web-manager 4.1.37 → 4.1.38
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/CLAUDE.md +8 -2
- package/dist/modules/utilities.js +20 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -15,6 +15,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
|
15
15
|
- `Security` in case of vulnerabilities.
|
|
16
16
|
|
|
17
17
|
---
|
|
18
|
+
## [4.1.38] - 2026-04-08
|
|
19
|
+
### Added
|
|
20
|
+
- Added `sanitizeURL()` utility method that validates URLs against dangerous URI schemes (javascript:, data:, etc.), allowing only http: and https: protocols.
|
|
21
|
+
|
|
18
22
|
## [4.1.37] - 2026-04-05
|
|
19
23
|
### Added
|
|
20
24
|
- Added `_resolveUsage()` to auth module that merges account usage data with plan limits from config, exposed as a top-level `usage` binding context.
|
package/CLAUDE.md
CHANGED
|
@@ -152,7 +152,8 @@ document.body.addEventListener('click', (e) => {
|
|
|
152
152
|
### Auth (`auth.js`)
|
|
153
153
|
- **Class**: `Auth`
|
|
154
154
|
- **Key Methods**: `listen(options, callback)`, `isAuthenticated()`, `getUser()`, `signInWithEmailAndPassword()`, `signOut()`, `getIdToken()`, `resolveSubscription(account?)`
|
|
155
|
-
- **Bindings**: Updates `auth
|
|
155
|
+
- **Bindings**: Updates `auth` and `usage` context on auth settle
|
|
156
|
+
- **Usage Resolution**: `_resolveUsage(state)` merges `account.usage` (Firestore) with plan limits from `config.payment.plans` to produce the `usage` bindings key (e.g., `{ credits: { monthly: 5, limit: 100 } }`)
|
|
156
157
|
|
|
157
158
|
#### resolveSubscription(account?)
|
|
158
159
|
Derives calculated subscription fields from raw account data. Returns only fields that require derivation logic — raw data (product.id, status, trial, cancellation) lives on `account.subscription` directly.
|
|
@@ -268,9 +269,14 @@ Current test coverage is minimal - focuses on configuration and storage.
|
|
|
268
269
|
|
|
269
270
|
### Modifying Configuration Defaults
|
|
270
271
|
1. Edit `_processConfiguration()` in `src/index.js`
|
|
271
|
-
2. Add to `defaults` object
|
|
272
|
+
2. Add to `defaults` object (e.g., `payment: { processors: {}, plans: [] }`)
|
|
272
273
|
3. Document in README.md Configuration section
|
|
273
274
|
|
|
275
|
+
### Payment Configuration
|
|
276
|
+
Payment config is set in `_config.yml` under `web_manager.payment` and includes:
|
|
277
|
+
- `processors`: Stripe, PayPal, etc. (publishable keys)
|
|
278
|
+
- `plans`: Array of `{ id, limits: { feature: N } }` used to resolve usage limits on the frontend
|
|
279
|
+
|
|
274
280
|
### Adding a Data Binding Action
|
|
275
281
|
1. Edit `_executeAction()` in `src/modules/bindings.js`
|
|
276
282
|
2. Add case for new action (e.g., `@class`)
|
|
@@ -81,6 +81,26 @@ class Utilities {
|
|
|
81
81
|
return input;
|
|
82
82
|
}
|
|
83
83
|
|
|
84
|
+
// Sanitize URL to prevent javascript:, data:, and other dangerous URI schemes
|
|
85
|
+
// Returns the original URL if safe, or '' if rejected
|
|
86
|
+
sanitizeURL(url) {
|
|
87
|
+
if (!url || typeof url !== 'string') {
|
|
88
|
+
return '';
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
try {
|
|
92
|
+
const parsed = new URL(url, window.location.origin);
|
|
93
|
+
|
|
94
|
+
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
|
|
95
|
+
return '';
|
|
96
|
+
}
|
|
97
|
+
|
|
98
|
+
return url;
|
|
99
|
+
} catch (e) {
|
|
100
|
+
return '';
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
|
|
84
104
|
// Show notification
|
|
85
105
|
showNotification(message, options = {}) {
|
|
86
106
|
// Handle different input types
|
package/package.json
CHANGED