sibujs 3.2.1 → 3.3.0

package/dist/index.cjs

@@ -234,7 +234,13 @@ module.exports = __toCommonJS(index_exports);
 
 // src/core/dev.ts
 function isDev() {
-  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production";
+  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : (
+    // The bare `__SIBU_DEV__` is a bundler define that only exists in
+    // production builds; under the test runner it is always undefined, so
+    // this branch is unreachable here.
+    /* v8 ignore next 2 */
+    typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production"
+  );
 }
 var _isDev = isDev();
 function devAssert(condition, message) {
@@ -291,7 +297,9 @@ function sanitizeSrcset(value) {
   }
   return out.join(", ");
 }
+var CSS_DANGER_GATE = /[(:@\\]/;
 function sanitizeCSSValue(value) {
+  if (!CSS_DANGER_GATE.test(value)) return value;
   const decoded = value.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_m, hex) => {
     const code2 = Number.parseInt(hex, 16);
     if (!Number.isFinite(code2) || code2 < 0 || code2 > 1114111) return "";
@@ -324,6 +332,12 @@ var URL_ATTRIBUTES = /* @__PURE__ */ new Set([
 function isUrlAttribute(attr) {
   return URL_ATTRIBUTES.has(attr.toLowerCase());
 }
+function sanitizeAttributeString(attr, value) {
+  const lower = attr.toLowerCase();
+  if (lower === "srcset") return sanitizeSrcset(value);
+  if (URL_ATTRIBUTES.has(lower)) return sanitizeUrl(value);
+  return value;
+}
 
 // src/reactivity/track.ts
 var _isDev2 = isDev();
@@ -747,7 +761,7 @@ function bindAttribute(el, attr, getter) {
     if ((attr === "value" || attr === "checked") && attr in el) {
       setProp(el, attr, attr === "checked" ? Boolean(value) : str);
     } else {
-      el.setAttribute(attr, isUrlAttribute(attr) ? sanitizeUrl(str) : str);
+      el.setAttribute(attr, sanitizeAttributeString(attr, str));
     }
   }
   return reactiveBinding(commit);
@@ -777,7 +791,7 @@ function bindDynamic(el, nameGetter, valueGetter) {
     if ((name === "value" || name === "checked") && name in el) {
       setProp(el, name, name === "checked" ? Boolean(value) : str);
     } else {
-      el.setAttribute(name, isUrlAttribute(name) ? sanitizeUrl(str) : str);
+      el.setAttribute(name, sanitizeAttributeString(name, str));
     }
     prevName = name;
   }
@@ -937,11 +951,8 @@ function bindChildNode(placeholder, getter) {
 var SVG_NS = "http://www.w3.org/2000/svg";
 var _isDev6 = isDev();
 var BLOCKED_TAGS = /* @__PURE__ */ new Set(["script", "iframe", "object", "embed", "frame", "frameset"]);
-function validateTagName(tag) {
-  const lower = tag.toLowerCase();
-  if (BLOCKED_TAGS.has(lower)) {
-    throw new Error(`tagFactory: refusing to create <${tag}> \u2014 tag is blocked for security reasons.`);
-  }
+function isBlockedTag(tag) {
+  return BLOCKED_TAGS.has(tag.toLowerCase());
 }
 var CLOBBER_RISKY_IDS = /* @__PURE__ */ new Set([
   "config",
@@ -1096,8 +1107,11 @@ function appendChildren(el, nodes) {
   }
 }
 var tagFactory = (tag, ns) => {
+  const blocked = isBlockedTag(tag);
   return (first, second) => {
-    validateTagName(tag);
+    if (blocked) {
+      throw new Error(`tagFactory: refusing to create <${tag}> \u2014 tag is blocked for security reasons.`);
+    }
     const el = ns ? document.createElementNS(ns, tag) : document.createElement(tag);
     if (first === void 0) return el;
     if (typeof first === "string") {
@@ -1167,7 +1181,6 @@ var tagFactory = (tag, ns) => {
         default: {
           const value = props[key];
           if (value == null) continue;
-          const lkey = key.toLowerCase();
           if (isEventHandlerAttr(key)) continue;
           if (typeof value === "function") {
             registerDisposer(el, bindAttribute(el, key, value));
@@ -1180,14 +1193,7 @@ var tagFactory = (tag, ns) => {
               el.removeAttribute(key);
             }
           } else {
-            const str = String(value);
-            if (lkey === "srcset") {
-              el.setAttribute(key, sanitizeSrcset(str));
-            } else if (isUrlAttribute(lkey)) {
-              el.setAttribute(key, sanitizeUrl(str));
-            } else {
-              el.setAttribute(key, str);
-            }
+            el.setAttribute(key, sanitizeAttributeString(key, String(value)));
           }
         }
       }
@@ -2777,8 +2783,14 @@ function watch(getter, callback) {
       return;
     }
     if (!Object.is(newValue, oldValue)) {
-      callback(newValue, oldValue);
+      const prev = oldValue;
       oldValue = newValue;
+      suspendTracking();
+      try {
+        callback(newValue, prev);
+      } finally {
+        resumeTracking();
+      }
     }
   };
   const teardown = track(subscriber);
@@ -2844,7 +2856,12 @@ function store(initialState) {
         first = false;
         return;
       }
-      callback(snapshot);
+      suspendTracking();
+      try {
+        callback(snapshot);
+      } finally {
+        resumeTracking();
+      }
     });
   };
   const subscribeKey = (key, callback) => {
@@ -2860,7 +2877,12 @@ function store(initialState) {
       if (!Object.is(current, prev)) {
         const oldPrev = prev;
         prev = current;
-        callback(current, oldPrev);
+        suspendTracking();
+        try {
+          callback(current, oldPrev);
+        } finally {
+          resumeTracking();
+        }
       }
     });
   };
@@ -4410,7 +4432,12 @@ function ErrorBoundary(optionsOrChildren, maybeChildren) {
     } else if (collected.length > 1) {
       const Agg = globalThis.AggregateError;
       handleError(
-        Agg ? new Agg(collected, `${collected.length} pre-mount errors caught by ErrorBoundary`) : new Error(collected.map((e) => e.message).join("; "))
+        Agg ? new Agg(collected, `${collected.length} pre-mount errors caught by ErrorBoundary`) : (
+          // AggregateError is ES2021 and present in every supported runtime
+          // (matches the browserslist targets), so this fallback is defensive.
+          /* v8 ignore next */
+          new Error(collected.map((e) => e.message).join("; "))
+        )
       );
     }
     return void 0;

package/dist/index.d.cts

@@ -442,6 +442,15 @@ declare function show<T extends Element>(condition: () => boolean, element: T):
  *   () => div("Please log in")
  * );
  * ```
+ *
+ * GOTCHA — branch factories rebuild only when `condition` changes. A signal
+ * read *eagerly* inside a branch is captured once and never updates:
+ * ```ts
+ * when(() => show(), () => div(`Count: ${count()}`));        // ✗ frozen at first count
+ * when(() => show(), () => div(() => `Count: ${count()}`));  // ✓ reactive text child
+ * ```
+ * Drive per-branch reactivity with a nested getter (or a reactive child), not a
+ * bare read in the factory body.
  */
 declare function when<T>(condition: () => T, thenBranch: () => NodeChild, elseBranch?: () => NodeChild): Comment;
 /**
@@ -465,6 +474,10 @@ declare function when<T>(condition: () => T, thenBranch: () => NodeChild, elseBr
  *   () => div("Unknown status")
  * );
  * ```
+ *
+ * GOTCHA — like `when()`, a case factory rebuilds only when the matched key
+ * changes. A signal read eagerly inside a case is frozen at build time; use a
+ * nested getter (`() => div(() => label())`) for reactive per-case content.
  */
 declare function match<T extends string | number>(value: () => T, cases: Record<string, () => NodeChild>, fallback?: () => NodeChild): Comment;
 

package/dist/index.d.ts

@@ -442,6 +442,15 @@ declare function show<T extends Element>(condition: () => boolean, element: T):
  *   () => div("Please log in")
  * );
  * ```
+ *
+ * GOTCHA — branch factories rebuild only when `condition` changes. A signal
+ * read *eagerly* inside a branch is captured once and never updates:
+ * ```ts
+ * when(() => show(), () => div(`Count: ${count()}`));        // ✗ frozen at first count
+ * when(() => show(), () => div(() => `Count: ${count()}`));  // ✓ reactive text child
+ * ```
+ * Drive per-branch reactivity with a nested getter (or a reactive child), not a
+ * bare read in the factory body.
  */
 declare function when<T>(condition: () => T, thenBranch: () => NodeChild, elseBranch?: () => NodeChild): Comment;
 /**
@@ -465,6 +474,10 @@ declare function when<T>(condition: () => T, thenBranch: () => NodeChild, elseBr
  *   () => div("Unknown status")
  * );
  * ```
+ *
+ * GOTCHA — like `when()`, a case factory rebuilds only when the matched key
+ * changes. A signal read eagerly inside a case is frozen at build time; use a
+ * nested getter (`() => div(() => label())`) for reactive per-case content.
  */
 declare function match<T extends string | number>(value: () => T, cases: Record<string, () => NodeChild>, fallback?: () => NodeChild): Comment;
 

package/dist/index.js

@@ -44,7 +44,7 @@ import {
   unregisterComponent,
   when,
   writable
-} from "./chunk-V2MTG5FT.js";
+} from "./chunk-BEIKESVL.js";
 import {
   __resetIdCounter,
   createId
@@ -186,36 +186,36 @@ import {
   use,
   var_,
   video
-} from "./chunk-5N74TKLD.js";
+} from "./chunk-24DBWDTK.js";
 import {
   watch
-} from "./chunk-H6PCHJZQ.js";
+} from "./chunk-F4UM7QBJ.js";
 import {
   trustHTML
-} from "./chunk-HXMS4SNP.js";
+} from "./chunk-R3QEDXFS.js";
 import {
   context
-} from "./chunk-YFDGQWDA.js";
+} from "./chunk-JBXNCZSC.js";
 import {
   SVG_NS,
   tagFactory
-} from "./chunk-X67UYC74.js";
+} from "./chunk-NUWKIEHE.js";
 import {
   bindDynamic
-} from "./chunk-RLUJL2MV.js";
+} from "./chunk-Q2ERM6NT.js";
 import {
   derived
-} from "./chunk-JYXOEYI4.js";
+} from "./chunk-CVMMULHO.js";
 import {
   checkLeaks,
   dispose,
   registerDisposer
-} from "./chunk-2UPRY23K.js";
-import "./chunk-HMJFCBRR.js";
+} from "./chunk-5VGSK6D2.js";
+import "./chunk-L3GAGWCC.js";
 import {
   effect,
   on
-} from "./chunk-FDY42FIU.js";
+} from "./chunk-7JHWAGRQ.js";
 import {
   disableSSR,
   enableSSR,
@@ -230,13 +230,13 @@ import {
   enqueueBatchedSignal,
   isBatching,
   signal
-} from "./chunk-C427DVQF.js";
+} from "./chunk-5K72I3UQ.js";
 import {
   retrack,
   setMaxDrainIterations,
   untracked
-} from "./chunk-Z2FWAE4B.js";
-import "./chunk-LMLD24FC.js";
+} from "./chunk-X3NHE2DK.js";
+import "./chunk-COY6PUD2.js";
 export {
   DynamicComponent,
   ErrorBoundary,

package/dist/motion.cjs

@@ -288,7 +288,13 @@ async function sequence(steps) {
 
 // src/core/dev.ts
 function isDev() {
-  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production";
+  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : (
+    // The bare `__SIBU_DEV__` is a bundler define that only exists in
+    // production builds; under the test runner it is always undefined, so
+    // this branch is unreachable here.
+    /* v8 ignore next 2 */
+    typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production"
+  );
 }
 var _isDev = isDev();
 function devWarn(message) {

package/dist/motion.js

@@ -19,10 +19,10 @@ import {
   stagger,
   transition,
   viewTransition
-} from "./chunk-FOI23UJL.js";
-import "./chunk-C427DVQF.js";
-import "./chunk-Z2FWAE4B.js";
-import "./chunk-LMLD24FC.js";
+} from "./chunk-XQ7XSGYP.js";
+import "./chunk-5K72I3UQ.js";
+import "./chunk-X3NHE2DK.js";
+import "./chunk-COY6PUD2.js";
 export {
   TransitionGroup,
   animate,

package/dist/patterns.cjs

@@ -45,7 +45,13 @@ module.exports = __toCommonJS(patterns_exports);
 
 // src/core/dev.ts
 function isDev() {
-  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production";
+  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : (
+    // The bare `__SIBU_DEV__` is a bundler define that only exists in
+    // production builds; under the test runner it is always undefined, so
+    // this branch is unreachable here.
+    /* v8 ignore next 2 */
+    typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production"
+  );
 }
 var _isDev = isDev();
 function devAssert(condition, message) {

package/dist/patterns.js

@@ -5,7 +5,7 @@ import {
   optimisticList,
   persisted,
   timeline
-} from "./chunk-NFYWLRUO.js";
+} from "./chunk-S4FHR5ZZ.js";
 import {
   RenderProp,
   assertType,
@@ -23,12 +23,12 @@ import {
   withWrapper
 } from "./chunk-VJE6DDYM.js";
 import "./chunk-H3SRKIYX.js";
-import "./chunk-JYXOEYI4.js";
-import "./chunk-FDY42FIU.js";
+import "./chunk-CVMMULHO.js";
+import "./chunk-7JHWAGRQ.js";
 import "./chunk-GOJMFRBL.js";
-import "./chunk-C427DVQF.js";
-import "./chunk-Z2FWAE4B.js";
-import "./chunk-LMLD24FC.js";
+import "./chunk-5K72I3UQ.js";
+import "./chunk-X3NHE2DK.js";
+import "./chunk-COY6PUD2.js";
 export {
   RenderProp,
   assertType,

package/dist/performance.cjs

@@ -218,7 +218,13 @@ async function processInChunks(items, processor, chunkSize = 50) {
 
 // src/core/dev.ts
 function isDev() {
-  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production";
+  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : (
+    // The bare `__SIBU_DEV__` is a bundler define that only exists in
+    // production builds; under the test runner it is always undefined, so
+    // this branch is unreachable here.
+    /* v8 ignore next 2 */
+    typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production"
+  );
 }
 var _isDev = isDev();
 function devAssert(condition, message) {
@@ -778,6 +784,31 @@ function uniqueId(suffix) {
   return suffix ? `${id}-${suffix}` : id;
 }
 
+// src/utils/sanitize.ts
+function stripControlChars(value) {
+  return value.replace(/[\x00-\x20\x7f-\x9f]+/g, "");
+}
+var SAFE_URL_PROTOCOLS = ["http:", "https:", "mailto:", "tel:", "ftp:"];
+function sanitizeUrl(url) {
+  const trimmed = stripControlChars(url).trim();
+  if (!trimmed) return "";
+  const lower = trimmed.toLowerCase();
+  let schemeEnd = -1;
+  for (let i = 0; i < lower.length; i++) {
+    const ch = lower.charCodeAt(i);
+    if (ch === 58) {
+      schemeEnd = i;
+      break;
+    }
+    if (ch === 47 || ch === 63 || ch === 35) break;
+  }
+  if (schemeEnd === -1) return trimmed;
+  const scheme = lower.slice(0, schemeEnd + 1);
+  if (!/^[a-z][a-z0-9+.-]*:$/.test(scheme)) return trimmed;
+  if (SAFE_URL_PROTOCOLS.indexOf(scheme) === -1) return "";
+  return trimmed;
+}
+
 // src/performance/domRecycler.ts
 var _isDev4 = isDev();
 var DOMPool = class {
@@ -853,11 +884,13 @@ function getDOMPool() {
 }
 var preloadedResources = /* @__PURE__ */ new Set();
 function preloadResource(url, type = "fetch") {
-  if (preloadedResources.has(url)) return;
-  preloadedResources.add(url);
+  const safe = sanitizeUrl(url);
+  if (!safe) return;
+  if (preloadedResources.has(safe)) return;
+  preloadedResources.add(safe);
   const link = document.createElement("link");
   link.rel = "preload";
-  link.href = url;
+  link.href = safe;
   switch (type) {
     case "script":
       link.setAttribute("as", "script");
@@ -875,11 +908,13 @@ function preloadResource(url, type = "fetch") {
   document.head.appendChild(link);
 }
 function prefetch(url) {
-  if (preloadedResources.has(url)) return;
-  preloadedResources.add(url);
+  const safe = sanitizeUrl(url);
+  if (!safe) return;
+  if (preloadedResources.has(safe)) return;
+  preloadedResources.add(safe);
   const link = document.createElement("link");
   link.rel = "prefetch";
-  link.href = url;
+  link.href = safe;
   document.head.appendChild(link);
 }
 function preloadImage(src) {
@@ -1307,11 +1342,14 @@ function lazyChunk(id, loader, registry, fallback) {
 }
 function preloadModule(url) {
   if (typeof document === "undefined") return;
-  const existing = document.querySelector(`link[href="${url}"][rel="modulepreload"]`);
+  const safe = sanitizeUrl(url);
+  if (!safe) return;
+  const safeHref = typeof CSS !== "undefined" && typeof CSS.escape === "function" ? CSS.escape(safe) : safe.replace(/["\\]/g, "\\$&");
+  const existing = document.querySelector(`link[rel="modulepreload"][href="${safeHref}"]`);
   if (existing) return;
   const link = document.createElement("link");
   link.rel = "modulepreload";
-  link.href = url;
+  link.href = safe;
   document.head.appendChild(link);
 }
 function preloadModules(urls) {

package/dist/performance.js

@@ -33,17 +33,17 @@ import {
   transitionState,
   uniqueId,
   yieldToMain
-} from "./chunk-4JCAUOLN.js";
+} from "./chunk-WVJJUFPC.js";
 import {
   trustHTML
-} from "./chunk-HXMS4SNP.js";
-import "./chunk-2UPRY23K.js";
-import "./chunk-HMJFCBRR.js";
-import "./chunk-FDY42FIU.js";
+} from "./chunk-R3QEDXFS.js";
+import "./chunk-5VGSK6D2.js";
+import "./chunk-L3GAGWCC.js";
+import "./chunk-7JHWAGRQ.js";
 import "./chunk-GOJMFRBL.js";
-import "./chunk-C427DVQF.js";
-import "./chunk-Z2FWAE4B.js";
-import "./chunk-LMLD24FC.js";
+import "./chunk-5K72I3UQ.js";
+import "./chunk-X3NHE2DK.js";
+import "./chunk-COY6PUD2.js";
 export {
   DOMPool,
   Features,

package/dist/plugins.cjs

@@ -22,7 +22,13 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 
 // src/core/dev.ts
 function isDev() {
-  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production";
+  return typeof globalThis.__SIBU_DEV__ !== "undefined" ? !!globalThis.__SIBU_DEV__ : (
+    // The bare `__SIBU_DEV__` is a bundler define that only exists in
+    // production builds; under the test runner it is always undefined, so
+    // this branch is unreachable here.
+    /* v8 ignore next 2 */
+    typeof __SIBU_DEV__ !== "undefined" ? __SIBU_DEV__ : typeof process !== "undefined" && process.env?.NODE_ENV !== "production"
+  );
 }
 function devAssert(condition, message) {
   if (_isDev && !condition) {
@@ -85,6 +91,7 @@ function sanitizeSrcset(value) {
   return out.join(", ");
 }
 function sanitizeCSSValue(value) {
+  if (!CSS_DANGER_GATE.test(value)) return value;
   const decoded = value.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_m, hex) => {
     const code2 = Number.parseInt(hex, 16);
     if (!Number.isFinite(code2) || code2 < 0 || code2 > 1114111) return "";
@@ -103,11 +110,18 @@ function sanitizeCSSValue(value) {
 function isUrlAttribute(attr) {
   return URL_ATTRIBUTES.has(attr.toLowerCase());
 }
-var SAFE_URL_PROTOCOLS, URL_ATTRIBUTES;
+function sanitizeAttributeString(attr, value) {
+  const lower = attr.toLowerCase();
+  if (lower === "srcset") return sanitizeSrcset(value);
+  if (URL_ATTRIBUTES.has(lower)) return sanitizeUrl(value);
+  return value;
+}
+var SAFE_URL_PROTOCOLS, CSS_DANGER_GATE, URL_ATTRIBUTES;
 var init_sanitize = __esm({
   "src/utils/sanitize.ts"() {
     "use strict";
     SAFE_URL_PROTOCOLS = ["http:", "https:", "mailto:", "tel:", "ftp:"];
+    CSS_DANGER_GATE = /[(:@\\]/;
     URL_ATTRIBUTES = /* @__PURE__ */ new Set([
       "href",
       "xlink:href",
@@ -1149,7 +1163,7 @@ function bindAttribute(el, attr, getter) {
     if ((attr === "value" || attr === "checked") && attr in el) {
       setProp(el, attr, attr === "checked" ? Boolean(value) : str);
     } else {
-      el.setAttribute(attr, isUrlAttribute(attr) ? sanitizeUrl(str) : str);
+      el.setAttribute(attr, sanitizeAttributeString(attr, str));
     }
   }
   return reactiveBinding(commit);
@@ -1298,11 +1312,8 @@ init_sanitize();
 var SVG_NS = "http://www.w3.org/2000/svg";
 var _isDev6 = isDev();
 var BLOCKED_TAGS = /* @__PURE__ */ new Set(["script", "iframe", "object", "embed", "frame", "frameset"]);
-function validateTagName(tag) {
-  const lower = tag.toLowerCase();
-  if (BLOCKED_TAGS.has(lower)) {
-    throw new Error(`tagFactory: refusing to create <${tag}> \u2014 tag is blocked for security reasons.`);
-  }
+function isBlockedTag(tag) {
+  return BLOCKED_TAGS.has(tag.toLowerCase());
 }
 var CLOBBER_RISKY_IDS = /* @__PURE__ */ new Set([
   "config",
@@ -1457,8 +1468,11 @@ function appendChildren(el, nodes) {
   }
 }
 var tagFactory = (tag, ns) => {
+  const blocked = isBlockedTag(tag);
   return (first, second) => {
-    validateTagName(tag);
+    if (blocked) {
+      throw new Error(`tagFactory: refusing to create <${tag}> \u2014 tag is blocked for security reasons.`);
+    }
     const el = ns ? document.createElementNS(ns, tag) : document.createElement(tag);
     if (first === void 0) return el;
     if (typeof first === "string") {
@@ -1528,7 +1542,6 @@ var tagFactory = (tag, ns) => {
         default: {
           const value = props[key];
           if (value == null) continue;
-          const lkey = key.toLowerCase();
           if (isEventHandlerAttr(key)) continue;
           if (typeof value === "function") {
             registerDisposer(el, bindAttribute(el, key, value));
@@ -1541,14 +1554,7 @@ var tagFactory = (tag, ns) => {
               el.removeAttribute(key);
             }
           } else {
-            const str = String(value);
-            if (lkey === "srcset") {
-              el.setAttribute(key, sanitizeSrcset(str));
-            } else if (isUrlAttribute(lkey)) {
-              el.setAttribute(key, sanitizeUrl(str));
-            } else {
-              el.setAttribute(key, str);
-            }
+            el.setAttribute(key, sanitizeAttributeString(key, String(value)));
           }
         }
       }

package/dist/plugins.js

@@ -18,7 +18,7 @@ import {
   preloadCritical,
   prerenderRoutes,
   satisfies
-} from "./chunk-RDRSWYNP.js";
+} from "./chunk-ZUVLC7TM.js";
 import {
   isUnsafeKey
 } from "./chunk-H3SRKIYX.js";
@@ -35,35 +35,35 @@ import {
 } from "./chunk-3JHCYHWN.js";
 import {
   span
-} from "./chunk-5N74TKLD.js";
+} from "./chunk-24DBWDTK.js";
 import {
   escapeScriptJson,
   isDangerousMetaRefresh,
   renderToString
-} from "./chunk-HXMS4SNP.js";
-import "./chunk-X67UYC74.js";
-import "./chunk-RLUJL2MV.js";
+} from "./chunk-R3QEDXFS.js";
+import "./chunk-NUWKIEHE.js";
+import "./chunk-Q2ERM6NT.js";
 import {
   dispose,
   registerDisposer
-} from "./chunk-2UPRY23K.js";
+} from "./chunk-5VGSK6D2.js";
 import {
   isUrlAttribute,
   sanitizeCSSValue,
   sanitizeUrl,
   stripControlChars
-} from "./chunk-HMJFCBRR.js";
+} from "./chunk-L3GAGWCC.js";
 import {
   effect
-} from "./chunk-FDY42FIU.js";
+} from "./chunk-7JHWAGRQ.js";
 import "./chunk-GOJMFRBL.js";
 import {
   signal
-} from "./chunk-C427DVQF.js";
+} from "./chunk-5K72I3UQ.js";
 import {
   track
-} from "./chunk-Z2FWAE4B.js";
-import "./chunk-LMLD24FC.js";
+} from "./chunk-X3NHE2DK.js";
+import "./chunk-COY6PUD2.js";
 
 // src/plugins/i18n.ts
 var [currentLocale, setLocaleInternal] = signal("en");
@@ -1800,7 +1800,7 @@ function hydrateRouter(routes, options) {
   if (container && serverState.path) {
     const resolved = resolveServerRoute(serverState.path, routes);
     if (resolved.component) {
-      import("./ssr-2QDQ27EV.js").then(({ hydrate }) => {
+      import("./ssr-6D67RAVB.js").then(({ hydrate }) => {
         if (resolved.component) {
           hydrate(resolved.component, container);
         }

package/dist/{ssr-2QDQ27EV.js → ssr-6D67RAVB.js}

@@ -17,10 +17,10 @@ import {
   ssrSuspense,
   suspenseSwapScript,
   trustHTML
-} from "./chunk-HXMS4SNP.js";
-import "./chunk-HMJFCBRR.js";
+} from "./chunk-R3QEDXFS.js";
+import "./chunk-L3GAGWCC.js";
 import "./chunk-GOJMFRBL.js";
-import "./chunk-LMLD24FC.js";
+import "./chunk-COY6PUD2.js";
 export {
   collectStream,
   deserializeState,