tldts 7.2.1 → 7.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/index.js +110 -6
- package/dist/cjs/index.js.map +1 -1
- package/dist/index.cjs.min.js +1 -1
- package/dist/index.cjs.min.js.map +1 -1
- package/dist/index.esm.min.js +1 -1
- package/dist/index.esm.min.js.map +1 -1
- package/dist/index.umd.min.js +1 -1
- package/dist/index.umd.min.js.map +1 -1
- package/package.json +4 -4
package/dist/cjs/index.js
CHANGED
|
@@ -98,6 +98,34 @@ function getDomainWithoutSuffix$1(domain, suffix) {
|
|
|
98
98
|
* re-parse) on the rare input that actually contains one.
|
|
99
99
|
*/
|
|
100
100
|
const CONTROL_CHARS = /[\t\n\r]/g;
|
|
101
|
+
// Set by `extractHostname` (a module-scope flag, read synchronously by
|
|
102
|
+
// `parseImpl` right after the call — same pattern as the reused RESULT object).
|
|
103
|
+
// `true` ONLY when extraction validated the returned host inline (a confirmed-
|
|
104
|
+
// valid, "simple" authority) so `parseImpl` can skip the separate
|
|
105
|
+
// `isValidHostname` pass. `false` in every other case (validation disabled, a
|
|
106
|
+
// complex authority — userinfo/port/brackets/trailing-dot/control — an invalid
|
|
107
|
+
// host, or a non-main return path); `parseImpl` then validates as usual. The
|
|
108
|
+
// fast path can only ever SKIP a redundant scan for hosts already known valid,
|
|
109
|
+
// never accept an invalid one.
|
|
110
|
+
let extractedHostnameValidated = false;
|
|
111
|
+
/**
|
|
112
|
+
* True if char `code` is a valid hostname character. This is the per-char half
|
|
113
|
+
* of `is-valid.ts`'s `isValidAscii` (a-z, 0-9, > U+007F) PLUS three additions:
|
|
114
|
+
* A-Z (the host is lowercased before validation, so uppercase ≡ a valid
|
|
115
|
+
* lowercase letter) and '-' / '_' (valid inside a label). KEEP IN SYNC with
|
|
116
|
+
* `is-valid.ts`: these rules are deliberately duplicated to validate during
|
|
117
|
+
* extraction, so any change to the accepted character set there must be
|
|
118
|
+
* mirrored here (and vice-versa).
|
|
119
|
+
*/
|
|
120
|
+
function isValidHostnameChar(code) {
|
|
121
|
+
return ((code >= 97 && code <= 122) || // a-z
|
|
122
|
+
(code >= 48 && code <= 57) || // 0-9
|
|
123
|
+
code > 127 || // non-ASCII (accepted, not punycode-checked)
|
|
124
|
+
(code >= 65 && code <= 90) || // A-Z (becomes valid once lowercased)
|
|
125
|
+
code === 45 || // '-'
|
|
126
|
+
code === 95 // '_'
|
|
127
|
+
);
|
|
128
|
+
}
|
|
101
129
|
/**
|
|
102
130
|
* Classify scheme `url.slice(schemeStart, colonIndex)` as a WHATWG special
|
|
103
131
|
* scheme without allocating a substring (case-insensitive via `| 32`).
|
|
@@ -154,12 +182,16 @@ function getSpecialScheme(url, schemeStart, colonIndex) {
|
|
|
154
182
|
* @param urlIsValidHostname - when true, `url` is already a valid hostname and is
|
|
155
183
|
* returned by the same reference (factory.ts skips re-validation on that
|
|
156
184
|
* identity), keeping the common path allocation-free.
|
|
185
|
+
* @param validate - when true, validate the host inline during the authority
|
|
186
|
+
* scan and publish the verdict via `extractedHostnameValidated` so `parseImpl`
|
|
187
|
+
* can skip the redundant `isValidHostname` pass for simple authorities.
|
|
157
188
|
*/
|
|
158
|
-
function extractHostname(url, urlIsValidHostname) {
|
|
189
|
+
function extractHostname(url, urlIsValidHostname, validate = false) {
|
|
159
190
|
let start = 0;
|
|
160
191
|
let end = url.length;
|
|
161
192
|
let hasUpper = false;
|
|
162
193
|
let isSpecial = false;
|
|
194
|
+
extractedHostnameValidated = false;
|
|
163
195
|
if (!urlIsValidHostname) {
|
|
164
196
|
// Data URLs never carry a host (and may be huge — short-circuit them).
|
|
165
197
|
if (url.startsWith('data:')) {
|
|
@@ -221,7 +253,7 @@ function extractHostname(url, urlIsValidHostname) {
|
|
|
221
253
|
)) {
|
|
222
254
|
const raw = url.charCodeAt(i);
|
|
223
255
|
if (raw === 9 || raw === 10 || raw === 13) {
|
|
224
|
-
return extractHostname(url.replace(CONTROL_CHARS, ''), urlIsValidHostname);
|
|
256
|
+
return extractHostname(url.replace(CONTROL_CHARS, ''), urlIsValidHostname, validate);
|
|
225
257
|
}
|
|
226
258
|
return null;
|
|
227
259
|
}
|
|
@@ -246,7 +278,7 @@ function extractHostname(url, urlIsValidHostname) {
|
|
|
246
278
|
for (let i = start; i < end; i += 1) {
|
|
247
279
|
const code = url.charCodeAt(i);
|
|
248
280
|
if (code === 9 || code === 10 || code === 13) {
|
|
249
|
-
return extractHostname(url.replace(CONTROL_CHARS, ''), urlIsValidHostname);
|
|
281
|
+
return extractHostname(url.replace(CONTROL_CHARS, ''), urlIsValidHostname, validate);
|
|
250
282
|
}
|
|
251
283
|
if (code === 58 /* ':' */) {
|
|
252
284
|
indexOfColon = i;
|
|
@@ -348,11 +380,31 @@ function extractHostname(url, urlIsValidHostname) {
|
|
|
348
380
|
// '@') to tell a bare IPv6 (>= 2 colons) from a host:port (exactly one);
|
|
349
381
|
// flag uppercase and a stray tab/newline. The loop is split on `code < 64`
|
|
350
382
|
// so common host characters take fewer comparisons.
|
|
383
|
+
//
|
|
384
|
+
// When `validate`, also accumulate `is-valid.ts`'s checks over the scanned
|
|
385
|
+
// run so a simple authority's host can be validated in this single pass.
|
|
386
|
+
// `vValid` only stays meaningful for a "simple" authority (no userinfo, port,
|
|
387
|
+
// brackets, control or trailing dot); those cases clear it / are rejected by
|
|
388
|
+
// the guard below, falling back to `isValidHostname`.
|
|
351
389
|
let indexOfIdentifier = -1;
|
|
352
390
|
let indexOfClosingBracket = -1;
|
|
353
391
|
let indexOfPort = -1;
|
|
354
392
|
let indexOfFirstColon = -1;
|
|
355
393
|
let hasControl = false;
|
|
394
|
+
let vValid = validate; // seeded true when validating; cleared on the first invalid char
|
|
395
|
+
let vLastDot = start - 1; // mirrors is-valid.ts `lastDotIndex = -1` at host start
|
|
396
|
+
let vLastCode = -1;
|
|
397
|
+
if (validate && start < end) {
|
|
398
|
+
// First-char rule: must be a valid host char, '.', or '_' (NOT '-').
|
|
399
|
+
const c0 = url.charCodeAt(start);
|
|
400
|
+
if (!(
|
|
401
|
+
/*@__INLINE__*/ (isValidHostnameChar(c0) ||
|
|
402
|
+
c0 === 46 /* '.' */ ||
|
|
403
|
+
c0 === 95 /* '_' */)) ||
|
|
404
|
+
c0 === 45 /* '-' (isValidHostnameChar allows it mid-label, not first) */) {
|
|
405
|
+
vValid = false;
|
|
406
|
+
}
|
|
407
|
+
}
|
|
356
408
|
for (let i = start; i < end; i += 1) {
|
|
357
409
|
const code = url.charCodeAt(i);
|
|
358
410
|
if (code < 64) {
|
|
@@ -369,6 +421,21 @@ function extractHostname(url, urlIsValidHostname) {
|
|
|
369
421
|
else if (code === 9 || code === 10 || code === 13) {
|
|
370
422
|
hasControl = true;
|
|
371
423
|
}
|
|
424
|
+
else if (validate) {
|
|
425
|
+
if (code === 46 /* '.' */) {
|
|
426
|
+
if (i - vLastDot > 64 || vLastCode === 46 || vLastCode === 45) {
|
|
427
|
+
vValid = false;
|
|
428
|
+
}
|
|
429
|
+
vLastDot = i;
|
|
430
|
+
}
|
|
431
|
+
else if (code < 48 || code > 57) {
|
|
432
|
+
// < 64 and not a delimiter/dot/digit => only '-' (45) is a valid
|
|
433
|
+
// host char here; everything else (space, %, !, etc.) is invalid.
|
|
434
|
+
if (code !== 45) {
|
|
435
|
+
vValid = false;
|
|
436
|
+
}
|
|
437
|
+
}
|
|
438
|
+
}
|
|
372
439
|
}
|
|
373
440
|
else if (isSpecial && code === 92 /* '\' */) {
|
|
374
441
|
end = i;
|
|
@@ -384,10 +451,17 @@ function extractHostname(url, urlIsValidHostname) {
|
|
|
384
451
|
else if (code >= 65 && code <= 90) {
|
|
385
452
|
hasUpper = true;
|
|
386
453
|
}
|
|
454
|
+
else if (validate && !( /*@__INLINE__*/isValidHostnameChar(code))) {
|
|
455
|
+
// >= 64, not '@'/']'/upper: valid only if a-z, '_', or non-ASCII.
|
|
456
|
+
vValid = false;
|
|
457
|
+
}
|
|
458
|
+
if (validate) {
|
|
459
|
+
vLastCode = code;
|
|
460
|
+
}
|
|
387
461
|
}
|
|
388
462
|
// A tab/newline inside the authority: strip everything and re-parse (rare).
|
|
389
463
|
if (hasControl) {
|
|
390
|
-
return extractHostname(url.replace(CONTROL_CHARS, ''), urlIsValidHostname);
|
|
464
|
+
return extractHostname(url.replace(CONTROL_CHARS, ''), urlIsValidHostname, validate);
|
|
391
465
|
}
|
|
392
466
|
// Skip userinfo. '>= start' so an empty userinfo ("http://@host") works too.
|
|
393
467
|
if (indexOfIdentifier !== -1 &&
|
|
@@ -416,6 +490,28 @@ function extractHostname(url, urlIsValidHostname) {
|
|
|
416
490
|
if (start >= end) {
|
|
417
491
|
return null;
|
|
418
492
|
}
|
|
493
|
+
// Publish the inline-validation verdict — but only for a "simple" authority,
|
|
494
|
+
// where the scanned run equals the final host: no userinfo skip, no port
|
|
495
|
+
// trim, no brackets, no trailing dot (trimmed below), and length within RFC
|
|
496
|
+
// limits. Anything else leaves it `false` so `parseImpl` re-validates.
|
|
497
|
+
//
|
|
498
|
+
// Every clause below is load-bearing for CORRECTNESS, not just speed: the
|
|
499
|
+
// loop accumulates `vValid` over the whole scanned run (it does not stop at
|
|
500
|
+
// ':' or '@', so any port/userinfo bytes are included), so the verdict is
|
|
501
|
+
// only sound when that run equals the final host. Do not drop a clause as
|
|
502
|
+
// "redundant" — e.g. without `indexOfPort === -1`, `host:8080` would be
|
|
503
|
+
// wrongly accepted.
|
|
504
|
+
if (validate &&
|
|
505
|
+
vValid &&
|
|
506
|
+
indexOfIdentifier === -1 &&
|
|
507
|
+
indexOfPort === -1 &&
|
|
508
|
+
indexOfClosingBracket === -1 &&
|
|
509
|
+
url.charCodeAt(end - 1) !== 46 /* no trailing dot */ &&
|
|
510
|
+
end - start <= 255 && // total length
|
|
511
|
+
end - vLastDot - 1 <= 63 && // last label length
|
|
512
|
+
vLastCode !== 45 /* last char not '-' */) {
|
|
513
|
+
extractedHostnameValidated = true;
|
|
514
|
+
}
|
|
419
515
|
}
|
|
420
516
|
// Trim trailing dots
|
|
421
517
|
while (end > start + 1 && url.charCodeAt(end - 1) === 46 /* '.' */) {
|
|
@@ -567,6 +663,11 @@ function isSpecialUse(hostname) {
|
|
|
567
663
|
*
|
|
568
664
|
* If you need stricter validation, consider using an external library.
|
|
569
665
|
*/
|
|
666
|
+
// KEEP IN SYNC with `extract-hostname.ts` `isValidHostnameChar` + its inline
|
|
667
|
+
// scan/verdict, which duplicate these structural rules to validate during
|
|
668
|
+
// extraction (a perf fusion). That copy additionally accepts A-Z (the host is
|
|
669
|
+
// not yet lowercased there) and folds in '-' / '_'. Any change to the accepted
|
|
670
|
+
// character set or the label/length rules here must be mirrored there.
|
|
570
671
|
function isValidAscii(code) {
|
|
571
672
|
return ((code >= 97 && code <= 122) || (code >= 48 && code <= 57) || code > 127);
|
|
572
673
|
}
|
|
@@ -712,10 +813,10 @@ function parseImpl(url, step, suffixLookup, partialOptions, result) {
|
|
|
712
813
|
}
|
|
713
814
|
else if (options.mixedInputs) {
|
|
714
815
|
urlIsValid = isValidHostname(url);
|
|
715
|
-
result.hostname = extractHostname(url, urlIsValid);
|
|
816
|
+
result.hostname = extractHostname(url, urlIsValid, options.validateHostname);
|
|
716
817
|
}
|
|
717
818
|
else {
|
|
718
|
-
result.hostname = extractHostname(url, false);
|
|
819
|
+
result.hostname = extractHostname(url, false, options.validateHostname);
|
|
719
820
|
}
|
|
720
821
|
// Check if `hostname` is a valid ip address
|
|
721
822
|
if (options.detectIp && result.hostname !== null) {
|
|
@@ -734,6 +835,9 @@ function parseImpl(url, step, suffixLookup, partialOptions, result) {
|
|
|
734
835
|
// Skip the re-scan when `url` was already validated and extractHostname
|
|
735
836
|
// returned it unchanged (same reference => identical string, still valid).
|
|
736
837
|
!(urlIsValid && result.hostname === url) &&
|
|
838
|
+
// Skip the re-scan when extractHostname already validated the host inline
|
|
839
|
+
// (a confirmed-valid simple authority — see extract-hostname.ts).
|
|
840
|
+
!extractedHostnameValidated &&
|
|
737
841
|
!isValidHostname(result.hostname)) {
|
|
738
842
|
result.hostname = null;
|
|
739
843
|
return result;
|