
+  }
   if (typeof httpEquiv !== "string") return false;
   if (httpEquiv.toLowerCase() !== "refresh") return false;
-  const content = metaProps.content;
   if (typeof content !== "string") return false;
-  const normalized = content.replace(/[\x00-\x20\x7f-\x9f]+/g, "").toLowerCase();
+  const normalized = stripControlChars(content).toLowerCase();
   return normalized.includes("url=javascript:") || normalized.includes("url=data:") || normalized.includes("url=vbscript:") || normalized.includes("url=blob:");
 }
 function renderToDocument(component, options = {}) {
@@ -453,11 +469,11 @@ async function* renderToStream(element) {
   for (const attr of Array.from(element.attributes)) {
     const rawName = attr.name;
     if (!isSafeAttrName(rawName)) continue;
-    if (isEventHandlerAttr2(rawName)) continue;
+    if (isEventHandlerAttr(rawName)) continue;
     const lowerName = rawName.toLowerCase();
     let value = attr.value;
     if (URL_ATTRS.has(lowerName)) {
-      value = sanitizeUrl(value);
+      value = sanitizeUrlAttr(lowerName, value);
       if (!value) continue;
     }
     openTag += ` ${rawName}="${escapeAttr(value)}"`;
@@ -533,11 +549,11 @@ function hydrateProgressively(container, islands, options) {
       (entries) => {
         for (const entry of entries) {
           if (entry.isIntersecting) {
+            observer.disconnect();
             const clientTree = factory();
             clientTree.setAttribute("data-sibu-island", id);
             clientTree.setAttribute("data-sibu-hydrated", "true");
             marker2.replaceWith(clientTree);
-            observer.disconnect();
             break;
           }
         }
@@ -922,7 +938,7 @@ function track(effectFn, subscriber) {
 function reactiveBinding(commit) {
   const run = () => {
     const s2 = subscriber;
-    if (s2._reentrant) return;
+    if (s2._disposed || s2._reentrant) return;
     s2._reentrant = true;
     try {
       retrack(commit, subscriber);
@@ -938,8 +954,12 @@ function reactiveBinding(commit) {
   subscriber._runEpoch = 0;
   subscriber._runs = 0;
   subscriber._reentrant = false;
+  subscriber._disposed = false;
   run();
-  return subscriber._dispose ?? (subscriber._dispose = () => cleanup(subscriber));
+  return subscriber._dispose ?? (subscriber._dispose = () => {
+    subscriber._disposed = true;
+    cleanup(subscriber);
+  });
 }
 function recordDependency(signal2) {
   if (!currentSubscriber) return;
@@ -1097,11 +1117,6 @@ var _isDev3 = isDev();
 function setProp(el, key, val) {
   el[key] = val;
 }
-function isEventHandlerAttr(name) {
-  if (name.length < 3) return false;
-  const lower = name.toLowerCase();
-  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
-}
 function bindAttribute(el, attr, getter) {
   if (isEventHandlerAttr(attr)) {
     if (_isDev3)
@@ -1142,7 +1157,71 @@ function bindAttribute(el, attr, getter) {
 
 // src/reactivity/bindChildNode.ts
 init_dev();
+
+// src/core/rendering/dispose.ts
+init_dev();
+var elementDisposers = /* @__PURE__ */ new WeakMap();
 var _isDev4 = isDev();
+var activeBindingCount = 0;
+function registerDisposer(node, teardown) {
+  let disposers = elementDisposers.get(node);
+  if (!disposers) {
+    disposers = [];
+    elementDisposers.set(node, disposers);
+  }
+  disposers.push(teardown);
+  if (_isDev4) activeBindingCount++;
+}
+function dispose(node) {
+  const stack = [node];
+  const order = [];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    order.push(current);
+    const children = Array.from(current.childNodes);
+    for (let i2 = 0; i2 < children.length; i2++) {
+      stack.push(children[i2]);
+    }
+  }
+  for (let i2 = order.length - 1; i2 >= 0; i2--) {
+    const current = order[i2];
+    const disposers = elementDisposers.get(current);
+    if (disposers) {
+      const snapshot = disposers.slice();
+      elementDisposers.delete(current);
+      if (_isDev4) activeBindingCount -= snapshot.length;
+      for (const d of snapshot) {
+        try {
+          d();
+        } catch (err) {
+          if (_isDev4 && typeof console !== "undefined") {
+            console.warn("[SibuJS] Disposer threw during cleanup:", err);
+          }
+        }
+      }
+      let extraPasses = 0;
+      while (extraPasses++ < 8) {
+        const added = elementDisposers.get(current);
+        if (!added || added.length === 0) break;
+        const moreSnapshot = added.slice();
+        elementDisposers.delete(current);
+        if (_isDev4) activeBindingCount -= moreSnapshot.length;
+        for (const d of moreSnapshot) {
+          try {
+            d();
+          } catch (err) {
+            if (_isDev4 && typeof console !== "undefined") {
+              console.warn("[SibuJS] Disposer threw during cleanup:", err);
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+// src/reactivity/bindChildNode.ts
+var _isDev5 = isDev();
 function bindChildNode(placeholder, getter) {
   let lastNodes = [];
   function commit() {
@@ -1150,12 +1229,13 @@ function bindChildNode(placeholder, getter) {
     try {
       result = getter();
     } catch (err) {
-      if (_isDev4) devWarn(`bindChildNode: getter threw: ${err instanceof Error ? err.message : String(err)}`);
+      if (_isDev5) devWarn(`bindChildNode: getter threw: ${err instanceof Error ? err.message : String(err)}`);
       return;
     }
     if (result == null || typeof result === "boolean") {
       for (let i2 = 0; i2 < lastNodes.length; i2++) {
         const node = lastNodes[i2];
+        dispose(node);
         if (node.parentNode) node.parentNode.removeChild(node);
       }
       lastNodes.length = 0;
@@ -1175,7 +1255,7 @@ function bindChildNode(placeholder, getter) {
         if (item == null || typeof item === "boolean") continue;
         const node = item instanceof Node ? item : document.createTextNode(String(item));
         if (seen.has(node)) {
-          if (_isDev4)
+          if (_isDev5)
             devWarn("bindChildNode: duplicate node reference in array \u2014 only the first occurrence is rendered.");
           continue;
         }
@@ -1197,18 +1277,16 @@ function bindChildNode(placeholder, getter) {
     for (let i2 = 0; i2 < lastNodes.length; i2++) {
       const node = lastNodes[i2];
       if (reused?.has(node)) continue;
+      dispose(node);
       if (node.parentNode) node.parentNode.removeChild(node);
     }
-    const anchor = placeholder.nextSibling;
+    let prev = placeholder;
     for (let i2 = 0; i2 < newNodes.length; i2++) {
       const node = newNodes[i2];
-      if (reused?.has(node) && node.parentNode === parent) {
-        if (node.nextSibling !== anchor) {
-          parent.insertBefore(node, anchor);
-        }
-      } else {
-        parent.insertBefore(node, anchor);
+      if (prev.nextSibling !== node) {
+        parent.insertBefore(node, prev.nextSibling);
       }
+      prev = node;
     }
     lastNodes = newNodes;
   }
@@ -1217,70 +1295,6 @@ function bindChildNode(placeholder, getter) {
 
 // src/core/rendering/tagFactory.ts
 init_sanitize();
-
-// src/core/rendering/dispose.ts
-init_dev();
-var elementDisposers = /* @__PURE__ */ new WeakMap();
-var _isDev5 = isDev();
-var activeBindingCount = 0;
-function registerDisposer(node, teardown) {
-  let disposers = elementDisposers.get(node);
-  if (!disposers) {
-    disposers = [];
-    elementDisposers.set(node, disposers);
-  }
-  disposers.push(teardown);
-  if (_isDev5) activeBindingCount++;
-}
-function dispose(node) {
-  const stack = [node];
-  const order = [];
-  while (stack.length > 0) {
-    const current = stack.pop();
-    order.push(current);
-    const children = Array.from(current.childNodes);
-    for (let i2 = 0; i2 < children.length; i2++) {
-      stack.push(children[i2]);
-    }
-  }
-  for (let i2 = order.length - 1; i2 >= 0; i2--) {
-    const current = order[i2];
-    const disposers = elementDisposers.get(current);
-    if (disposers) {
-      const snapshot = disposers.slice();
-      elementDisposers.delete(current);
-      if (_isDev5) activeBindingCount -= snapshot.length;
-      for (const d of snapshot) {
-        try {
-          d();
-        } catch (err) {
-          if (_isDev5 && typeof console !== "undefined") {
-            console.warn("[SibuJS] Disposer threw during cleanup:", err);
-          }
-        }
-      }
-      let extraPasses = 0;
-      while (extraPasses++ < 8) {
-        const added = elementDisposers.get(current);
-        if (!added || added.length === 0) break;
-        const moreSnapshot = added.slice();
-        elementDisposers.delete(current);
-        if (_isDev5) activeBindingCount -= moreSnapshot.length;
-        for (const d of moreSnapshot) {
-          try {
-            d();
-          } catch (err) {
-            if (_isDev5 && typeof console !== "undefined") {
-              console.warn("[SibuJS] Disposer threw during cleanup:", err);
-            }
-          }
-        }
-      }
-    }
-  }
-}
-
-// src/core/rendering/tagFactory.ts
 var SVG_NS = "http://www.w3.org/2000/svg";
 var _isDev6 = isDev();
 var BLOCKED_TAGS = /* @__PURE__ */ new Set(["script", "iframe", "object", "embed", "frame", "frameset"]);
@@ -1515,7 +1529,7 @@ var tagFactory = (tag, ns) => {
           const value = props[key];
           if (value == null) continue;
           const lkey = key.toLowerCase();
-          if (lkey[0] === "o" && lkey[1] === "n") continue;
+          if (isEventHandlerAttr(key)) continue;
           if (typeof value === "function") {
             registerDisposer(el, bindAttribute(el, key, value));
           } else if (typeof value === "boolean") {
@@ -1879,6 +1893,7 @@ function effect(effectFn, options) {
     ctx.fn(ctx.onCleanup);
   };
   const sub2 = (() => {
+    if (ctx.disposed) return;
     if (ctx.running) {
       ctx.rerunPending = true;
       return;
@@ -1918,7 +1933,9 @@ function effect(effectFn, options) {
 init_sanitize();
 function isSafeNavigationTarget(path2) {
   if (path2 === "") return true;
-  return sanitizeUrl(path2) !== "";
+  const normalized = stripControlChars(path2).replace(/\\/g, "/");
+  if (normalized.startsWith("//")) return false;
+  return sanitizeUrl(normalized) !== "";
 }
 var LRUCache = class {
   constructor(maxSize = 100) {
@@ -2055,8 +2072,13 @@ var RouteMatcher = class {
     if (match) {
       const params = {};
       compiled.keys.forEach((key, i2) => {
-        if (match[i2 + 1] !== void 0) {
-          params[key] = decodeURIComponent(match[i2 + 1]);
+        const raw = match[i2 + 1];
+        if (raw !== void 0) {
+          try {
+            params[key] = decodeURIComponent(raw);
+          } catch {
+            params[key] = raw;
+          }
         }
       });
       return { params };
@@ -2107,14 +2129,23 @@ var RouteMatcher = class {
     }
   }
   removeRoute(path2) {
-    this.routeTrie.delete(path2);
-    this.parentChain.delete(path2);
     this.compiledPatterns.clear();
-    for (const [name, route2] of this.namedRoutes) {
-      if (route2.path === path2) {
-        this.namedRoutes.delete(name);
-        break;
-      }
+    const root = this.routeTrie.get(path2);
+    if (!root) return;
+    const removed = /* @__PURE__ */ new Set();
+    const collect = (r) => {
+      removed.add(r);
+      if (r.children) for (const child of r.children) collect(child);
+    };
+    collect(root);
+    for (const [key, route2] of [...this.routeTrie]) {
+      if (removed.has(route2)) this.routeTrie.delete(key);
+    }
+    for (const [key, chain] of [...this.parentChain]) {
+      if (chain.length > 0 && removed.has(chain[chain.length - 1])) this.parentChain.delete(key);
+    }
+    for (const [name, route2] of [...this.namedRoutes]) {
+      if (removed.has(route2)) this.namedRoutes.delete(name);
     }
   }
 };
@@ -2226,42 +2257,61 @@ var GuardManager = class {
     this.afterEachHooks = [];
   }
 };
-var ComponentLoader = class {
+var _ComponentLoader = class _ComponentLoader {
   constructor(cacheSize = 50, retryDelay = 1e3) {
     this.errorCache = /* @__PURE__ */ new Map();
     this.loadingPromises = /* @__PURE__ */ new Map();
+    // Stable per-route-definition id. Caching by the RESOLVED path (e.g.
+    // /users/123) gave the cache one entry per visited URL, so parameterized
+    // routes thrashed/evicted and the component was reloaded every navigation.
+    // Keying by route-definition identity makes the cache effective again.
+    this.routeKeys = /* @__PURE__ */ new WeakMap();
+    this.keyCounter = 0;
     this.componentCache = new LRUCache(cacheSize);
     this.retryDelay = retryDelay;
   }
+  keyFor(route2) {
+    let key = this.routeKeys.get(route2);
+    if (key === void 0) {
+      key = `route#${this.keyCounter++}`;
+      this.routeKeys.set(route2, key);
+    }
+    return key;
+  }
   async loadComponent(route2, routePath) {
     if (!("component" in route2)) {
       throw new Error(`Route ${routePath} does not have a component`);
     }
     const comp = route2.component;
-    const cached = this.componentCache.get(routePath);
+    const cacheKey = this.keyFor(route2);
+    const cached = this.componentCache.get(cacheKey);
     if (cached) return cached;
-    const existingPromise = this.loadingPromises.get(routePath);
+    const existingPromise = this.loadingPromises.get(cacheKey);
     if (existingPromise) return existingPromise;
-    const errorInfo = this.errorCache.get(routePath);
+    const errorInfo = this.errorCache.get(cacheKey);
     if (errorInfo && Date.now() - errorInfo.timestamp < this.retryDelay) {
       throw new Error(`Component loading failed recently, retry in ${this.retryDelay}ms`);
     }
     const loadingPromise = this.doLoadComponent(comp, routePath);
-    this.loadingPromises.set(routePath, loadingPromise);
+    this.loadingPromises.set(cacheKey, loadingPromise);
     try {
       const component = await loadingPromise;
-      this.componentCache.set(routePath, component);
-      this.errorCache.delete(routePath);
+      this.componentCache.set(cacheKey, component);
+      this.errorCache.delete(cacheKey);
       return component;
     } catch (error) {
-      const currentError = this.errorCache.get(routePath) || { timestamp: 0, count: 0 };
-      this.errorCache.set(routePath, {
+      const currentError = this.errorCache.get(cacheKey) || { timestamp: 0, count: 0 };
+      if (!this.errorCache.has(cacheKey) && this.errorCache.size >= _ComponentLoader.MAX_ERROR_ENTRIES) {
+        const oldest = this.errorCache.keys().next().value;
+        if (oldest !== void 0) this.errorCache.delete(oldest);
+      }
+      this.errorCache.set(cacheKey, {
         timestamp: Date.now(),
         count: currentError.count + 1
       });
       throw error;
     } finally {
-      this.loadingPromises.delete(routePath);
+      this.loadingPromises.delete(cacheKey);
     }
   }
   async doLoadComponent(comp, routePath) {
@@ -2315,6 +2365,8 @@ var ComponentLoader = class {
     this.loadingPromises.clear();
   }
 };
+_ComponentLoader.MAX_ERROR_ENTRIES = 256;
+var ComponentLoader = _ComponentLoader;
 var _SibuRouter = class _SibuRouter {
   constructor(routes, options = {}) {
     // Event listeners cleanup
@@ -2380,7 +2432,7 @@ var _SibuRouter = class _SibuRouter {
       return window.location.hash.slice(1) || "/";
     }
     let path2 = window.location.pathname;
-    if (base2 && path2.startsWith(base2)) {
+    if (base2 && (path2 === base2 || path2.startsWith(`${base2}/`))) {
       path2 = path2.slice(base2.length);
     }
     return (path2 || "/") + window.location.search + window.location.hash;
@@ -2513,7 +2565,7 @@ var _SibuRouter = class _SibuRouter {
     }
     if (to.params) {
       for (const [key, value] of Object.entries(to.params)) {
-        path2 = path2.replace(`:${key}`, encodeURIComponent(value));
+        path2 = path2.replace(new RegExp(`:${key}(?=[/?#]|$)`, "g"), encodeURIComponent(value));
       }
     }
     if (to.query && Object.keys(to.query).length > 0) {
@@ -2749,8 +2801,7 @@ function Route() {
   let currentNode = null;
   let loadingNode = null;
   let errorNode = null;
-  let isUpdating = false;
-  let currentPath = "";
+  let navSeq = 0;
   let currentTopRoute = null;
   const cleanupNodes = () => {
     [currentNode, loadingNode, errorNode].forEach((node) => {
@@ -2828,30 +2879,21 @@ function Route() {
     errorNode.appendChild(retryButton);
     anchor.parentNode.insertBefore(errorNode, anchor.nextSibling);
   };
-  let pendingUpdate = false;
   const update = async () => {
     if (!globalRouter) return;
-    if (isUpdating) {
-      pendingUpdate = true;
-      return;
-    }
+    const seq = ++navSeq;
     const route2 = globalRouter.currentRoute;
     try {
       const match = globalRouter["matcher"].match(route2.path);
       if (!match) {
-        currentPath = route2.path;
         currentTopRoute = null;
         cleanupNodes();
         return;
       }
       const routeDef = match.matched[0] || match.route;
       if (routeDef === currentTopRoute && currentNode) {
-        currentPath = route2.path;
         return;
       }
-      isUpdating = true;
-      currentPath = route2.path;
-      currentTopRoute = routeDef;
       if ("redirect" in routeDef) {
         const redirectPath = typeof routeDef.redirect === "function" ? routeDef.redirect(route2) : routeDef.redirect;
         queueMicrotask(() => {
@@ -2868,27 +2910,25 @@ function Route() {
             showLoading();
           }
           const component = await globalRouter.loadComponent(routeDef, route2.path);
+          if (seq !== navSeq) return;
           const node = component();
-          if (node && anchor.parentNode && route2.path === currentPath) {
+          if (node && anchor.parentNode) {
+            currentTopRoute = routeDef;
             cleanupNodes();
             anchor.parentNode.insertBefore(node, anchor.nextSibling);
             currentNode = node;
           }
         } catch (error) {
+          if (seq !== navSeq) return;
           hideLoading();
           console.error("[Route] Component error:", error);
           showError(error instanceof Error ? error : new Error(String(error)), routeDef);
         }
       }
     } catch (error) {
+      if (seq !== navSeq) return;
       console.error("[Route] Update failed:", error);
       showError(error instanceof Error ? error : new Error(String(error)));
-    } finally {
-      isUpdating = false;
-      if (pendingUpdate) {
-        pendingUpdate = false;
-        update();
-      }
     }
   };
   let routeInitialized = false;
@@ -2943,7 +2983,8 @@ function KeepAliveRoute(options) {
       return;
     }
     if (!("component" in routeDef)) return;
-    const cacheKey = route2.path;
+    const queryStr = Object.keys(route2.query).length > 0 ? `?${new URLSearchParams(route2.query).toString()}` : "";
+    const cacheKey = `${route2.path}${queryStr}${route2.hash ? `#${route2.hash}` : ""}`;
     const shouldCache = !includeNames || routeDef.name != null && includeNames.includes(routeDef.name);
     if (cacheKey === currentKey && currentNode) return;
     isUpdating = true;
@@ -3033,7 +3074,8 @@ function RouterLink(props) {
   const { to, replace: replace2 = false, activeClass, exactActiveClass, nodes, target, rel, class: classAttr, ...attrs } = props;
   const baseClass = typeof classAttr === "string" ? classAttr : "";
   const routeGetter = globalRouter.routeGetter;
-  const href = globalRouter["resolvePath"](to);
+  const rawHref = globalRouter["resolvePath"](to);
+  const href = isSafeNavigationTarget(rawHref) ? rawHref : "#";
   const hrefPath = href.split("?")[0].split("#")[0];
   const link2 = document.createElement("a");
   link2.href = href;
@@ -3065,9 +3107,18 @@ function RouterLink(props) {
   });
   registerDisposer(link2, effectCleanup);
   Object.entries(attrs).forEach(([key, value]) => {
-    if (key.startsWith("on") || key === "href") return;
+    const lkey = key.toLowerCase();
+    if (lkey === "href" || lkey[0] === "o" && lkey[1] === "n") return;
     if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
-      link2.setAttribute(key, String(value));
+      const str = String(value);
+      if (isUrlAttribute(lkey)) {
+        const safe = sanitizeUrl(str);
+        if (safe) link2.setAttribute(key, safe);
+      } else if (lkey === "style") {
+        link2.setAttribute(key, sanitizeCSSValue(str));
+      } else {
+        link2.setAttribute(key, str);
+      }
     }
   });
   if (typeof nodes === "string") {
@@ -3224,24 +3275,43 @@ function __removeRouterPagehideHandler() {
 function Outlet() {
   const anchor = document.createComment("route-outlet-nested");
   let currentNode = null;
+  let currentChild = null;
+  let navSeq = 0;
+  const clearCurrent = () => {
+    if (currentNode) {
+      dispose(currentNode);
+      if (currentNode.parentNode) currentNode.parentNode.removeChild(currentNode);
+      currentNode = null;
+    }
+    currentChild = null;
+  };
   const update = async () => {
     if (!globalRouter) return;
+    const seq = ++navSeq;
     const route2 = globalRouter.currentRoute;
-    if (route2.matched.length < 2) return;
+    if (route2.matched.length < 2) {
+      clearCurrent();
+      return;
+    }
     const childRoute = route2.matched[route2.matched.length - 1];
-    if (!childRoute || !("component" in childRoute)) return;
+    if (!childRoute || !("component" in childRoute)) {
+      clearCurrent();
+      return;
+    }
+    if (childRoute === currentChild && currentNode) return;
     try {
       const cacheKey = `${route2.path}\0${childRoute.path}`;
       const component = await globalRouter.loadComponent(childRoute, cacheKey);
+      if (seq !== navSeq) return;
       const node = component();
       if (node && anchor.parentNode) {
-        if (currentNode?.parentNode) {
-          currentNode.parentNode.removeChild(currentNode);
-        }
+        clearCurrent();
         anchor.parentNode.insertBefore(node, anchor.nextSibling);
         currentNode = node;
+        currentChild = childRoute;
       }
     } catch (error) {
+      if (seq !== navSeq) return;
       console.error("[Outlet] Failed to render child route:", error);
     }
   };
@@ -3318,10 +3388,14 @@ function createMemoryRouter(routes, _initialPath = "/") {
 
 // src/plugins/routerSSR.ts
 init_ssr();
-var FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
-function isForbiddenKey(key) {
-  return FORBIDDEN_KEYS.has(key);
+
+// src/utils/guards.ts
+var UNSAFE_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function isUnsafeKey(key) {
+  return UNSAFE_KEYS.has(key);
 }
+
+// src/plugins/routerSSR.ts
 function safeDecode(raw) {
   try {
     return decodeURIComponent(raw);
@@ -3362,7 +3436,7 @@ function parseURL(url) {
         key = safeDecode(pair.slice(0, eqIndex));
         value = safeDecode(pair.slice(eqIndex + 1));
       }
-      if (isForbiddenKey(key)) continue;
+      if (isUnsafeKey(key)) continue;
       query[key] = value;
     }
   }
@@ -3424,7 +3498,7 @@ function matchRoute(path2, routes, parentPath = "", parentChain = []) {
       const params = nullObject();
       for (let i2 = 0; i2 < compiled.keys.length; i2++) {
         const key = compiled.keys[i2];
-        if (isForbiddenKey(key)) continue;
+        if (isUnsafeKey(key)) continue;
         if (match[i2 + 1] !== void 0) {
           params[key] = safeDecode(match[i2 + 1]);
         }
@@ -3521,7 +3595,7 @@ function renderRouteToString(url, routes, _options) {
 function renderRouteToDocument(url, routes, options) {
   const { html: html2, state } = renderRouteToString(url, routes, options);
   const opts = options || {};
-  const metaTags = (opts.meta || []).map((attrs) => {
+  const metaTags = (opts.meta || []).filter((attrs) => !isDangerousMetaRefresh(attrs)).map((attrs) => {
     const pairs = buildSafeAttrString(attrs);
     return pairs ? `<meta ${pairs} />` : "";
   }).filter(Boolean).join("\n    ");
@@ -3601,7 +3675,7 @@ var SAFE_ATTR_NAME2 = /^[A-Za-z_:][-A-Za-z0-9_.:]*$/;
 function isSafeAttrName2(name) {
   return SAFE_ATTR_NAME2.test(name);
 }
-function isEventHandlerAttr3(name) {
+function isEventHandlerAttr2(name) {
   if (name.length < 3) return false;
   const lower = name.toLowerCase();
   return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
@@ -3634,7 +3708,7 @@ function buildSafeAttrString(attrs) {
   for (const rawKey of Object.keys(attrs)) {
     if (!Object.hasOwn(attrs, rawKey)) continue;
     if (!isSafeAttrName2(rawKey)) continue;
-    if (isEventHandlerAttr3(rawKey)) continue;
+    if (isEventHandlerAttr2(rawKey)) continue;
     const lowerKey = rawKey.toLowerCase();
     let value = String(attrs[rawKey]);
     if (URL_ATTRS2.has(lowerKey)) {