web-manager 4.1.35 → 4.1.37

package/CHANGELOG.md

@@ -14,6 +14,33 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+---
+## [4.1.37] - 2026-04-05
+### Added
+- Added `_resolveUsage()` to auth module that merges account usage data with plan limits from config, exposed as a top-level `usage` binding context.
+- Added `payment.processors` and `payment.plans` defaults to configuration.
+
+## [4.1.36] - 2026-04-02
+### Fixed
+- Fixed mocha binary path preventing `npm test` from running.
+- Fixed lodash ESM named import incompatibility with Node.js (`storage.js`).
+- Fixed test suite calling nonexistent API methods (`init` → `initialize`, `storage('local')` → `storage()`).
+- Fixed mocha hanging after tests due to `setInterval` in version checker (added `--exit` flag).
+
+### Changed
+- Enhanced `escapeHTML` to recursively handle objects, arrays, and pass through non-string types.
+- Rewrote `showNotification` to use safe DOM construction (`textContent`) instead of `innerHTML`.
+- Split monolithic `test.js` into 8 modular test files under `test/tests/`.
+- Expanded test coverage from ~10 broken tests to 70 passing tests.
+
+### Security
+- Blocked `javascript:` protocol in `@attr` bindings for URL attributes (`href`, `src`, `action`, `formaction`).
+
+---
+## [4.1.35] - 2026-04-02
+### Changed
+- Bumped `chatsy` from `^2.0.13` to `^2.0.14`.
+
 ---
 ## [4.1.34] - 2026-04-01
 ### Changed

package/dist/index.js

@@ -296,6 +296,10 @@ class Manager {
         FIREBASE_EMULATOR_CONNECT: false,
       },
       validRedirectHosts: [],
+      payment: {
+        processors: {},
+        plans: [],
+      },
 
       // Non-configurable defaults
       refreshNewVersion: {

package/dist/modules/auth.js

@@ -164,8 +164,12 @@ class Auth {
 
       // Update bindings and storage once per auth state change
       if (!this._hasProcessedStateChange) {
-        this.manager.bindings().update({ auth: state });
+        this.manager.bindings().update({
+          auth: state,
+          usage: this._resolveUsage(state),
+        });
         this.manager.storage().set('auth', state);
+
         this._hasProcessedStateChange = true;
       }
 
@@ -252,6 +256,29 @@ class Auth {
     };
   }
 
+  // Resolve usage bindings from account data + plan limits from config.
+  // Returns: { credits: { monthly: 5, limit: 100 }, ... }
+  _resolveUsage(state) {
+    const accountUsage = state.account?.usage || {};
+    const plan = state.resolved?.plan || 'basic';
+    const plans = this.manager.config.payment?.plans || [];
+    const planConfig = plans.find(p => p.id === plan) || {};
+    const limits = planConfig.limits || {};
+
+    // Merge current usage with limits for each feature
+    const usage = {};
+    const keys = new Set([...Object.keys(accountUsage), ...Object.keys(limits)]);
+
+    for (const key of keys) {
+      usage[key] = {
+        ...(accountUsage[key] || {}),
+        limit: limits[key] || 0,
+      };
+    }
+
+    return usage;
+  }
+
   // Get ID token for the current user
   async getIdToken(forceRefresh = false) {
     try {

package/dist/modules/bindings.js

@@ -150,6 +150,14 @@ class Bindings {
         const attrValue = this._resolvePath(context, attrExpression) || '';
 
         if (attrValue) {
+          // Block javascript: protocol on URL attributes to prevent XSS
+          const URL_ATTRS = ['href', 'src', 'action', 'formaction'];
+          if (URL_ATTRS.includes(attrName.toLowerCase())
+            && /^\s*javascript\s*:/i.test(String(attrValue))) {
+            console.warn(`[Bindings] Blocked javascript: URL in @attr ${attrName}`);
+            return true;
+          }
+
           element.setAttribute(attrName, attrValue);
         } else {
           element.removeAttribute(attrName);

package/dist/modules/storage.js

@@ -1,4 +1,5 @@
-import { get as _get, set as _set } from 'lodash';
+import lodash from 'lodash';
+const { get: _get, set: _set } = lodash;
 
 class Storage {
   constructor() {

package/dist/modules/utilities.js

@@ -37,26 +37,48 @@ class Utilities {
   }
 
   // Escape HTML to prevent XSS
-  escapeHTML(str) {
-    if (typeof str !== 'string') {
-      return '';
+  // Accepts a string, object, or array — walks recursively, escaping all string values
+  escapeHTML(input) {
+    // Strings — escape and return
+    if (typeof input === 'string') {
+      this._shadowElement = this._shadowElement || document.createElement('p');
+      this._shadowElement.innerHTML = '';
+
+      // This automatically escapes HTML entities like <, >, &, etc.
+      this._shadowElement.appendChild(document.createTextNode(input));
+
+      // This is needed to escape quotes to prevent attribute injection
+      return this._shadowElement.innerHTML.replace(/["']/g, (m) => {
+        switch (m) {
+          case '"':
+            return '&quot;';
+          default:
+            return '&#039;';
+        }
+      });
     }
 
-    this._shadowElement = this._shadowElement || document.createElement('p');
-    this._shadowElement.innerHTML = '';
+    // Null/undefined — pass through
+    if (input == null) {
+      return input;
+    }
 
-    // This automatically escapes HTML entities like <, >, &, etc.
-    this._shadowElement.appendChild(document.createTextNode(str));
+    // Arrays — recurse each item
+    if (Array.isArray(input)) {
+      return input.map(item => this.escapeHTML(item));
+    }
 
-    // This is needed to escape quotes to prevent attribute injection
-    return this._shadowElement.innerHTML.replace(/["']/g, (m) => {
-      switch (m) {
-        case '"':
-          return '&quot;';
-        default:
-          return '&#039;';
+    // Objects — shallow clone, recurse each value
+    if (typeof input === 'object') {
+      const result = {};
+      for (const [key, value] of Object.entries(input)) {
+        result[key] = this.escapeHTML(value);
       }
-    });
+      return result;
+    }
+
+    // Numbers, booleans, etc. — pass through unchanged
+    return input;
   }
 
   // Show notification
@@ -83,10 +105,17 @@ class Utilities {
     const $notification = document.createElement('div');
     $notification.className = `alert alert-${type} alert-dismissible fade show position-fixed`;
     $notification.style.cssText = 'z-index: 9999; top: 1rem; left: 50%; transform: translateX(-50%);';
-    $notification.innerHTML = `
-      ${text}
-      <button type="button" class="btn-close" data-bs-dismiss="alert"></button>
-    `;
+
+    const $text = document.createElement('span');
+    $text.textContent = text;
+
+    const $closeBtn = document.createElement('button');
+    $closeBtn.type = 'button';
+    $closeBtn.className = 'btn-close';
+    $closeBtn.setAttribute('data-bs-dismiss', 'alert');
+
+    $notification.appendChild($text);
+    $notification.appendChild($closeBtn);
 
     document.body.appendChild($notification);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "web-manager",
-  "version": "4.1.35",
+  "version": "4.1.37",
   "description": "Easily access important variables such as the query string, current domain, and current page in a single object.",
   "main": "dist/index.js",
   "module": "src/index.js",
@@ -11,8 +11,7 @@
   },
   "scripts": {
     "start": "npm run prepare:watch",
-    "test": "./node_modules/mocha/bin/mocha test/ --recursive --timeout=10000",
-    "test_": "npm run prepare && ./node_modules/mocha/bin/mocha test/ --recursive --timeout=10000",
+    "test": "npm run prepare && mocha --require ./test/setup.js --require ./test/helpers.js 'test/tests/**/*.test.js' --timeout=10000 --exit",
     "prepare_": "node -e 'require(`prepare-package`)()'",
     "prepare": "node -e \"require('prepare-package')()\"",
     "prepare:watch": "node -e \"require('prepare-package/watch')()\""