what-core 0.6.5 → 0.6.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/compiler.js +59 -15
- package/dist/compiler.js.map +3 -3
- package/dist/compiler.min.js +1 -1
- package/dist/compiler.min.js.map +4 -4
- package/dist/index.js +59 -15
- package/dist/index.js.map +3 -3
- package/dist/index.min.js +5 -5
- package/dist/index.min.js.map +4 -4
- package/dist/render.js +59 -15
- package/dist/render.js.map +3 -3
- package/dist/render.min.js +2 -2
- package/dist/render.min.js.map +4 -4
- package/dist/testing.js +54 -0
- package/dist/testing.js.map +3 -3
- package/dist/testing.min.js +1 -1
- package/dist/testing.min.js.map +4 -4
- package/hooks.d.ts +25 -0
- package/package.json +3 -1
- package/src/dom.js +9 -0
- package/src/render.js +6 -20
- package/src/security.js +63 -0
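--- a/package/dist/testing.js
+++ b/package/dist/testing.js
@@ -462,6 +462,53 @@ function _setComponentRef(fn) {
 _getCurrentComponentRef = fn;
 }
 
+// packages/core/src/security.js
+var URL_ATTRS = /* @__PURE__ */ new Set([
+"href",
+"src",
+"action",
+"formaction",
+"poster",
+"cite",
+"background",
+"xlink:href"
+]);
+var URL_LIST_ATTRS = /* @__PURE__ */ new Set(["srcset"]);
+function normalizeAttrName(name) {
+return String(name).toLowerCase();
+}
+function normalizeUrlForProtocolCheck(url) {
+return String(url).trim().replace(/[\s\x00-\x1f\x7f]/g, "").toLowerCase();
+}
+function isSafeUrlValue(value) {
+if (typeof value !== "string") return true;
+const normalized = normalizeUrlForProtocolCheck(value);
+return !(normalized.startsWith("javascript:") || normalized.startsWith("data:") || normalized.startsWith("vbscript:"));
+}
+function isSafeSrcsetValue(value) {
+if (typeof value !== "string") return true;
+return value.split(",").every((candidate) => {
+const url = candidate.trim().split(/\s+/, 1)[0] || "";
+return url === "" || isSafeUrlValue(url);
+});
+}
+function isUrlAttribute(name) {
+return URL_ATTRS.has(normalizeAttrName(name));
+}
+function isUrlListAttribute(name) {
+return URL_LIST_ATTRS.has(normalizeAttrName(name));
+}
+function isSafeUrlAttributeValue(name, value) {
+if (isUrlListAttribute(name)) return isSafeSrcsetValue(value);
+if (isUrlAttribute(name)) return isSafeUrlValue(value);
+return true;
+}
+function getDomAttributeName(name) {
+if (name === "className") return "class";
+if (name === "htmlFor") return "for";
+return normalizeAttrName(name) === "formaction" ? "formaction" : name;
+}
+
 // packages/core/src/dom.js
 var SVG_ELEMENTS = /* @__PURE__ */ new Set([
 "svg",
@@ -949,6 +996,13 @@ function applyProps(el, newProps, oldProps, isSvg) {
 }
 }
 function setProp(el, key, value, isSvg) {
+if (!isSafeUrlAttributeValue(key, value)) {
+if (typeof console !== "undefined") {
+console.warn(`[what] Blocked unsafe URL in "${key}" attribute: ${value}`);
+}
+el.removeAttribute(getDomAttributeName(key));
+return;
+}
 if (typeof value === "function" && !(key.startsWith("on") && key.length > 2) && key !== "ref") {
 if (!el._propEffects) el._propEffects = {};
 if (el._propEffects[key]) {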
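Review bot: `isSafeUrlValue` and `isSafeSrcsetValue` both short-circuit to `true` for any non-string `value`, so an object such as a `URL` instance is never normalized or scheme-checked, and since the DOM coerces it to a string when the attribute is applied (the attribute-setting part of `setProp` continues outside this hunk, so I am inferring the path), the guard in `setProp` only covers the string case; consider `if (value == null || typeof value === "boolean" || typeof value === "function") return true;` followed by `const normalized = normalizeUrlForProtocolCheck(String(value));`, and the same coercion in `isSafeSrcsetValue`. The `.trim()` in `normalizeUrlForProtocolCheck` is redundant because the following `replace` already strips all whitespace. Note also that the scheme blocklist rejects every `data:` value, so legitimate `data:image/*` sources in `src`/`poster` will now be removed with a warning; an allowlist of permitted schemes (plus relative URLs) would be both tighter and less surprising, and the warning should probably not echo the full rejected value into the console.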