voltjs-framework 1.0.0

package/src/security/sanitizer.js

@@ -0,0 +1,113 @@
+/**
+ * VoltJS Input Sanitizer
+ * 
+ * Comprehensive input sanitization to prevent injection attacks.
+ * Handles SQL injection, NoSQL injection, path traversal, and more.
+ */
+
+'use strict';
+
+class InputSanitizer {
+  /** Sanitize request (body, query, params) */
+  static sanitizeRequest(req) {
+    if (req.body) req.body = InputSanitizer.sanitize(req.body);
+    if (req.query) req.query = InputSanitizer.sanitize(req.query);
+    if (req.params) req.params = InputSanitizer.sanitize(req.params);
+  }
+
+  /** Sanitize any value recursively */
+  static sanitize(value) {
+    if (typeof value === 'string') {
+      return InputSanitizer.sanitizeString(value);
+    }
+    if (Array.isArray(value)) {
+      return value.map(v => InputSanitizer.sanitize(v));
+    }
+    if (value && typeof value === 'object') {
+      const result = {};
+      for (const [key, val] of Object.entries(value)) {
+        // Prevent NoSQL injection via operator keys
+        const cleanKey = key.startsWith('$') ? key.slice(1) : key;
+        result[cleanKey] = InputSanitizer.sanitize(val);
+      }
+      return result;
+    }
+    return value;
+  }
+
+  /** Sanitize a string */
+  static sanitizeString(str) {
+    return str
+      // Remove null bytes
+      .replace(/\0/g, '')
+      // Prevent path traversal
+      .replace(/\.\.\//g, '')
+      .replace(/\.\.\\/g, '')
+      // Remove common SQL injection patterns
+      .replace(/('|--|;|\/\*|\*\/|xp_|UNION\s+SELECT|INSERT\s+INTO|DROP\s+TABLE|DELETE\s+FROM|UPDATE\s+.+\s+SET)/gi, '')
+      // Remove NoSQL injection operators
+      .replace(/\$(?:gt|gte|lt|lte|ne|in|nin|and|or|not|exists|regex|where|elemMatch)\b/gi, '');
+  }
+
+  /** Sanitize email */
+  static sanitizeEmail(email) {
+    return String(email)
+      .toLowerCase()
+      .trim()
+      .replace(/[^a-z0-9@._+-]/g, '');
+  }
+
+  /** Sanitize phone number */
+  static sanitizePhone(phone) {
+    return String(phone).replace(/[^0-9+\-() ]/g, '');
+  }
+
+  /** Sanitize filename */
+  static sanitizeFilename(filename) {
+    return String(filename)
+      .replace(/[^a-zA-Z0-9._-]/g, '_')
+      .replace(/\.{2,}/g, '.')
+      .replace(/^\./, '');
+  }
+
+  /** Sanitize URL */
+  static sanitizeUrl(urlStr) {
+    try {
+      const parsed = new URL(urlStr);
+      if (!['http:', 'https:'].includes(parsed.protocol)) {
+        return '';
+      }
+      return parsed.toString();
+    } catch {
+      return '';
+    }
+  }
+
+  /** Sanitize integer */
+  static sanitizeInt(value, min = -Infinity, max = Infinity) {
+    const num = parseInt(value, 10);
+    if (isNaN(num)) return 0;
+    return Math.min(Math.max(num, min), max);
+  }
+
+  /** Sanitize float */
+  static sanitizeFloat(value, decimals = 2) {
+    const num = parseFloat(value);
+    if (isNaN(num)) return 0;
+    return parseFloat(num.toFixed(decimals));
+  }
+
+  /** Strip all HTML tags */
+  static stripTags(str) {
+    return String(str).replace(/<[^>]*>/g, '');
+  }
+
+  /** Middleware: Auto-sanitize all input */
+  static middleware() {
+    return (req) => {
+      InputSanitizer.sanitizeRequest(req);
+    };
+  }
+}
+
+module.exports = { InputSanitizer };

package/src/security/xss.js

@@ -0,0 +1,110 @@
+/**
+ * VoltJS XSS Protection
+ * 
+ * Comprehensive cross-site scripting prevention.
+ * Sanitizes all input data by default.
+ */
+
+'use strict';
+
+class XSSProtection {
+  /** Sanitize a string to prevent XSS */
+  static sanitize(input) {
+    if (typeof input !== 'string') return input;
+
+    return input
+      // Remove script tags and content
+      .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '')
+      // Remove event handlers
+      .replace(/\s*on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
+      // Remove javascript: protocol
+      .replace(/javascript\s*:/gi, '')
+      // Remove data: protocol (can be used for XSS)
+      .replace(/data\s*:\s*text\/html/gi, '')
+      // Remove vbscript: protocol
+      .replace(/vbscript\s*:/gi, '')
+      // Encode dangerous characters
+      .replace(/&(?!amp;|lt;|gt;|quot;|#)/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#x27;');
+  }
+
+  /** Sanitize HTML but allow safe tags */
+  static sanitizeHtml(input, allowedTags = ['b', 'i', 'em', 'strong', 'a', 'p', 'br', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'code', 'pre', 'span', 'div']) {
+    if (typeof input !== 'string') return input;
+
+    // First, remove script tags and event handlers
+    let result = input
+      .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '')
+      .replace(/\s*on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
+      .replace(/javascript\s*:/gi, '')
+      .replace(/vbscript\s*:/gi, '');
+
+    // Remove tags not in allowed list
+    const tagPattern = /<\/?(\w+)([^>]*)>/g;
+    result = result.replace(tagPattern, (match, tag, attrs) => {
+      if (allowedTags.includes(tag.toLowerCase())) {
+        // For allowed tags, sanitize attributes
+        const safeAttrs = attrs
+          .replace(/\s*on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
+          .replace(/javascript\s*:/gi, '')
+          .replace(/style\s*=\s*(?:"[^"]*"|'[^']*')/gi, '');
+        return `<${match.startsWith('</') ? '/' : ''}${tag}${safeAttrs}>`;
+      }
+      return ''; // Remove disallowed tags
+    });
+
+    return result;
+  }
+
+  /** Sanitize an entire object recursively */
+  static sanitizeObject(obj) {
+    if (typeof obj === 'string') return XSSProtection.sanitize(obj);
+    if (Array.isArray(obj)) return obj.map(item => XSSProtection.sanitizeObject(item));
+    if (obj && typeof obj === 'object') {
+      const result = {};
+      for (const [key, value] of Object.entries(obj)) {
+        result[XSSProtection.sanitize(key)] = XSSProtection.sanitizeObject(value);
+      }
+      return result;
+    }
+    return obj;
+  }
+
+  /** Middleware: Auto-sanitize all input */
+  static middleware() {
+    return (req, res) => {
+      if (req.body && typeof req.body === 'object') {
+        req.body = XSSProtection.sanitizeObject(req.body);
+      }
+      if (req.query && typeof req.query === 'object') {
+        req.query = XSSProtection.sanitizeObject(req.query);
+      }
+      if (req.params && typeof req.params === 'object') {
+        req.params = XSSProtection.sanitizeObject(req.params);
+      }
+    };
+  }
+
+  /** Escape HTML entities */
+  static escape(str) {
+    const escapeMap = {
+      '&': '&amp;', '<': '&lt;', '>': '&gt;',
+      '"': '&quot;', "'": '&#39;', '`': '&#96;',
+    };
+    return String(str).replace(/[&<>"'`]/g, c => escapeMap[c]);
+  }
+
+  /** Unescape HTML entities */
+  static unescape(str) {
+    const unescapeMap = {
+      '&amp;': '&', '&lt;': '<', '&gt;': '>',
+      '&quot;': '"', '&#39;': "'", '&#96;': '`', '&#x27;': "'",
+    };
+    return String(str).replace(/&(?:amp|lt|gt|quot|#39|#96|#x27);/g, c => unescapeMap[c] || c);
+  }
+}
+
+module.exports = { XSSProtection };

package/src/ui/component.js

@@ -0,0 +1,224 @@
+/**
+ * VoltJS Component System
+ * 
+ * Server-side component system with reactive state, lifecycle hooks,
+ * and template rendering.
+ * 
+ * @example
+ * const { Component } = require('voltjs');
+ * 
+ * class Counter extends Component {
+ *   setup() {
+ *     this.state = { count: 0 };
+ *   }
+ *   
+ *   increment() { this.setState({ count: this.state.count + 1 }); }
+ *   
+ *   render() {
+ *     return `
+ *       <div class="counter">
+ *         <span>Count: ${this.state.count}</span>
+ *         <button volt-click="increment">+1</button>
+ *       </div>
+ *     `;
+ *   }
+ * }
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+
+class Component {
+  constructor(props = {}) {
+    this.props = Object.freeze({ ...props });
+    this.state = {};
+    this.children = '';
+    this._id = crypto.randomBytes(4).toString('hex');
+    this._mounted = false;
+    this._hooks = {
+      beforeMount: [],
+      mounted: [],
+      beforeUpdate: [],
+      updated: [],
+      beforeDestroy: [],
+      destroyed: [],
+    };
+
+    this.setup();
+  }
+
+  /** Override to initialize state and register hooks */
+  setup() {}
+
+  /** Override to return HTML string */
+  render() { return ''; }
+
+  /** Update state and trigger re-render */
+  setState(partial) {
+    this._runHooks('beforeUpdate');
+    this.state = { ...this.state, ...partial };
+    this._runHooks('updated');
+  }
+
+  /** Register lifecycle hooks */
+  onBeforeMount(fn) { this._hooks.beforeMount.push(fn); }
+  onMounted(fn) { this._hooks.mounted.push(fn); }
+  onBeforeUpdate(fn) { this._hooks.beforeUpdate.push(fn); }
+  onUpdated(fn) { this._hooks.updated.push(fn); }
+  onBeforeDestroy(fn) { this._hooks.beforeDestroy.push(fn); }
+  onDestroyed(fn) { this._hooks.destroyed.push(fn); }
+
+  /** Mount the component — returns full HTML */
+  mount() {
+    this._runHooks('beforeMount');
+    this._mounted = true;
+    const html = this.render();
+    this._runHooks('mounted');
+    return this._wrapComponent(html);
+  }
+
+  /** Destroy the component */
+  destroy() {
+    this._runHooks('beforeDestroy');
+    this._mounted = false;
+    this._runHooks('destroyed');
+  }
+
+  /** Convert to HTML string */
+  toString() {
+    return this.mount();
+  }
+
+  /** Get reactive client-side script */
+  clientScript() { return ''; }
+
+  // ===== HELPERS =====
+
+  /** Conditional rendering */
+  $if(condition, trueHtml, falseHtml = '') {
+    return condition ? trueHtml : falseHtml;
+  }
+
+  /** Loop rendering */
+  $each(items, callback) {
+    return items.map((item, index) => callback(item, index)).join('');
+  }
+
+  /** Slot rendering */
+  $slot(name, defaultContent = '') {
+    return this.props[`slot:${name}`] || defaultContent;
+  }
+
+  /** Escape HTML */
+  $escape(str) {
+    const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
+    return String(str).replace(/[&<>"']/g, c => map[c]);
+  }
+
+  /** Render a child component */
+  $component(ComponentClass, props = {}) {
+    const child = new ComponentClass(props);
+    return child.mount();
+  }
+
+  /** Generate CSS class string from object */
+  $class(classes) {
+    if (typeof classes === 'string') return classes;
+    if (Array.isArray(classes)) return classes.filter(Boolean).join(' ');
+    return Object.entries(classes).filter(([, v]) => v).map(([k]) => k).join(' ');
+  }
+
+  /** Generate style string from object */
+  $style(styles) {
+    if (typeof styles === 'string') return styles;
+    return Object.entries(styles)
+      .filter(([, v]) => v !== null && v !== undefined)
+      .map(([k, v]) => `${k.replace(/([A-Z])/g, '-$1').toLowerCase()}: ${v}`)
+      .join('; ');
+  }
+
+  // ===== INTERNAL =====
+
+  _wrapComponent(html) {
+    return `<div data-volt-component="${this.constructor.name}" data-volt-id="${this._id}">${html}</div>`;
+  }
+
+  _runHooks(name) {
+    for (const hook of this._hooks[name]) {
+      hook.call(this);
+    }
+  }
+
+  // ===== STATIC HELPERS =====
+
+  /** Create a functional component */
+  static create(name, renderFn) {
+    const CompClass = class extends Component {
+      render() { return renderFn(this.props, this.state, this); }
+    };
+    Object.defineProperty(CompClass, 'name', { value: name });
+    return CompClass;
+  }
+
+  /** Render a component to HTML string */
+  static render(ComponentClass, props = {}) {
+    const instance = new ComponentClass(props);
+    return instance.mount();
+  }
+
+  /** Create a layout component */
+  static layout(templateFn) {
+    return class extends Component {
+      render() {
+        return templateFn({ ...this.props, children: this.children }, this);
+      }
+    };
+  }
+}
+
+/** Page component with head metadata */
+class Page extends Component {
+  head() {
+    return { title: '', meta: [], links: [], scripts: [] };
+  }
+
+  renderHead() {
+    const h = this.head();
+    const parts = [];
+    if (h.title) parts.push(`<title>${this.$escape(h.title)}</title>`);
+    for (const meta of (h.meta || [])) {
+      const attrs = Object.entries(meta).map(([k, v]) => `${k}="${this.$escape(v)}"`).join(' ');
+      parts.push(`<meta ${attrs}>`);
+    }
+    for (const link of (h.links || [])) {
+      const attrs = Object.entries(link).map(([k, v]) => `${k}="${this.$escape(v)}"`).join(' ');
+      parts.push(`<link ${attrs}>`);
+    }
+    for (const script of (h.scripts || [])) {
+      if (typeof script === 'string') {
+        parts.push(`<script src="${this.$escape(script)}"></script>`);
+      } else {
+        const attrs = Object.entries(script).map(([k, v]) => `${k}="${this.$escape(v)}"`).join(' ');
+        parts.push(`<script ${attrs}></script>`);
+      }
+    }
+    return parts.join('\n    ');
+  }
+
+  toFullPage() {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    ${this.renderHead()}
+</head>
+<body>
+    ${this.mount()}
+</body>
+</html>`;
+  }
+}
+
+module.exports = { Component, Page };