| | |
|---|
| | | /*! |
|---|
| | | * shared v9.14.5 |
|---|
| | | * shared v9.14.4 |
|---|
| | | * (c) 2025 kazuya kawaguchi |
|---|
| | | * Released under the MIT License. |
|---|
| | | */ |
|---|
| | | function warn(msg, err) { |
|---|
| | | if (typeof console !== 'undefined') { |
|---|
| | | console.warn(`[intlify] ` + msg); |
|---|
| | | /* istanbul ignore if */ |
|---|
| | | if (err) { |
|---|
| | | console.warn(err.stack); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | const hasWarned = {}; |
|---|
| | | function warnOnce(msg) { |
|---|
| | | if (!hasWarned[msg]) { |
|---|
| | | hasWarned[msg] = true; |
|---|
| | | warn(msg); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Original Utilities |
|---|
| | | * written by kazuya kawaguchi |
|---|
| | |
|---|
| | | }; |
|---|
| | | function escapeHtml(rawText) { |
|---|
| | | return rawText |
|---|
| | | .replace(/&/g, '&') // escape `&` first to avoid double escaping |
|---|
| | | .replace(/</g, '<') |
|---|
| | | .replace(/>/g, '>') |
|---|
| | | .replace(/"/g, '"') |
|---|
| | | .replace(/'/g, ''') |
|---|
| | | .replace(/\//g, '/') // escape `/` to prevent closing tags or JavaScript URLs |
|---|
| | | .replace(/=/g, '='); // escape `=` to prevent attribute injection |
|---|
| | | } |
|---|
| | | function escapeAttributeValue(value) { |
|---|
| | | return value |
|---|
| | | .replace(/&(?![a-zA-Z0-9#]{2,6};)/g, '&') // escape unescaped `&` |
|---|
| | | .replace(/"/g, '"') |
|---|
| | | .replace(/'/g, ''') |
|---|
| | | .replace(/</g, '<') |
|---|
| | | .replace(/>/g, '>'); |
|---|
| | | } |
|---|
| | | function sanitizeTranslatedHtml(html) { |
|---|
| | | // Escape dangerous characters in attribute values |
|---|
| | | // Process attributes with double quotes |
|---|
| | | html = html.replace(/(\w+)\s*=\s*"([^"]*)"/g, (_, attrName, attrValue) => `${attrName}="${escapeAttributeValue(attrValue)}"`); |
|---|
| | | // Process attributes with single quotes |
|---|
| | | html = html.replace(/(\w+)\s*=\s*'([^']*)'/g, (_, attrName, attrValue) => `${attrName}='${escapeAttributeValue(attrValue)}'`); |
|---|
| | | // Detect and neutralize event handler attributes |
|---|
| | | const eventHandlerPattern = /\s*on\w+\s*=\s*["']?[^"'>]+["']?/gi; |
|---|
| | | if (eventHandlerPattern.test(html)) { |
|---|
| | | { |
|---|
| | | warn('Potentially dangerous event handlers detected in translation. ' + |
|---|
| | | 'Consider removing onclick, onerror, etc. from your translation messages.'); |
|---|
| | | } |
|---|
| | | // Neutralize event handler attributes by escaping 'on' |
|---|
| | | html = html.replace(/(\s+)(on)(\w+\s*=)/gi, '$1on$3'); |
|---|
| | | } |
|---|
| | | // Disable javascript: URLs in various contexts |
|---|
| | | const javascriptUrlPattern = [ |
|---|
| | | // In href, src, action, formaction attributes |
|---|
| | | /(\s+(?:href|src|action|formaction)\s*=\s*["']?)\s*javascript:/gi, |
|---|
| | | // In style attributes within url() |
|---|
| | | /(style\s*=\s*["'][^"']*url\s*\(\s*)javascript:/gi |
|---|
| | | ]; |
|---|
| | | javascriptUrlPattern.forEach(pattern => { |
|---|
| | | html = html.replace(pattern, '$1javascript:'); |
|---|
| | | }); |
|---|
| | | return html; |
|---|
| | | .replace(/'/g, '''); |
|---|
| | | } |
|---|
| | | const hasOwnProperty = Object.prototype.hasOwnProperty; |
|---|
| | | function hasOwn(obj, key) { |
|---|
| | |
|---|
| | | return () => ++current; |
|---|
| | | } |
|---|
| | | |
|---|
| | | function warn(msg, err) { |
|---|
| | | if (typeof console !== 'undefined') { |
|---|
| | | console.warn(`[intlify] ` + msg); |
|---|
| | | /* istanbul ignore if */ |
|---|
| | | if (err) { |
|---|
| | | console.warn(err.stack); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | const hasWarned = {}; |
|---|
| | | function warnOnce(msg) { |
|---|
| | | if (!hasWarned[msg]) { |
|---|
| | | hasWarned[msg] = true; |
|---|
| | | warn(msg); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Event emitter, forked from the below: |
|---|
| | | * - original repository url: https://github.com/developit/mitt |
|---|
| | |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | export { assign, create, createEmitter, deepCopy, escapeHtml, format, friendlyJSONstringify, generateCodeFrame, generateFormatCacheKey, getGlobalThis, hasOwn, inBrowser, incrementer, isArray, isBoolean, isDate, isEmptyObject, isFunction, isNumber, isObject, isPlainObject, isPromise, isRegExp, isString, isSymbol, join, makeSymbol, mark, measure, objectToString, sanitizeTranslatedHtml, toDisplayString, toTypeString, warn, warnOnce }; |
|---|
| | | export { assign, create, createEmitter, deepCopy, escapeHtml, format, friendlyJSONstringify, generateCodeFrame, generateFormatCacheKey, getGlobalThis, hasOwn, inBrowser, incrementer, isArray, isBoolean, isDate, isEmptyObject, isFunction, isNumber, isObject, isPlainObject, isPromise, isRegExp, isString, isSymbol, join, makeSymbol, mark, measure, objectToString, toDisplayString, toTypeString, warn, warnOnce }; |
|---|
