svelteplot 0.14.2-pr-555.6 → 0.14.2-pr-555.8

@@ -4,13 +4,16 @@ function isObject(item) {
4
4
  export default function mergeDeep(target, ...sources) {
5
5
  for (const source of sources) {
6
6
  if (isObject(target) && isObject(source)) {
7
- for (const key in source) {
7
+ for (const key of Object.keys(source)) {
8
+ if (key === '__proto__' || key === 'prototype' || key === 'constructor') {
9
+ continue;
10
+ }
8
11
  if (isObject(source[key])) {
9
12
  if (!target[key]) {
10
13
  Object.assign(target, { [key]: {} });
11
14
  }
12
15
  else {
13
- target[key] = Object.assign({}, target[key]);
16
+ Object.assign(target, { [key]: Object.assign({}, target[key]) });
14
17
  }
15
18
  mergeDeep(target[key], source[key]);
16
19
  }
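Review bot: The new `__proto__`/`prototype`/`constructor` skip at the top of the key loop has no comment saying why those three names are special, and a later refactor could easily fold it away; a one-liner above the `if`, such as `// prototype-pollution guard: never write through keys that reach Object.prototype or a constructor`, would anchor it. Switching from `for…in` to `Object.keys(source)` is the other half of the same guard (inherited keys are no longer visited) and belongs in that comment too. Replacing the direct `target[key] = …` assignment with `Object.assign(target, { [key]: Object.assign({}, target[key]) })` performs the same write, so I read it as satisfying a static analyzer rather than changing semantics; if that is the reason, state it in a comment so it does not look like an intended behaviour change. mergeDeep continues past this hunk (the non-object branch and the return are not shown), and isObject appears only in the hunk header, so whether arrays are treated as objects here cannot be confirmed from this view.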
@@ -32,7 +32,29 @@
32
32
 
33
33
  let { datum = {} as Datum, options = {}, children }: AnchorProps = $props();
34
34
 
35
- const href = $derived(resolveProp(options.href, datum, null));
35
+ const sanitizeHref = (value: unknown): string | null => {
36
+ if (typeof value !== 'string') return null;
37
+ const href = value.trim();
38
+ if (!href) return null;
39
+ if (
40
+ href.startsWith('#') ||
41
+ href.startsWith('/') ||
42
+ href.startsWith('./') ||
43
+ href.startsWith('../') ||
44
+ href.startsWith('?')
45
+ ) {
46
+ return href;
47
+ }
48
+ const schemeMatch = href.match(/^([a-zA-Z][a-zA-Z\d+.-]*):/);
49
+ if (!schemeMatch) return href;
50
+ const protocol = schemeMatch[1].toLowerCase();
51
+ if (protocol === 'http' || protocol === 'https' || protocol === 'mailto') {
52
+ return href;
53
+ }
54
+ return null;
55
+ };
56
+
57
+ const href = $derived(sanitizeHref(resolveProp(options.href, datum, null)));
36
58
  const target = $derived(resolveProp(options.target, datum, null));
37
59
  const rel = $derived(resolveProp(options.rel, datum, null));
38
60
  const type = $derived(resolveProp(options.type, datum, null));
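Review bot: `sanitizeHref` returns its input unchanged when the scheme regex does not match (`if (!schemeMatch) return href;`), so a value whose scheme is interrupted by an embedded tab or newline, or that begins with a C0 control character, is passed through even though the WHATWG URL parser removes exactly those characters before it reads the scheme; `trim()` only strips leading and trailing whitespace. Rejecting any control character that survives the trim closes that gap, e.g. `if (/[\u0000-\u001f\u007f]/.test(href)) return null;` placed directly after `if (!href) return null;`. The `href.startsWith('/')` branch also admits protocol-relative `//host/...` values; if only same-document and same-origin links are intended, add `!href.startsWith('//')` to that branch. Under `noUncheckedIndexedAccess`, `schemeMatch[1]` is `string | undefined`, so `schemeMatch[1].toLowerCase()` will not compile; `schemeMatch[1]?.toLowerCase() ?? ''` keeps the same behaviour. A short comment on the function naming the allowlist (fragment, path-relative, query, http, https, mailto) would help the next reader see what is deliberately excluded.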
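--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "svelteplot",
- "version": "0.14.2-pr-555.6",
+ "version": "0.14.2-pr-555.8",
  "description": "A Svelte-native data visualization framework based on the layered grammar of graphics principles.",
  "keywords": [
  "svelte",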