npm - what-core - Versions diffs - 0.6.5 → 0.6.7 - Mend

what-core 0.6.5 → 0.6.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/hooks.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+// What Framework - Hooks Type Definitions
+import { Signal } from './index.js';
+export function useState<T>(initial: T | (() => T)): [Signal<T>, (value: T | ((prev: T) => T)) => void];
+export function useSignal<T>(initial: T): Signal<T>;
+export function useComputed<T>(fn: () => T): Signal<T>;
+export function useEffect(fn: () => void | (() => void), deps?: any[]): void;
+export function useMemo<T>(fn: () => T, deps?: any[]): T;
+export function useCallback<T extends (...args: any[]) => any>(fn: T, deps?: any[]): T;
+export function useRef<T>(initial?: T): { current: T };
+export function useContext<T>(context: { _defaultValue: T }): T;
+export function createContext<T>(defaultValue?: T): { _defaultValue: T; Provider: (props: { value: T; children: any }) => any };
+export function useReducer<S, A>(reducer: (state: S, action: A) => S, initialState: S, init?: (s: S) => S): [Signal<S>, (action: A) => void];
+export function onMount(fn: () => void | (() => void)): void;
+export function onCleanup(fn: () => void): void;
+export interface Resource<T> {
+  (): T | undefined;
+  loading: Signal<boolean>;
+  error: Signal<Error | null>;
+  refetch: () => void;
+  mutate: (value: T) => void;
+}
+export function createResource<T>(fetcher: () => Promise<T>, options?: { initialValue?: T }): Resource<T>;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "what-core",
-  "version": "0.6.5",
+  "version": "0.6.7",
   "description": "What Framework - The closest framework to vanilla JS",
   "type": "module",
   "main": "src/index.js",
@@ -33,6 +33,7 @@
       "import": "./src/testing.js"
     },
     "./hooks": {
+      "types": "./hooks.d.ts",
       "import": "./src/hooks.js"
     },
     "./compiler": {
@@ -53,6 +54,7 @@
     "jsx-runtime.d.ts",
     "render.d.ts",
     "testing.d.ts",
+    "hooks.d.ts",
     "compiler.d.ts",
     "devtools.d.ts"
   ],

package/src/dom.js CHANGED Viewed

@@ -5,6 +5,7 @@
 import { effect, batch, untrack, signal, __DEV__, __devtools } from './reactive.js';
 import { reportError, _injectGetCurrentComponent, shallowEqual } from './components.js';
 import { _setComponentRef } from './helpers.js';
+import { getDomAttributeName, isSafeUrlAttributeValue } from './security.js';
 // SVG elements that need namespace
 const SVG_ELEMENTS = new Set([
@@ -588,6 +589,14 @@ function applyProps(el, newProps, oldProps, isSvg) {
 }
 function setProp(el, key, value, isSvg) {
+  // Sanitize URL attributes before property assignment or setAttribute can commit them.
+  if (!isSafeUrlAttributeValue(key, value)) {
+    if (typeof console !== 'undefined') {
+      console.warn(`[what] Blocked unsafe URL in "${key}" attribute: ${value}`);
+    }
+    el.removeAttribute(getDomAttributeName(key));
+    return;
+  }
   // Reactive function props — wrap in effect for fine-grained updates
   if (typeof value === 'function' && !(key.startsWith('on') && key.length > 2) && key !== 'ref') {
     if (!el._propEffects) el._propEffects = {};

package/src/render.js CHANGED Viewed

@@ -5,6 +5,7 @@
 import { effect, untrack, createRoot, signal, __DEV__, __devtools } from './reactive.js';
 import { createDOM, disposeTree, getCurrentComponent, getComponentStack } from './dom.js';
 import { createWhatError, collectError } from './errors.js';
+import { getDomAttributeName, isSafeUrlAttributeValue } from './security.js';
 export { effect, untrack };
@@ -22,20 +23,6 @@ export function _$createComponent(Component, props, children) {
   return createDOM({ tag: Component, props: props || {}, children: children || [], key: null, _vnode: true });
 }
-// --- URL Sanitization for DOM attributes ---
-// Rejects javascript:, data:, vbscript: protocols (case-insensitive, trimmed).
-const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'formAction']);
-function isSafeUrl(url) {
-  if (typeof url !== 'string') return true; // non-string values are not URL-injection risks
-  const normalized = url.trim().replace(/[\s\x00-\x1f]/g, '').toLowerCase();
-  if (normalized.startsWith('javascript:')) return false;
-  if (normalized.startsWith('data:')) return false;
-  if (normalized.startsWith('vbscript:')) return false;
-  return true;
-}
 // --- template(html) ---
 // Pre-parse HTML string into a <template> element. Returns a factory function
 // that clones the DOM tree via cloneNode(true) — 2-5x faster than createElement chains.
@@ -870,13 +857,12 @@ export function setProp(el, key, value) {
   if (key === 'key') return;
   // Sanitize URL attributes — reject dangerous protocols
-  if (URL_ATTRS.has(key) || URL_ATTRS.has(key.toLowerCase())) {
-    if (!isSafeUrl(value)) {
-      if (typeof console !== 'undefined') {
-        console.warn(`[what] Blocked unsafe URL in "${key}" attribute: ${value}`);
-      }
-      return;
+  if (!isSafeUrlAttributeValue(key, value)) {
+    if (typeof console !== 'undefined') {
+      console.warn(`[what] Blocked unsafe URL in "${key}" attribute: ${value}`);
     }
+    el.removeAttribute(getDomAttributeName(key));
+    return;
   }
   if (key === 'class' || key === 'className') {

package/src/security.js ADDED Viewed

@@ -0,0 +1,63 @@
+// What Framework - DOM/SSR security helpers
+// Shared by runtime render paths to keep URL-attribute handling consistent.
+const URL_ATTRS = new Set([
+  'href',
+  'src',
+  'action',
+  'formaction',
+  'poster',
+  'cite',
+  'background',
+  'xlink:href',
+]);
+const URL_LIST_ATTRS = new Set(['srcset']);
+function normalizeAttrName(name) {
+  return String(name).toLowerCase();
+}
+function normalizeUrlForProtocolCheck(url) {
+  return String(url).trim().replace(/[\s\x00-\x1f\x7f]/g, '').toLowerCase();
+}
+export function isSafeUrlValue(value) {
+  if (typeof value !== 'string') return true;
+  const normalized = normalizeUrlForProtocolCheck(value);
+  return !(
+    normalized.startsWith('javascript:') ||
+    normalized.startsWith('data:') ||
+    normalized.startsWith('vbscript:')
+  );
+}
+function isSafeSrcsetValue(value) {
+  if (typeof value !== 'string') return true;
+  return value
+    .split(',')
+    .every(candidate => {
+      const url = candidate.trim().split(/\s+/, 1)[0] || '';
+      return url === '' || isSafeUrlValue(url);
+    });
+}
+export function isUrlAttribute(name) {
+  return URL_ATTRS.has(normalizeAttrName(name));
+}
+export function isUrlListAttribute(name) {
+  return URL_LIST_ATTRS.has(normalizeAttrName(name));
+}
+export function isSafeUrlAttributeValue(name, value) {
+  if (isUrlListAttribute(name)) return isSafeSrcsetValue(value);
+  if (isUrlAttribute(name)) return isSafeUrlValue(value);
+  return true;
+}
+export function getDomAttributeName(name) {
+  if (name === 'className') return 'class';
+  if (name === 'htmlFor') return 'for';
+  return normalizeAttrName(name) === 'formaction' ? 'formaction' : name;
+}