unhead 2.1.10 → 2.1.12

package/dist/client.mjs

@@ -1,6 +1,6 @@
-import { a as createUnhead } from './shared/unhead.D_nrZZPH.mjs';
+import { a as createUnhead } from './shared/unhead.Ct24BOby.mjs';
 import { H as HasElementTags } from './shared/unhead.yem5I2v_.mjs';
-import { i as isMetaArrayDupeKey, a as normalizeProps, d as dedupeKey, h as hashTag } from './shared/unhead.fVVqDC1O.mjs';
+import { i as isMetaArrayDupeKey, a as normalizeProps, d as dedupeKey, h as hashTag } from './shared/unhead.B5FWS6X0.mjs';
 import 'hookable';
 import './shared/unhead.CbpEuj3y.mjs';
 

package/dist/index.mjs

@@ -1,9 +1,9 @@
-export { u as useHead, a as useHeadSafe, b as useSeoMeta, c as useServerHead, d as useServerHeadSafe, e as useServerSeoMeta } from './shared/unhead.BPM0-cfG.mjs';
-export { c as createHeadCore, a as createUnhead } from './shared/unhead.D_nrZZPH.mjs';
+export { u as useHead, a as useHeadSafe, b as useSeoMeta, c as useServerHead, d as useServerHeadSafe, e as useServerSeoMeta } from './shared/unhead._ybhDo-G.mjs';
+export { c as createHeadCore, a as createUnhead } from './shared/unhead.Ct24BOby.mjs';
 export { u as useScript } from './shared/unhead.BnoAbrHA.mjs';
-import './shared/unhead.CApf5sj3.mjs';
+import './shared/unhead.0eF0fa-Y.mjs';
 import './shared/unhead.DQc16pHI.mjs';
 import './shared/unhead.yem5I2v_.mjs';
 import 'hookable';
-import './shared/unhead.fVVqDC1O.mjs';
+import './shared/unhead.B5FWS6X0.mjs';
 import './shared/unhead.CbpEuj3y.mjs';

package/dist/legacy.mjs

@@ -1,12 +1,12 @@
-import { a as createUnhead } from './shared/unhead.D_nrZZPH.mjs';
-import { D as DeprecationsPlugin, P as PromisesPlugin, T as TemplateParamsPlugin, A as AliasSortingPlugin } from './shared/unhead.ckV6dpEQ.mjs';
-export { u as useHead, a as useHeadSafe, b as useSeoMeta, c as useServerHead, d as useServerHeadSafe, e as useServerSeoMeta } from './shared/unhead.BPM0-cfG.mjs';
+import { a as createUnhead } from './shared/unhead.Ct24BOby.mjs';
+import { D as DeprecationsPlugin, P as PromisesPlugin, T as TemplateParamsPlugin, A as AliasSortingPlugin } from './shared/unhead.Chhckluj.mjs';
+export { u as useHead, a as useHeadSafe, b as useSeoMeta, c as useServerHead, d as useServerHeadSafe, e as useServerSeoMeta } from './shared/unhead._ybhDo-G.mjs';
 export { u as useScript } from './shared/unhead.BnoAbrHA.mjs';
 import 'hookable';
-import './shared/unhead.fVVqDC1O.mjs';
+import './shared/unhead.B5FWS6X0.mjs';
 import './shared/unhead.yem5I2v_.mjs';
 import './shared/unhead.CbpEuj3y.mjs';
-import './shared/unhead.CApf5sj3.mjs';
+import './shared/unhead.0eF0fa-Y.mjs';
 import './shared/unhead.DQc16pHI.mjs';
 import './shared/unhead.BYvz9V1x.mjs';
 

package/dist/plugins.mjs

@@ -1,6 +1,6 @@
-export { A as AliasSortingPlugin, D as DeprecationsPlugin, P as PromisesPlugin, T as TemplateParamsPlugin } from './shared/unhead.ckV6dpEQ.mjs';
-import { d as defineHeadPlugin } from './shared/unhead.CApf5sj3.mjs';
-export { F as FlatMetaPlugin, S as SafeInputPlugin } from './shared/unhead.CApf5sj3.mjs';
+export { A as AliasSortingPlugin, D as DeprecationsPlugin, P as PromisesPlugin, T as TemplateParamsPlugin } from './shared/unhead.Chhckluj.mjs';
+import { d as defineHeadPlugin } from './shared/unhead.0eF0fa-Y.mjs';
+export { F as FlatMetaPlugin, S as SafeInputPlugin } from './shared/unhead.0eF0fa-Y.mjs';
 import './shared/unhead.CbpEuj3y.mjs';
 import './shared/unhead.BYvz9V1x.mjs';
 import './shared/unhead.DQc16pHI.mjs';

package/dist/server.mjs

@@ -1,8 +1,8 @@
-import { a as createUnhead } from './shared/unhead.D_nrZZPH.mjs';
+import { a as createUnhead } from './shared/unhead.Ct24BOby.mjs';
 import { T as TagsWithInnerContent, S as SelfClosingTags } from './shared/unhead.yem5I2v_.mjs';
 import { parseHtmlForUnheadExtraction, applyHeadToHtml, parseHtmlForIndexes } from './parser.mjs';
 import 'hookable';
-import './shared/unhead.fVVqDC1O.mjs';
+import './shared/unhead.B5FWS6X0.mjs';
 import './shared/unhead.CbpEuj3y.mjs';
 
 // @__NO_SIDE_EFFECTS__

package/dist/shared/unhead.0eF0fa-Y.mjs

@@ -0,0 +1,236 @@
+import { u as unpackMeta } from './unhead.DQc16pHI.mjs';
+
+function defineHeadPlugin(plugin) {
+  return plugin;
+}
+
+const FlatMetaPlugin = /* @__PURE__ */ defineHeadPlugin({
+  key: "flatMeta",
+  hooks: {
+    "entries:normalize": (ctx) => {
+      const tagsToAdd = [];
+      ctx.tags = ctx.tags.map((t) => {
+        if (t.tag !== "_flatMeta") {
+          return t;
+        }
+        tagsToAdd.push(unpackMeta(t.props).map((p) => ({
+          ...t,
+          tag: "meta",
+          props: p
+        })));
+        return false;
+      }).filter(Boolean).concat(...tagsToAdd);
+    }
+  }
+});
+
+const WhitelistAttributes = {
+  htmlAttrs: /* @__PURE__ */ new Set(["class", "style", "lang", "dir"]),
+  bodyAttrs: /* @__PURE__ */ new Set(["class", "style"]),
+  meta: /* @__PURE__ */ new Set(["name", "property", "charset", "content", "media"]),
+  noscript: /* @__PURE__ */ new Set([]),
+  style: /* @__PURE__ */ new Set(["media", "nonce", "title", "blocking"]),
+  script: /* @__PURE__ */ new Set(["type", "textContent", "nonce", "blocking"]),
+  link: /* @__PURE__ */ new Set(["color", "crossorigin", "fetchpriority", "href", "hreflang", "imagesrcset", "imagesizes", "integrity", "media", "referrerpolicy", "rel", "sizes", "type"])
+};
+const BlockedLinkRels = /* @__PURE__ */ new Set(["canonical", "modulepreload", "prerender", "preload", "prefetch", "dns-prefetch", "preconnect", "manifest", "pingback"]);
+const SafeAttrName = /^[a-z][a-z0-9\-]*[a-z0-9]$/i;
+const HtmlEntityHex = /&#x([0-9a-f]{1,6});?/gi;
+const HtmlEntityDec = /&#(\d{1,7});?/g;
+const HtmlEntityNamed = /&(tab|newline|colon|semi|lpar|rpar|sol|bsol|comma|period|excl|num|dollar|percnt|amp|apos|ast|plus|lt|gt|equals|quest|at|lsqb|rsqb|lcub|rcub|vert|hat|grave|tilde|nbsp);?/gi;
+const ControlChars = /[\x00-\x20]+/g;
+const NamedEntityMap = {
+  tab: "	",
+  newline: "\n",
+  colon: ":",
+  semi: ";",
+  lpar: "(",
+  rpar: ")",
+  sol: "/",
+  bsol: "\\",
+  comma: ",",
+  period: ".",
+  excl: "!",
+  num: "#",
+  dollar: "$",
+  percnt: "%",
+  amp: "&",
+  apos: "'",
+  ast: "*",
+  plus: "+",
+  lt: "<",
+  gt: ">",
+  equals: "=",
+  quest: "?",
+  at: "@",
+  lsqb: "[",
+  rsqb: "]",
+  lcub: "{",
+  rcub: "}",
+  vert: "|",
+  hat: "^",
+  grave: "`",
+  tilde: "~",
+  nbsp: "\xA0"
+};
+function safeFromCodePoint(codePoint) {
+  if (codePoint > 1114111 || codePoint < 0 || Number.isNaN(codePoint))
+    return "";
+  return String.fromCodePoint(codePoint);
+}
+function decodeHtmlEntities(str) {
+  return str.replace(HtmlEntityHex, (_, hex) => safeFromCodePoint(Number.parseInt(hex, 16))).replace(HtmlEntityDec, (_, dec) => safeFromCodePoint(Number(dec))).replace(HtmlEntityNamed, (_, name) => NamedEntityMap[name.toLowerCase()] || "");
+}
+function hasDangerousProtocol(url) {
+  const entityDecoded = decodeHtmlEntities(url);
+  const cleaned = entityDecoded.replace(ControlChars, "");
+  let decoded;
+  try {
+    decoded = decodeURIComponent(cleaned);
+  } catch {
+    decoded = cleaned;
+  }
+  const sanitized = decoded.replace(ControlChars, "");
+  const lower = sanitized.toLowerCase();
+  return lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:");
+}
+function stripProtoKeys(obj) {
+  if (Array.isArray(obj))
+    return obj.map(stripProtoKeys);
+  if (obj && typeof obj === "object") {
+    const clean = {};
+    for (const key of Object.keys(obj)) {
+      if (key === "__proto__" || key === "constructor" || key === "prototype")
+        continue;
+      clean[key] = stripProtoKeys(obj[key]);
+    }
+    return clean;
+  }
+  return obj;
+}
+function acceptDataAttrs(value, allowId = true) {
+  return Object.fromEntries(
+    Object.entries(value || {}).filter(([key]) => (allowId && key === "id" || key.startsWith("data-")) && SafeAttrName.test(key))
+  );
+}
+function makeTagSafe(tag) {
+  let next = {};
+  const { tag: type, props: prev } = tag;
+  switch (type) {
+    // title: textContent is escaped in rendering (tagToString), no props needed
+    case "title":
+      break;
+    // virtual tags, not rendered to HTML — but sanitize to prevent injection if rendered
+    case "titleTemplate":
+    case "templateParams":
+      next = prev;
+      break;
+    case "htmlAttrs":
+    case "bodyAttrs":
+      WhitelistAttributes[type].forEach((attr) => {
+        if (prev[attr]) {
+          next[attr] = prev[attr];
+        }
+      });
+      delete tag.innerHTML;
+      delete tag.textContent;
+      tag.props = { ...acceptDataAttrs(prev, false), ...next };
+      return !Object.keys(tag.props).length ? false : tag;
+    case "style":
+      next = acceptDataAttrs(prev);
+      WhitelistAttributes.style.forEach((key) => {
+        if (prev[key]) {
+          next[key] = prev[key];
+        }
+      });
+      break;
+    // meta is safe, except for http-equiv
+    case "meta":
+      WhitelistAttributes.meta.forEach((key) => {
+        if (prev[key]) {
+          next[key] = prev[key];
+        }
+      });
+      break;
+    // link tags we block preloading, prerendering, prefetching, dns-prefetch, preconnect, manifest, etc
+    case "link":
+      WhitelistAttributes.link.forEach((key) => {
+        const val = prev[key];
+        if (!val) {
+          return;
+        }
+        if (key === "rel" && (typeof val !== "string" || BlockedLinkRels.has(val.toLowerCase()))) {
+          return;
+        }
+        if (key === "href" || key === "imagesrcset") {
+          if (typeof val !== "string") {
+            return;
+          }
+          const urls = key === "imagesrcset" ? val.split(",").map((s) => s.trim()) : [val];
+          if (urls.some((u) => hasDangerousProtocol(u))) {
+            return;
+          }
+          next[key] = val;
+        } else if (val) {
+          next[key] = val;
+        }
+      });
+      if (!next.href && !next.imagesrcset || !next.rel) {
+        return false;
+      }
+      break;
+    case "noscript":
+      WhitelistAttributes.noscript.forEach((key) => {
+        if (prev[key]) {
+          next[key] = prev[key];
+        }
+      });
+      break;
+    // we only allow JSON in scripts
+    case "script":
+      if (!tag.textContent || typeof prev.type !== "string" || !prev.type.endsWith("json")) {
+        return false;
+      }
+      try {
+        const jsonVal = typeof tag.textContent === "string" ? JSON.parse(tag.textContent) : tag.textContent;
+        tag.textContent = JSON.stringify(stripProtoKeys(jsonVal), null, 0);
+      } catch {
+        return false;
+      }
+      WhitelistAttributes.script.forEach((s) => {
+        if (s !== "textContent" && prev[s]) {
+          next[s] = prev[s];
+        }
+      });
+      break;
+  }
+  delete tag.innerHTML;
+  if (type !== "title" && type !== "script") {
+    delete tag.textContent;
+  }
+  tag.props = { ...acceptDataAttrs(prev), ...next };
+  if (!Object.keys(tag.props).length && !tag.tag.endsWith("Attrs") && !tag.textContent) {
+    return false;
+  }
+  return tag;
+}
+const SafeInputPlugin = (
+  /* @PURE */
+  defineHeadPlugin({
+    key: "safe",
+    hooks: {
+      "entries:normalize": (ctx) => {
+        if (ctx.entry.options?._safe) {
+          ctx.tags = ctx.tags.reduce((acc, tag) => {
+            const safeTag = makeTagSafe(tag);
+            if (safeTag)
+              acc.push(safeTag);
+            return acc;
+          }, []);
+        }
+      }
+    }
+  })
+);
+
+export { FlatMetaPlugin as F, SafeInputPlugin as S, defineHeadPlugin as d };

package/dist/shared/{unhead.fVVqDC1O.mjs → unhead.B5FWS6X0.mjs}

@@ -1,4 +1,4 @@
-import { U as UniqueTags, T as TagsWithInnerContent, M as MetaTagsArrayable, a as TagConfigKeys, D as DupeableTags } from './unhead.yem5I2v_.mjs';
+import { U as UniqueTags, T as TagsWithInnerContent, M as MetaTagsArrayable, H as HasElementTags, a as TagConfigKeys, D as DupeableTags } from './unhead.yem5I2v_.mjs';
 
 const allowedMetaProperties = ["name", "property", "http-equiv"];
 const StandardSingleMetaTags = /* @__PURE__ */ new Set([
@@ -124,17 +124,20 @@ function normalizeProps(tag, input) {
     tag.props = input;
     return tag;
   }
-  Object.entries(input).forEach(([key, value]) => {
+  const isHtmlTag = HasElementTags.has(tag.tag) || tag.tag === "htmlAttrs" || tag.tag === "bodyAttrs";
+  Object.entries(input).forEach(([prop, value]) => {
+    if (prop === "__proto__" || prop === "constructor" || prop === "prototype")
+      return;
     if (value === null) {
-      tag.props[key] = null;
+      tag.props[prop] = null;
       return;
     }
-    if (key === "class" || key === "style") {
-      tag.props[key] = normalizeStyleClassProps(key, value);
+    if (prop === "class" || prop === "style") {
+      tag.props[prop] = normalizeStyleClassProps(prop, value);
       return;
     }
-    if (TagConfigKeys.has(key)) {
-      if (["textContent", "innerHTML"].includes(key) && typeof value === "object") {
+    if (TagConfigKeys.has(prop)) {
+      if ((prop === "textContent" || prop === "innerHTML") && typeof value === "object") {
         let type = input.type;
         if (!input.type) {
           type = "application/json";
@@ -144,14 +147,15 @@ function normalizeProps(tag, input) {
         }
         input.type = type;
         tag.props.type = type;
-        tag[key] = JSON.stringify(value);
+        tag[prop] = JSON.stringify(value);
       } else {
-        tag[key] = value;
+        tag[prop] = value;
       }
       return;
     }
+    const isDataKey = prop.startsWith("data-");
+    const key = isHtmlTag && !isDataKey ? prop.toLowerCase() : prop;
     const strValue = String(value);
-    const isDataKey = key.startsWith("data-");
     const isMetaContentKey = tag.tag === "meta" && key === "content";
     if (strValue === "true" || strValue === "") {
       tag.props[key] = isDataKey || isMetaContentKey ? strValue : true;

package/dist/shared/{unhead.ckV6dpEQ.mjs → unhead.Chhckluj.mjs}

@@ -1,4 +1,4 @@
-import { d as defineHeadPlugin } from './unhead.CApf5sj3.mjs';
+import { d as defineHeadPlugin } from './unhead.0eF0fa-Y.mjs';
 import { s as sortTags } from './unhead.CbpEuj3y.mjs';
 import { p as processTemplateParams } from './unhead.BYvz9V1x.mjs';
 

package/dist/shared/{unhead.D_nrZZPH.mjs → unhead.Ct24BOby.mjs}

@@ -1,5 +1,5 @@
 import { createHooks } from 'hookable';
-import { n as normalizeEntryToTags, d as dedupeKey, h as hashTag, i as isMetaArrayDupeKey } from './unhead.fVVqDC1O.mjs';
+import { n as normalizeEntryToTags, d as dedupeKey, h as hashTag, i as isMetaArrayDupeKey } from './unhead.B5FWS6X0.mjs';
 import { t as tagWeight, s as sortTags } from './unhead.CbpEuj3y.mjs';
 import { c as UsesMergeStrategy, V as ValidHeadTags } from './unhead.yem5I2v_.mjs';
 

package/dist/shared/{unhead.BPM0-cfG.mjs → unhead._ybhDo-G.mjs}

@@ -1,4 +1,4 @@
-import { S as SafeInputPlugin, F as FlatMetaPlugin } from './unhead.CApf5sj3.mjs';
+import { S as SafeInputPlugin, F as FlatMetaPlugin } from './unhead.0eF0fa-Y.mjs';
 
 function useHead(unhead, input, options = {}) {
   return unhead.push(input || {}, options);

package/dist/utils.mjs

@@ -1,5 +1,5 @@
 export { D as DupeableTags, H as HasElementTags, M as MetaTagsArrayable, b as ScriptNetworkEvents, S as SelfClosingTags, a as TagConfigKeys, T as TagsWithInnerContent, U as UniqueTags, c as UsesMergeStrategy, V as ValidHeadTags } from './shared/unhead.yem5I2v_.mjs';
-export { d as dedupeKey, h as hashTag, i as isMetaArrayDupeKey, n as normalizeEntryToTags, a as normalizeProps, w as walkResolver } from './shared/unhead.fVVqDC1O.mjs';
+export { d as dedupeKey, h as hashTag, i as isMetaArrayDupeKey, n as normalizeEntryToTags, a as normalizeProps, w as walkResolver } from './shared/unhead.B5FWS6X0.mjs';
 export { r as resolveMetaKeyType, a as resolveMetaKeyValue, b as resolvePackedMetaObjectValue, u as unpackMeta } from './shared/unhead.DQc16pHI.mjs';
 export { s as sortTags, t as tagWeight } from './shared/unhead.CbpEuj3y.mjs';
 export { p as processTemplateParams } from './shared/unhead.BYvz9V1x.mjs';

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "unhead",
   "type": "module",
-  "version": "2.1.10",
+  "version": "2.1.12",
   "description": "Full-stack <head> manager built for any framework.",
   "author": {
     "name": "Harlan Wilton",

package/dist/shared/unhead.CApf5sj3.mjs

@@ -1,148 +0,0 @@
-import { u as unpackMeta } from './unhead.DQc16pHI.mjs';
-
-function defineHeadPlugin(plugin) {
-  return plugin;
-}
-
-const FlatMetaPlugin = /* @__PURE__ */ defineHeadPlugin({
-  key: "flatMeta",
-  hooks: {
-    "entries:normalize": (ctx) => {
-      const tagsToAdd = [];
-      ctx.tags = ctx.tags.map((t) => {
-        if (t.tag !== "_flatMeta") {
-          return t;
-        }
-        tagsToAdd.push(unpackMeta(t.props).map((p) => ({
-          ...t,
-          tag: "meta",
-          props: p
-        })));
-        return false;
-      }).filter(Boolean).concat(...tagsToAdd);
-    }
-  }
-});
-
-const WhitelistAttributes = {
-  htmlAttrs: /* @__PURE__ */ new Set(["class", "style", "lang", "dir"]),
-  bodyAttrs: /* @__PURE__ */ new Set(["class", "style"]),
-  meta: /* @__PURE__ */ new Set(["name", "property", "charset", "content", "media"]),
-  noscript: /* @__PURE__ */ new Set(["textContent"]),
-  style: /* @__PURE__ */ new Set(["media", "textContent", "nonce", "title", "blocking"]),
-  script: /* @__PURE__ */ new Set(["type", "textContent", "nonce", "blocking"]),
-  link: /* @__PURE__ */ new Set(["color", "crossorigin", "fetchpriority", "href", "hreflang", "imagesrcset", "imagesizes", "integrity", "media", "referrerpolicy", "rel", "sizes", "type"])
-};
-function acceptDataAttrs(value) {
-  return Object.fromEntries(
-    Object.entries(value || {}).filter(([key]) => key === "id" || key.startsWith("data-"))
-  );
-}
-function makeTagSafe(tag) {
-  let next = {};
-  const { tag: type, props: prev } = tag;
-  switch (type) {
-    // always safe
-    case "title":
-    case "titleTemplate":
-    case "templateParams":
-      next = prev;
-      break;
-    case "htmlAttrs":
-    case "bodyAttrs":
-      WhitelistAttributes[type].forEach((attr) => {
-        if (prev[attr]) {
-          next[attr] = prev[attr];
-        }
-      });
-      break;
-    case "style":
-      next = acceptDataAttrs(prev);
-      WhitelistAttributes.style.forEach((key) => {
-        if (prev[key]) {
-          next[key] = prev[key];
-        }
-      });
-      break;
-    // meta is safe, except for http-equiv
-    case "meta":
-      WhitelistAttributes.meta.forEach((key) => {
-        if (prev[key]) {
-          next[key] = prev[key];
-        }
-      });
-      break;
-    // link tags we don't allow stylesheets, scripts, preloading, prerendering, prefetching, etc
-    case "link":
-      WhitelistAttributes.link.forEach((key) => {
-        const val = prev[key];
-        if (!val) {
-          return;
-        }
-        if (key === "rel" && (val === "canonical" || val === "modulepreload" || val === "prerender" || val === "preload" || val === "prefetch")) {
-          return;
-        }
-        if (key === "href") {
-          if (val.includes("javascript:") || val.includes("data:")) {
-            return;
-          }
-          next[key] = val;
-        } else if (val) {
-          next[key] = val;
-        }
-      });
-      if (!next.href && !next.imagesrcset || !next.rel) {
-        return false;
-      }
-      break;
-    case "noscript":
-      WhitelistAttributes.noscript.forEach((key) => {
-        if (prev[key]) {
-          next[key] = prev[key];
-        }
-      });
-      break;
-    // we only allow JSON in scripts
-    case "script":
-      if (!tag.textContent || !prev.type?.endsWith("json")) {
-        return false;
-      }
-      WhitelistAttributes.script.forEach((s) => {
-        if (prev[s] === "textContent") {
-          try {
-            const jsonVal = typeof prev[s] === "string" ? JSON.parse(prev[s]) : prev[s];
-            next[s] = JSON.stringify(jsonVal, null, 0);
-          } catch {
-          }
-        } else if (prev[s]) {
-          next[s] = prev[s];
-        }
-      });
-      break;
-  }
-  if (!Object.keys(next).length && !tag.tag.endsWith("Attrs")) {
-    return false;
-  }
-  tag.props = { ...acceptDataAttrs(prev), ...next };
-  return tag;
-}
-const SafeInputPlugin = (
-  /* @PURE */
-  defineHeadPlugin({
-    key: "safe",
-    hooks: {
-      "entries:normalize": (ctx) => {
-        if (ctx.entry.options?._safe) {
-          ctx.tags = ctx.tags.reduce((acc, tag) => {
-            const safeTag = makeTagSafe(tag);
-            if (safeTag)
-              acc.push(safeTag);
-            return acc;
-          }, []);
-        }
-      }
-    }
-  })
-);
-
-export { FlatMetaPlugin as F, SafeInputPlugin as S, defineHeadPlugin as d };