
fast-xml-parser


Validate XML, Parse XML, Build XML without C/C++ based libraries

!function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.XMLParser=e():t.XMLParser=e()}(this,()=>(()=>{"use strict";var t={d:(e,r)=>{for(var i in r)t.o(r,i)&&!t.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:r[i]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{default:()=>Qt});var r=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",i=new RegExp("^["+r+"]["+r+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function n(t,e){for(var r=[],i=e.exec(t);i;){var n=[];n.startIndex=e.lastIndex-i[0].length;for(var a=i.length,s=0;s<a;s++)n.push(i[s]);r.push(n),i=e.exec(t)}return r}var a=function(t){return!(null==i.exec(t))},s=["hasOwnProperty","toString","valueOf","__defineGetter__","__defineSetter__","__lookupGetter__","__lookupSetter__"],o=["__proto__","constructor","prototype"],l=function(t){return s.includes(t)?"__"+t:t},c={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0,unicode:!1},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:function(){return!1},commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,entityDecoder:null,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,r){return 
t},captureMetaData:!1,maxNestedTags:100,strictReservedNames:!0,jPath:!0,onDangerousProperty:l};function p(t,e){if("string"==typeof t){var r=t.toLowerCase();if(s.some(function(t){return r===t.toLowerCase()}))throw new Error("[SECURITY] Invalid "+e+': "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution');if(o.some(function(t){return r===t.toLowerCase()}))throw new Error("[SECURITY] Invalid "+e+': "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution')}}function d(t,e){return"boolean"==typeof t?{enabled:t,maxEntitySize:1e4,maxExpansionDepth:1e4,maxTotalExpansions:1/0,maxExpandedLength:1e5,maxEntityCount:1e3,allowedTags:null,tagFilter:null,appliesTo:"all"}:"object"==typeof t&&null!==t?{enabled:!1!==t.enabled,maxEntitySize:Math.max(1,null!=(r=t.maxEntitySize)?r:1e4),maxExpansionDepth:Math.max(1,null!=(i=t.maxExpansionDepth)?i:1e4),maxTotalExpansions:Math.max(1,null!=(n=t.maxTotalExpansions)?n:1/0),maxExpandedLength:Math.max(1,null!=(a=t.maxExpandedLength)?a:1e5),maxEntityCount:Math.max(1,null!=(s=t.maxEntityCount)?s:1e3),allowedTags:null!=(o=t.allowedTags)?o:null,tagFilter:null!=(l=t.tagFilter)?l:null,appliesTo:null!=(c=t.appliesTo)?c:"all"}:d(!0);var r,i,n,a,s,o,l,c}var h,u=function(t){for(var e=Object.assign({},c,t),r=0,i=[{value:e.attributeNamePrefix,name:"attributeNamePrefix"},{value:e.attributesGroupName,name:"attributesGroupName"},{value:e.textNodeName,name:"textNodeName"},{value:e.cdataPropName,name:"cdataPropName"},{value:e.commentPropName,name:"commentPropName"}];r<i.length;r++){var n=i[r],a=n.value,s=n.name;a&&p(a,s)}return null===e.onDangerousProperty&&(e.onDangerousProperty=l),e.processEntities=d(e.processEntities,e.htmlEntities),e.unpairedTagsSet=new Set(e.unpairedTags),e.stopNodes&&Array.isArray(e.stopNodes)&&(e.stopNodes=e.stopNodes.map(function(t){return"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t})),e};h="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");var 
f=function(){function t(t){this.tagname=t,this.child=[],this[":@"]=Object.create(null)}var e=t.prototype;return e.add=function(t,e){var r;"__proto__"===t&&(t="#__proto__"),this.child.push(((r={})[t]=e,r))},e.addChild=function(t,e){var r,i;"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push(((r={})[t.tagname]=t.child,r[":@"]=t[":@"],r)):this.child.push(((i={})[t.tagname]=t.child,i)),void 0!==e&&(this.child[this.child.length-1][h]={startIndex:e})},t.getMetaDataSymbol=function(){return h},t}();const g=":A-Za-z_À-ÖØ-öø-˿Ͱ-ͽͿ-҆҈-῿‌-‍⁰-↏Ⰰ-⿯、-퟿豈-﷏ﷰ-�",m=":A-Za-z_À-˿Ͱ-ͽͿ-҆҈-῿‌-‍⁰-↏Ⰰ-⿯、-퟿豈-﷏ﷰ-�𐀀-󯿿",v=m+"\\-\\.\\d·̀-ͯ҇‿-⁀",x=(t,e,r="")=>{const i=`[${t.replace(":","")}][${e.replace(":","")}]*`;return{name:new RegExp(`^[${t}][${e}]*$`,r),ncName:new RegExp(`^${i}$`,r),qName:new RegExp(`^${i}(?::${i})?$`,r),nmToken:new RegExp(`^[${e}]+$`,r),nmTokens:new RegExp(`^[${e}]+(?:\\s+[${e}]+)*$`,r)}},b=x(g,g+"\\-\\.\\d·̀-ͯ‿-⁀"),y=x(m,v,"u"),E=(t,{xmlVersion:e="1.0"}={})=>((t="1.0")=>"1.1"===t?y:b)(e).qName.test(t);var w=function(){function t(t,e){this.suppressValidationErr=!t,this.options=t,this.xmlVersion=e||1}var e=t.prototype;return e.setXmlVersion=function(t){void 0===t&&(t=1),this.xmlVersion=t},e.readDocType=function(t,e){var r=Object.create(null),i=0;if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");e+=9;for(var n=1,a=!1,s=!1;e<t.length;e++)if("<"!==t[e]||s)if(">"===t[e]){if(s?"-"===t[e-1]&&"-"===t[e-2]&&(s=!1,n--):n--,0===n)break}else"["===t[e]?a=!0:t[e];else{if(a&&N(t,"!ENTITY",e)){e+=7;var o,l=void 0,c=this.readEntityExp(t,e+1,this.suppressValidationErr);if(o=c[0],l=c[1],e=c[2],-1===l.indexOf("&")){if(!1!==this.options.enabled&&null!=this.options.maxEntityCount&&i>=this.options.maxEntityCount)throw new Error("Entity count ("+(i+1)+") exceeds maximum allowed ("+this.options.maxEntityCount+")");r[o]=l,i++}}else 
if(a&&N(t,"!ELEMENT",e))e+=8,e=this.readElementExp(t,e+1).index;else if(a&&N(t,"!ATTLIST",e))e+=8;else if(a&&N(t,"!NOTATION",e))e+=9,e=this.readNotationExp(t,e+1,this.suppressValidationErr).index;else{if(!N(t,"!--",e))throw new Error("Invalid DOCTYPE");s=!0}n++}if(0!==n)throw new Error("Unclosed DOCTYPE");return{entities:r,i:e}},e.readEntityExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e])&&'"'!==t[e]&&"'"!==t[e];)e++;var i=t.substring(r,e);if(_(i,{xmlVersion:this.xmlVersion}),e=S(t,e),!this.suppressValidationErr){if("SYSTEM"===t.substring(e,e+6).toUpperCase())throw new Error("External entities are not supported");if("%"===t[e])throw new Error("Parameter entities are not supported")}var n,a=this.readIdentifierVal(t,e,"entity");if(e=a[0],n=a[1],!1!==this.options.enabled&&null!=this.options.maxEntitySize&&n.length>this.options.maxEntitySize)throw new Error('Entity "'+i+'" size ('+n.length+") exceeds maximum allowed size ("+this.options.maxEntitySize+")");return[i,n,--e]},e.readNotationExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var i=t.substring(r,e);!this.suppressValidationErr&&_(i,{xmlVersion:this.xmlVersion}),e=S(t,e);var n=t.substring(e,e+6).toUpperCase();if(!this.suppressValidationErr&&"SYSTEM"!==n&&"PUBLIC"!==n)throw new Error('Expected SYSTEM or PUBLIC, found "'+n+'"');e+=n.length,e=S(t,e);var a=null,s=null;if("PUBLIC"===n){var o=this.readIdentifierVal(t,e,"publicIdentifier");if(e=o[0],a=o[1],'"'===t[e=S(t,e)]||"'"===t[e]){var l=this.readIdentifierVal(t,e,"systemIdentifier");e=l[0],s=l[1]}}else if("SYSTEM"===n){var c=this.readIdentifierVal(t,e,"systemIdentifier");if(e=c[0],s=c[1],!this.suppressValidationErr&&!s)throw new Error("Missing mandatory system identifier for SYSTEM notation")}return{notationName:i,publicIdentifier:a,systemIdentifier:s,index:--e}},e.readIdentifierVal=function(t,e,r){var i,n=t[e];if('"'!==n&&"'"!==n)throw new Error('Expected quoted string, found "'+n+'"');for(var 
a=++e;e<t.length&&t[e]!==n;)e++;if(i=t.substring(a,e),t[e]!==n)throw new Error("Unterminated "+r+" value");return[++e,i]},e.readElementExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var i=t.substring(r,e);if(!this.suppressValidationErr&&!E(i,{xmlVersion:this.xmlVersion}))throw new Error('Invalid element name: "'+i+'"');var n="";if("E"===t[e=S(t,e)]&&N(t,"MPTY",e))e+=4;else if("A"===t[e]&&N(t,"NY",e))e+=2;else if("("===t[e]){for(var a=++e;e<t.length&&")"!==t[e];)e++;if(n=t.substring(a,e),")"!==t[e])throw new Error("Unterminated content model")}else if(!this.suppressValidationErr)throw new Error('Invalid Element Expression, found "'+t[e]+'"');return{elementName:i,contentModel:n.trim(),index:e}},e.readAttlistExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var i=t.substring(r,e);for(_(i,{xmlVersion:this.xmlVersion}),r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var n=t.substring(r,e);if(!_(n,{xmlVersion:this.xmlVersion}))throw new Error('Invalid attribute name: "'+n+'"');e=S(t,e);var a="";if("NOTATION"===t.substring(e,e+8).toUpperCase()){if(a="NOTATION","("!==t[e=S(t,e+=8)])throw new Error("Expected '(', found \""+t[e]+'"');e++;for(var s=[];e<t.length&&")"!==t[e];){for(var o=e;e<t.length&&"|"!==t[e]&&")"!==t[e];)e++;var l=t.substring(o,e);if(!_(l=l.trim(),{xmlVersion:this.xmlVersion}))throw new Error('Invalid notation name: "'+l+'"');s.push(l),"|"===t[e]&&(e++,e=S(t,e))}if(")"!==t[e])throw new Error("Unterminated list of notations");e++,a+=" ("+s.join("|")+")"}else{for(var c=e;e<t.length&&!/\s/.test(t[e]);)e++;if(a+=t.substring(c,e),!this.suppressValidationErr&&!["CDATA","ID","IDREF","IDREFS","ENTITY","ENTITIES","NMTOKEN","NMTOKENS"].includes(a.toUpperCase()))throw new Error('Invalid attribute type: "'+a+'"')}e=S(t,e);var p="";if("#REQUIRED"===t.substring(e,e+8).toUpperCase())p="#REQUIRED",e+=8;else if("#IMPLIED"===t.substring(e,e+7).toUpperCase())p="#IMPLIED",e+=7;else{var 
d=this.readIdentifierVal(t,e,"ATTLIST");e=d[0],p=d[1]}return{elementName:i,attributeName:n,attributeType:a,defaultValue:p,index:e}},t}(),S=function(t,e){for(;e<t.length&&/\s/.test(t[e]);)e++;return e};function N(t,e,r){for(var i=0;i<e.length;i++)if(e[i]!==t[r+i+1])return!1;return!0}function _(t,e){if(E(t,{xmlVersion:e}))return t;throw new Error("Invalid entity name "+t)}const T=[48,1632,1776,2406,2534,2662,2790,2918,3046,3174,3302,3430,3558,3664,3792,3872,4160,4240,6112,6160,6470,6608,6784,6800,6992,7088,7232,7248,65296,120782,120792,120802,120812,120822,66720,68912,69734,69872,69942,70096,70384,70736,70864,71248,71360,71472,71904,72016,72688,72784,73040,73120,73552,92768,92864,93008,123200,123632,124144,125264,130032],A=new Map,C=1632,I=new Uint8Array(63904).fill(255);for(const t of T)for(let e=0;e<10;e++){const r=t+e;r<=65535?I[r-C]=e:A.set(r,e)}const j=new Set([8722,65293,65123]),O=/^[-+]?0x[a-fA-F0-9]+$/,k=/^0b[01]+$/,D=/^0o[0-7]+$/,L=/^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/,$={hex:!0,binary:!1,octal:!1,leadingZeros:!0,decimalPoint:".",eNotation:!0,infinity:"original",unicode:!1};function P(t,e={}){if(e=Object.assign({},$,e),!t||"string"!=typeof t)return t;let r=t.trim();if(0===r.length)return t;if(void 0!==e.skipLike&&e.skipLike.test(r))return t;if("0"===r)return 0;if(e.unicode&&(r=function(t){if("string"!=typeof t)return t;const e=t.length;if(0===e)return t;let r=-1;for(let i=0;i<e;i++){const n=t.charCodeAt(i);if(!(n>=48&&n<=57||45===n))if(n<C){if(j.has(n)){r=i;break}}else if(n>=55296&&n<=56319){if(i+1<e){const e=t.charCodeAt(i+1);if(e>=56320&&e<=57343){const t=65536+(n-55296<<10)+(e-56320);if(A.has(t)){r=i;break}}}}else if(255!==I[n-C]||j.has(n)){r=i;break}}if(-1===r)return t;const i=[];r>0&&i.push(t.slice(0,r));for(let n=r;n<e;n++){const r=t.charCodeAt(n);if(r>=48&&r<=57||45===r){i.push(t[n]);continue}if(r<C){i.push(j.has(r)?"-":t[n]);continue}if(r>=55296&&r<=56319){if(n+1<e){const e=t.charCodeAt(n+1);if(e>=56320&&e<=57343){const 
t=65536+(r-55296<<10)+(e-56320),a=A.get(t);if(void 0!==a){i.push(String.fromCharCode(a+48)),n++;continue}}}i.push(t[n]);continue}if(j.has(r)){i.push("-");continue}const a=I[r-C];i.push(255!==a?String.fromCharCode(a+48):t[n])}return i.join("")}(r),"0"===r))return 0;if(e.hex&&O.test(r))return R(r,16);if(e.binary&&k.test(r))return R(r,2);if(e.octal&&D.test(r))return R(r,8);if(isFinite(r)){if(r.includes("e")||r.includes("E"))return function(t,e,r){if(!r.eNotation)return t;const i=e.match(M);if(i){let n=i[1]||"";const a=-1===i[3].indexOf("e")?"E":"e",s=i[2],o=n?t[s.length+1]===a:t[s.length]===a;return s.length>1&&o?t:(1!==s.length||!i[3].startsWith(`.${a}`)&&i[3][0]!==a)&&s.length>0?r.leadingZeros&&!o?(e=(i[1]||"")+i[3],Number(e)):t:Number(e)}return t}(t,r,e);{const n=L.exec(r);if(n){const a=n[1]||"",s=n[2];let o=(i=n[3])&&-1!==i.indexOf(".")?("."===(i=i.replace(/0+$/,""))?i="0":"."===i[0]?i="0"+i:"."===i[i.length-1]&&(i=i.substring(0,i.length-1)),i):i;const l=a?"."===t[s.length+1]:"."===t[s.length];if(!e.leadingZeros&&(s.length>1||1===s.length&&!l))return t;{const i=Number(r),n=String(i);if(0===i)return i;if(-1!==n.search(/[eE]/))return e.eNotation?i:t;if(-1!==r.indexOf("."))return"0"===n||n===o||n===`${a}${o}`?i:t;let l=s?o:r;return s?l===n||a+l===n?i:t:l===n||l===a+n?i:t}}return t}}var i;return function(t,e,r){const i=e===1/0;switch(r.infinity.toLowerCase()){case"null":return null;case"infinity":return e;case"string":return i?"Infinity":"-Infinity";default:return t}}(t,Number(r),e)}const M=/^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;function R(t,e){const r=t.trim();if(2!==e&&8!==e||(t=r.substring(2)),parseInt)return parseInt(t,e);if(Number.parseInt)return Number.parseInt(t,e);if(window&&window.parseInt)return window.parseInt(t,e);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}function V(t,e){(null==e||e>t.length)&&(e=t.length);for(var r=0,i=Array(e);r<e;r++)i[r]=t[r];return i}class q{constructor(t){this._matcher=t}get separator(){return 
this._matcher.separator}getCurrentTag(){const t=this._matcher.path;return t.length>0?t[t.length-1].tag:void 0}getCurrentNamespace(){const t=this._matcher.path;return t.length>0?t[t.length-1].namespace:void 0}getAttrValue(t){const e=this._matcher.path;if(0!==e.length)return e[e.length-1].values?.[t]}hasAttr(t){const e=this._matcher.path;if(0===e.length)return!1;const r=e[e.length-1];return void 0!==r.values&&t in r.values}getPosition(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].position??0}getCounter(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this._matcher.path.length}toString(t,e=!0){return this._matcher.toString(t,e)}toArray(){return this._matcher.path.map(t=>t.tag)}matches(t){return this._matcher.matches(t)}matchesAny(t){return t.matchesAny(this._matcher)}}class U{constructor(t={}){this.separator=t.separator||".",this.path=[],this.siblingStacks=[],this._pathStringCache=null,this._view=new q(this)}push(t,e=null,r=null){this._pathStringCache=null,this.path.length>0&&(this.path[this.path.length-1].values=void 0);const i=this.path.length;this.siblingStacks[i]||(this.siblingStacks[i]=new Map);const n=this.siblingStacks[i],a=r?`${r}:${t}`:t,s=n.get(a)||0;let o=0;for(const t of n.values())o+=t;n.set(a,s+1);const l={tag:t,position:o,counter:s};null!=r&&(l.namespace=r),null!=e&&(l.values=e),this.path.push(l)}pop(){if(0===this.path.length)return;this._pathStringCache=null;const t=this.path.pop();return this.siblingStacks.length>this.path.length+1&&(this.siblingStacks.length=this.path.length+1),t}updateCurrent(t){if(this.path.length>0){const e=this.path[this.path.length-1];null!=t&&(e.values=t)}}getCurrentTag(){return this.path.length>0?this.path[this.path.length-1].tag:void 0}getCurrentNamespace(){return this.path.length>0?this.path[this.path.length-1].namespace:void 0}getAttrValue(t){if(0!==this.path.length)return 
this.path[this.path.length-1].values?.[t]}hasAttr(t){if(0===this.path.length)return!1;const e=this.path[this.path.length-1];return void 0!==e.values&&t in e.values}getPosition(){return 0===this.path.length?-1:this.path[this.path.length-1].position??0}getCounter(){return 0===this.path.length?-1:this.path[this.path.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this.path.length}toString(t,e=!0){const r=t||this.separator;if(r===this.separator&&!0===e){if(null!==this._pathStringCache)return this._pathStringCache;const t=this.path.map(t=>t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(r);return this._pathStringCache=t,t}return this.path.map(t=>e&&t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(r)}toArray(){return this.path.map(t=>t.tag)}reset(){this._pathStringCache=null,this.path=[],this.siblingStacks=[]}matches(t){const e=t.segments;return 0!==e.length&&(t.hasDeepWildcard()?this._matchWithDeepWildcard(e):this._matchSimple(e))}_matchSimple(t){if(this.path.length!==t.length)return!1;for(let e=0;e<t.length;e++)if(!this._matchSegment(t[e],this.path[e],e===this.path.length-1))return!1;return!0}_matchWithDeepWildcard(t){let e=this.path.length-1,r=t.length-1;for(;r>=0&&e>=0;){const i=t[r];if("deep-wildcard"===i.type){if(r--,r<0)return!0;const i=t[r];let n=!1;for(let t=e;t>=0;t--)if(this._matchSegment(i,this.path[t],t===this.path.length-1)){e=t-1,r--,n=!0;break}if(!n)return!1}else{if(!this._matchSegment(i,this.path[e],e===this.path.length-1))return!1;e--,r--}}return r<0}_matchSegment(t,e,r){if("*"!==t.tag&&t.tag!==e.tag)return!1;if(void 0!==t.namespace&&"*"!==t.namespace&&t.namespace!==e.namespace)return!1;if(void 0!==t.attrName){if(!r)return!1;if(!e.values||!(t.attrName in e.values))return!1;if(void 0!==t.attrValue&&String(e.values[t.attrName])!==String(t.attrValue))return!1}if(void 0!==t.position){if(!r)return!1;const 
i=e.counter??0;if("first"===t.position&&0!==i)return!1;if("odd"===t.position&&i%2!=1)return!1;if("even"===t.position&&i%2!=0)return!1;if("nth"===t.position&&i!==t.positionValue)return!1}return!0}matchesAny(t){return t.matchesAny(this)}snapshot(){return{path:this.path.map(t=>({...t})),siblingStacks:this.siblingStacks.map(t=>new Map(t))}}restore(t){this._pathStringCache=null,this.path=t.path.map(t=>({...t})),this.siblingStacks=t.siblingStacks.map(t=>new Map(t))}readOnly(){return this._view}}class F{constructor(t,e={},r){this.pattern=t,this.separator=e.separator||".",this.segments=this._parse(t),this.data=r,this._hasDeepWildcard=this.segments.some(t=>"deep-wildcard"===t.type),this._hasAttributeCondition=this.segments.some(t=>void 0!==t.attrName),this._hasPositionSelector=this.segments.some(t=>void 0!==t.position)}_parse(t){const e=[];let r=0,i="";for(;r<t.length;)t[r]===this.separator?r+1<t.length&&t[r+1]===this.separator?(i.trim()&&(e.push(this._parseSegment(i.trim())),i=""),e.push({type:"deep-wildcard"}),r+=2):(i.trim()&&e.push(this._parseSegment(i.trim())),i="",r++):(i+=t[r],r++);return i.trim()&&e.push(this._parseSegment(i.trim())),e}_parseSegment(t){const e={type:"tag"};let r=null,i=t;const n=t.match(/^([^\[]+)(\[[^\]]*\])(.*)$/);if(n&&(i=n[1]+n[3],n[2])){const t=n[2].slice(1,-1);t&&(r=t)}let a,s,o=i;if(i.includes("::")){const e=i.indexOf("::");if(a=i.substring(0,e).trim(),o=i.substring(e+2).trim(),!a)throw new Error(`Invalid namespace in pattern: ${t}`)}let l=null;if(o.includes(":")){const t=o.lastIndexOf(":"),e=o.substring(0,t).trim(),r=o.substring(t+1).trim();["first","last","odd","even"].includes(r)||/^nth\(\d+\)$/.test(r)?(s=e,l=r):s=o}else s=o;if(!s)throw new Error(`Invalid segment pattern: ${t}`);if(e.tag=s,a&&(e.namespace=a),r)if(r.includes("=")){const t=r.indexOf("=");e.attrName=r.substring(0,t).trim(),e.attrValue=r.substring(t+1).trim()}else e.attrName=r.trim();if(l){const 
t=l.match(/^nth\((\d+)\)$/);t?(e.position="nth",e.positionValue=parseInt(t[1],10)):e.position=l}return e}get length(){return this.segments.length}hasDeepWildcard(){return this._hasDeepWildcard}hasAttributeCondition(){return this._hasAttributeCondition}hasPositionSelector(){return this._hasPositionSelector}toString(){return this.pattern}}class X{constructor(){this._byDepthAndTag=new Map,this._wildcardByDepth=new Map,this._deepWildcards=[],this._patterns=new Set,this._sealed=!1}add(t){if(this._sealed)throw new TypeError("ExpressionSet is sealed. Create a new ExpressionSet to add more expressions.");if(this._patterns.has(t.pattern))return this;if(this._patterns.add(t.pattern),t.hasDeepWildcard())return this._deepWildcards.push(t),this;const e=t.length,r=t.segments[t.segments.length-1],i=r?.tag;if(i&&"*"!==i){const r=`${e}:${i}`;this._byDepthAndTag.has(r)||this._byDepthAndTag.set(r,[]),this._byDepthAndTag.get(r).push(t)}else this._wildcardByDepth.has(e)||this._wildcardByDepth.set(e,[]),this._wildcardByDepth.get(e).push(t);return this}addAll(t){for(const e of t)this.add(e);return this}has(t){return this._patterns.has(t.pattern)}get size(){return this._patterns.size}seal(){return this._sealed=!0,this}get isSealed(){return this._sealed}matchesAny(t){return null!==this.findMatch(t)}findMatch(t){const e=t.getDepth(),r=`${e}:${t.getCurrentTag()}`,i=this._byDepthAndTag.get(r);if(i)for(let e=0;e<i.length;e++)if(t.matches(i[e]))return i[e];const n=this._wildcardByDepth.get(e);if(n)for(let e=0;e<n.length;e++)if(t.matches(n[e]))return n[e];for(let e=0;e<this._deepWildcards.length;e++)if(t.matches(this._deepWildcards[e]))return this._deepWildcards[e];return null}}const B={cent:"¢",pound:"£",curren:"¤",yen:"¥",euro:"€",dollar:"$",fnof:"ƒ",inr:"₹",af:"؋",birr:"ብር",peso:"₱",rub:"₽",won:"₩",yuan:"¥",cedil:"¸"},W={amp:"&",apos:"'",gt:">",lt:"<",quot:'"'},Y={nbsp:" 
",copy:"©",reg:"®",trade:"™",mdash:"—",ndash:"–",hellip:"…",laquo:"«",raquo:"»",lsquo:"‘",rsquo:"’",ldquo:"“",rdquo:"”",bull:"•",para:"¶",sect:"§",deg:"°",frac12:"½",frac14:"¼",frac34:"¾"},G=Object.freeze({ALLOW:"allow",BLOCK:"block",THROW:"throw"}),H=new Set("!?\\\\/[]$%{}^&*()<>|+");function z(t){if("#"===t[0])throw new Error(`[EntityReplacer] Invalid character '#' in entity name: "${t}"`);for(const e of t)if(H.has(e))throw new Error(`[EntityReplacer] Invalid character '${e}' in entity name: "${t}"`);return t}function Q(...t){const e=Object.create(null);for(const r of t)if(r)for(const t of Object.keys(r)){const i=r[t];if("string"==typeof i)e[t]=i;else if(i&&"object"==typeof i&&void 0!==i.val){const r=i.val;"string"==typeof r&&(e[t]=r)}}return e}const J="external",Z="base",K="all",tt=Object.freeze({allow:0,leave:1,remove:2,throw:3}),et=new Set([9,10,13]);class rt{constructor(t={}){var e;this._limit=t.limit||{},this._maxTotalExpansions=this._limit.maxTotalExpansions||0,this._maxExpandedLength=this._limit.maxExpandedLength||0,this._postCheck="function"==typeof t.postCheck?t.postCheck:t=>t,this._limitTiers=(e=this._limit.applyLimitsTo??J)&&e!==J?e===K?new Set([K]):e===Z?new Set([Z]):Array.isArray(e)?new Set(e):new Set([J]):new Set([J]),this._numericAllowed=t.numericAllowed??!0,this._baseMap=Q(W,t.namedEntities||null),this._externalMap=Object.create(null),this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this._removeSet=new Set(t.remove&&Array.isArray(t.remove)?t.remove:[]),this._leaveSet=new Set(t.leave&&Array.isArray(t.leave)?t.leave:[]);const r=function(t){if(!t)return{xmlVersion:1,onLevel:tt.allow,nullLevel:tt.remove};const e=1.1===t.xmlVersion?1.1:1,r=tt[t.onNCR]??tt.allow,i=tt[t.nullNCR]??tt.remove;return{xmlVersion:e,onLevel:r,nullLevel:Math.max(i,tt.remove)}}(t.ncr);this._ncrXmlVersion=r.xmlVersion,this._ncrOnLevel=r.onLevel,this._ncrNullLevel=r.nullLevel,this._onExternalEntity="function"==typeof 
t.onExternalEntity?t.onExternalEntity:null,this._onInputEntity="function"==typeof t.onInputEntity?t.onInputEntity:null}_applyRegistrationHook(t,e,r,i){if(!t)return!0;const n=t(e,r);if(n===G.BLOCK)return!1;if(n===G.THROW)throw new Error(`[EntityDecoder] Registration of ${i} entity "&${e};" was rejected by hook`);return!0}setExternalEntities(t){if(t)for(const e of Object.keys(t))z(e);if(!this._onExternalEntity)return void(this._externalMap=Q(t));const e=Q(t),r=Object.create(null);for(const[t,i]of Object.entries(e))this._applyRegistrationHook(this._onExternalEntity,t,i,"external")&&(r[t]=i);this._externalMap=r}addExternalEntity(t,e){z(t),"string"==typeof e&&-1===e.indexOf("&")&&this._applyRegistrationHook(this._onExternalEntity,t,e,"external")&&(this._externalMap[t]=e)}addInputEntities(t){if(this._totalExpansions=0,this._expandedLength=0,!this._onInputEntity)return void(this._inputMap=Q(t));const e=Q(t),r=Object.create(null);for(const[t,i]of Object.entries(e))this._applyRegistrationHook(this._onInputEntity,t,i,"input")&&(r[t]=i);this._inputMap=r}reset(){return this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this}setXmlVersion(t){this._ncrXmlVersion=1.1===t?1.1:1}decode(t){if("string"!=typeof t||0===t.length)return t;if(-1===t.indexOf("&"))return t;const e=t,r=[],i=t.length;let n=0,a=0;const s=this._maxTotalExpansions>0,o=this._maxExpandedLength>0,l=s||o;for(;a<i;){if(38!==t.charCodeAt(a)){a++;continue}let e=a+1;for(;e<i&&59!==t.charCodeAt(e)&&e-a<=32;)e++;if(e>=i||59!==t.charCodeAt(e)){a++;continue}const c=t.slice(a+1,e);if(0===c.length){a++;continue}let p,d;if(this._removeSet.has(c))p="",void 0===d&&(d=J);else{if(this._leaveSet.has(c)){a++;continue}if(35===c.charCodeAt(0)){const t=this._resolveNCR(c);if(void 0===t){a++;continue}p=t,d=Z}else{const t=this._resolveName(c);p=t?.value,d=t?.tier}}if(void 
0!==p){if(a>n&&r.push(t.slice(n,a)),r.push(p),n=e+1,a=n,l&&this._tierCounts(d)){if(s&&(this._totalExpansions++,this._totalExpansions>this._maxTotalExpansions))throw new Error(`[EntityReplacer] Entity expansion count limit exceeded: ${this._totalExpansions} > ${this._maxTotalExpansions}`);if(o){const t=p.length-(c.length+2);if(t>0&&(this._expandedLength+=t,this._expandedLength>this._maxExpandedLength))throw new Error(`[EntityReplacer] Expanded content length limit exceeded: ${this._expandedLength} > ${this._maxExpandedLength}`)}}}else a++}n<i&&r.push(t.slice(n));const c=0===r.length?t:r.join("");return this._postCheck(c,e)}_tierCounts(t){return!!this._limitTiers.has(K)||this._limitTiers.has(t)}_resolveName(t){return t in this._inputMap?{value:this._inputMap[t],tier:J}:t in this._externalMap?{value:this._externalMap[t],tier:J}:t in this._baseMap?{value:this._baseMap[t],tier:Z}:void 0}_classifyNCR(t){return 0===t?this._ncrNullLevel:t>=55296&&t<=57343||1===this._ncrXmlVersion&&t>=1&&t<=31&&!et.has(t)?tt.remove:-1}_applyNCRAction(t,e,r){switch(t){case tt.allow:return String.fromCodePoint(r);case tt.remove:return"";case tt.leave:return;case tt.throw:throw new Error(`[EntityDecoder] Prohibited numeric character reference &${e}; (U+${r.toString(16).toUpperCase().padStart(4,"0")})`);default:return String.fromCodePoint(r)}}_resolveNCR(t){const e=t.charCodeAt(1);let r;if(r=120===e||88===e?parseInt(t.slice(2),16):parseInt(t.slice(1),10),Number.isNaN(r)||r<0||r>1114111)return;const i=this._classifyNCR(r);if(!this._numericAllowed&&i<tt.remove)return;const n=-1===i?this._ncrOnLevel:Math.max(this._ncrOnLevel,i);return this._applyNCRAction(n,t,r)}}const it=[{id:"sql-block-comment-open",description:"SQL block comment open: /* ... 
*/ — unusual in legitimate user text",pattern:/\/\*/},{id:"sql-union-select",description:"UNION SELECT — most common SQL injection aggregation attack",pattern:/\bUNION\s{1,20}(?:ALL\s{1,20})?SELECT\b/i},{id:"sql-drop-table",description:"DROP TABLE — destructive DDL injection",pattern:/\bDROP\s{1,20}TABLE\b/i},{id:"sql-drop-database",description:"DROP DATABASE — destructive DDL injection",pattern:/\bDROP\s{1,20}DATABASE\b/i},{id:"sql-insert-into",description:"INSERT INTO — data injection",pattern:/\bINSERT\s{1,20}INTO\b/i},{id:"sql-delete-from",description:"DELETE FROM — data deletion injection",pattern:/\bDELETE\s{1,20}FROM\b/i},{id:"sql-update-set",description:"UPDATE ... SET — data modification injection",pattern:/\bUPDATE\b[\s\S]{1,60}\bSET\b/i},{id:"sql-exec-xp",description:"EXEC xp_ — MSSQL extended stored procedure execution",pattern:/\bEXEC(?:UTE)?\s{1,20}xp_/i},{id:"sql-tautology-string",description:'Classic string tautology: \' OR \'1\'=\'1 or " OR "1"="1"',pattern:/'\s{0,10}OR\s{0,10}'[^']{0,20}'\s*=\s*'[^']{0,20}/i},{id:"sql-tautology-numeric",description:"Numeric tautology: OR 1=1",pattern:/\bOR\s{1,10}1\s*=\s*1\b/i},{id:"sql-always-true-zero",description:"Numeric tautology: OR 0=0",pattern:/\bOR\s{1,10}0\s*=\s*0\b/i},{id:"sql-sleep-benchmark",description:"Time-based blind injection: SLEEP() or BENCHMARK()",pattern:/\b(?:SLEEP|BENCHMARK)\s*\(/i},{id:"sql-waitfor-delay",description:"MSSQL time-based blind injection: WAITFOR DELAY",pattern:/\bWAITFOR\s{1,20}DELAY\b/i},{id:"sql-char-function",description:"CHAR() function — used to obfuscate injected strings",pattern:/\bCHAR\s*\(\s*\d{1,3}/i},{id:"sql-information-schema",description:"INFORMATION_SCHEMA — reconnaissance query for table/column enumeration",pattern:/\bINFORMATION_SCHEMA\b/i}],nt="[\"'\\s]*:",at={HTML:[{id:"html-script-open",description:"<script opening tag",pattern:/<script[\s>/]/i},{id:"html-script-close",description:"<\/script closing 
tag",pattern:/<\/script[\s>]/i},{id:"html-javascript-protocol",description:"javascript: URI scheme (with optional whitespace/encoding)",pattern:/j[\t\n\r ]*a[\t\n\r ]*v[\t\n\r ]*a[\t\n\r ]*s[\t\n\r ]*c[\t\n\r ]*r[\t\n\r ]*i[\t\n\r ]*p[\t\n\r ]*t[\t\n\r ]*:/i},{id:"html-vbscript-protocol",description:"vbscript: URI scheme",pattern:/vbscript[\t\n\r ]*:/i},{id:"html-data-html",description:"data:text/html URI — can execute scripts in browsers",pattern:/data[\t\n\r ]*:[\t\n\r ]*text\/html/i},{id:"html-data-xhtml",description:"data:application/xhtml+xml URI",pattern:/data[\t\n\r ]*:[\t\n\r ]*application\/xhtml/i},{id:"html-data-svg",description:"data:image/svg+xml URI — can execute scripts",pattern:/data[\t\n\r ]*:[\t\n\r ]*image\/svg\+xml/i},{id:"html-inline-event-handler",description:"Inline event handler attributes: onclick=, onerror=, onload=, etc.",pattern:/\bon\w{1,30}\s*=/i},{id:"html-entity-obfuscated-script",description:"HTML-entity-encoded <script (e.g. &#x3C;script or &lt;script)",pattern:/(?:&#x0*3[Cc];?|&#0*60;?|&lt;)\s*script/i},{id:"html-entity-obfuscated-javascript",description:'HTML-entity-encoded javascript: (partial — catches common &#106; or &#x6a; for "j")',pattern:/(?:&#x0*6[Aa];?|&#0*106;?)\s*(?:&#x0*61;?|a)[\s\S]{0,80}script\s*:/i},{id:"html-style-expression",description:"CSS expression() — IE-era code execution in style attributes",pattern:/style[\s\S]{0,20}expression\s*\(/i},{id:"html-object-embed",description:"<object or <embed tags that can load active content",pattern:/<(?:object|embed)[\s>/]/i},{id:"html-base-tag",description:"<base href= — can hijack all relative URLs on a page",pattern:/<base[\s>]/i},{id:"html-meta-refresh",description:'<meta http-equiv="refresh" — can redirect users',pattern:/<meta[\s\S]{0,40}http-equiv[\s\S]{0,20}refresh/i},{id:"html-srcdoc",description:"srcdoc= attribute on iframes — embeds HTML that can run scripts",pattern:/srcdoc\s*=/i},{id:"html-iframe",description:"<iframe 
tag",pattern:/<iframe[\s>/]/i},{id:"html-form",description:"<form tag — can be used for phishing / credential harvesting injection",pattern:/<form[\s>/]/i}],XML:[{id:"xml-cdata-injection",description:"CDATA section injection: <![CDATA[ breaks out of text node context",pattern:/<!\[CDATA\[/i},{id:"xml-cdata-close",description:"CDATA close sequence: ]]> can terminate an enclosing CDATA section",pattern:/\]\]>/},{id:"xml-processing-instruction",description:"XML processing instruction: <?xml-stylesheet or <?php etc.",pattern:/<\?(?:xml[\- ]|php|asp)/i},{id:"xml-doctype-injection",description:"DOCTYPE declaration embedded in content — can define entities",pattern:/<!DOCTYPE(?:[\s[]|$)/i},{id:"xml-entity-system",description:"SYSTEM keyword — used in external entity declarations (XXE)",pattern:/\bSYSTEM\s+["']/i},{id:"xml-entity-public",description:"PUBLIC keyword — used in external entity declarations (XXE)",pattern:/\bPUBLIC\s+["']/i},{id:"xml-entity-declaration",description:"<!ENTITY declaration — defines entities, potential XXE or entity expansion",pattern:/<!ENTITY[\s%]/i},{id:"xml-billion-laughs",description:"Entity reference chaining / billion laughs: repeated &eX; style references",pattern:/(?:&\w{1,20};){3,}/},{id:"xml-namespace-confusion",description:"xmlns: attribute injection — can redefine namespaces to confuse parsers",pattern:/\bxmlns\s*(?::\w{1,40})?\s*=/i},{id:"xml-comment-injection",description:"\x3c!-- comment injection — can hide content from some parsers",pattern:/<!--/},{id:"xml-comment-close",description:"--\x3e closes an enclosing XML comment",pattern:/-->/},{id:"xml-pi-close",description:"?> closes an enclosing processing instruction",pattern:/\?>/}],SVG:[{id:"svg-script-element",description:"<script element inside SVG executes JavaScript",pattern:/<script[\s>/]/i},{id:"svg-xlink-href-javascript",description:"xlink:href with javascript: — classic SVG XSS via <a> or 
<use>",pattern:/xlink\s*:\s*href\s*=\s*["']?\s*javascript\s*:/i},{id:"svg-href-javascript",description:"href= with javascript: in SVG context (<a>, <animate>, etc.)",pattern:/href\s*=\s*["']?\s*javascript\s*:/i},{id:"svg-foreignobject",description:"<foreignObject embeds HTML inside SVG — can execute scripts",pattern:/<foreignObject[\s>/]/i},{id:"svg-use-external",description:"<use xlink:href or href pointing to external resource (non-fragment URL)",pattern:/<use[\s\S]{0,60}(?:xlink\s*:\s*)?href\s*=\s*(?:["'][^#]|[^"'#\s>])/i},{id:"svg-animate-href",description:'<animate attributeName="href" — can dynamically change href to javascript:',pattern:/<animate[\s\S]{0,80}attributeName\s*=\s*["'][\s]*href["']/i},{id:"svg-animate-xlinkhref",description:'<animate attributeName="xlink:href"',pattern:/<animate[\s\S]{0,80}attributeName\s*=\s*["'][\s]*xlink\s*:\s*href["']/i},{id:"svg-set-javascript",description:'<set to="javascript:..." — sets an attribute to a javascript: URI',pattern:/<set[\s\S]{0,80}to\s*=\s*["']?\s*javascript\s*:/i},{id:"svg-event-handler",description:"SVG-specific event handler attributes: onload=, onerror=, onactivate=, etc.",pattern:/\bon(?:load|error|activate|begin|end|repeat|focus|blur|click|mouse\w{1,20}|key\w{1,20})\s*=/i},{id:"svg-handler-generic",description:"Generic on* handler catch-all for SVG attributes",pattern:/\bon\w{1,30}\s*=/i},{id:"svg-filter-feimage",description:"<feImage href= — filter primitive that can load external resources",pattern:/<feImage[\s\S]{0,80}(?:xlink\s*:\s*)?href\s*=/i},{id:"svg-image-external",description:"<image xlink:href with http/https or javascript protocol",pattern:/<image[\s\S]{0,80}(?:xlink\s*:\s*)?href\s*=\s*["']?\s*(?:https?|javascript)\s*:/i},{id:"svg-style-javascript",description:"style= attribute containing javascript: (e.g. 
background:url(javascript:...))",pattern:/style\s*=[\s\S]{0,60}javascript\s*:/i}],SQL:it,"SQL-STRICT":[...it,{id:"sql-line-comment",description:"SQL line comment: -- followed by whitespace or end of string",pattern:/--(?:\s|$)/},{id:"sql-stacked-query",description:"Stacked queries: semicolon immediately followed by a SQL keyword",pattern:/;\s{0,10}(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|EXEC)\b/i},{id:"sql-hex-encoding",description:"Hex-encoded string injection: 0x41414141 style (MySQL)",pattern:/\b0x[0-9a-f]{4,}/i}],SHELL:[{id:"shell-path-traversal-unix",description:"Unix path traversal: ../ — climbing the directory tree",pattern:/\.\.\//},{id:"shell-path-traversal-windows",description:"Windows path traversal: ..\\ — climbing the directory tree",pattern:/\.\.\\/},{id:"shell-path-traversal-encoded",description:"URL-encoded path traversal: %2e%2e or %2f variants",pattern:/%2e%2e|%2f\.\.|\.\.%2f/i},{id:"shell-null-byte",description:"Null byte injection: \\x00 or %00 — truncates strings in C-backed functions",pattern:/\x00|%00/},{id:"shell-semicolon",description:"Semicolon command separator: cmd1; cmd2",pattern:/;/},{id:"shell-pipe",description:"Pipe operator: cmd1 | cmd2",pattern:/\|/},{id:"shell-and-operator",description:"AND operator: cmd1 && cmd2",pattern:/&&/},{id:"shell-or-operator",description:"OR operator: cmd1 || cmd2",pattern:/\|\|/},{id:"shell-backtick",description:"Backtick command substitution: `cmd`",pattern:/`/},{id:"shell-dollar-paren",description:"Dollar-paren command substitution: $(cmd)",pattern:/\$\(/},{id:"shell-dollar-brace",description:"Dollar-brace variable expansion: ${var} — can be abused for injection",pattern:/\$\{/},{id:"shell-redirect-out",description:"Output redirection: cmd > file or cmd >> file",pattern:/>{1,2}/},{id:"shell-redirect-in",description:"Input redirection: cmd < file",pattern:/</},{id:"shell-newline-injection",description:"Newline injection: \\n or \\r — can inject new shell 
commands",pattern:/[\n\r]/},{id:"shell-glob-star",description:"Glob expansion: * or ? — can expand to unintended files",pattern:/[/\\][*?]/},{id:"shell-absolute-root",description:"Absolute root path injection: string starting with / or \\ (Windows UNC)",pattern:/^(?:\/|\\\\)/},{id:"shell-windows-drive",description:"Windows drive letter path injection: C:\\ or D:/",pattern:/^[a-zA-Z]:[/\\]/},{id:"shell-curl-wget",description:"curl/wget with URL or flags — can exfiltrate data or download payloads",pattern:/\b(?:curl|wget)\s+(?:https?:\/\/|ftp:\/\/|-)/i}],REDOS:[{id:"redos-nested-quantifier-plus",description:"Nested + quantifier inside a group with outer quantifier: (a+)+, (.+b)*, etc.",pattern:/\([^)]*\+[^)]*\)[+*]/},{id:"redos-nested-quantifier-star",description:"Nested * quantifier: (a*)* or (a*)+ — catastrophic backtracking",pattern:/\([^)]*\*[^)]*\)[*+]/},{id:"redos-nested-groups",description:"Doubly nested quantified groups: ((a+)+) — guaranteed catastrophic",pattern:/\(\([^)]{0,40}\)[+*]\)[+*]/},{id:"redos-alternation-overlap",description:"Overlapping alternation under quantifier: (a|a)+ — ambiguous NFA paths",pattern:/\(([^|()]{1,20})\|(?:\1)(?:\|[^|()]{1,20}){0,5}\)[+*?]{1,2}/},{id:"redos-star-plus-concat",description:"(x*x)+ pattern — triggers super-linear backtracking",pattern:/\([^)]{0,10}\*[^)]{0,10}\)[+*]/},{id:"redos-dot-star-greedy",description:"(.*){n,} or (.+){n,} — repeated greedy dot quantifiers",pattern:/\(\.[*+]\)\{?\d/},{id:"redos-large-repetition",description:"Very large fixed or range repetition count {1000,} or {1000,n} — denial of service via backtracking",pattern:/\{\d{4,}(?:,\d*)?\}/},{id:"redos-catastrophic-alternation",description:"Long alternation with many similar branches — polynomial backtracking risk",pattern:/\([^)]{0,200}(?:\|[^|)]{0,50}){9,}\)/}],NOSQL:[{id:"nosql-where-operator",description:"$where — executes arbitrary JavaScript server-side in MongoDB",pattern:new 
RegExp(`\\$where${nt}`,"i")},{id:"nosql-ne-operator",description:'$ne — "not equal" operator used to bypass equality checks',pattern:new RegExp(`\\$ne${nt}`,"i")},{id:"nosql-gt-operator",description:'$gt — "greater than" used to bypass password/value checks',pattern:new RegExp(`\\$gte?${nt}`,"i")},{id:"nosql-lt-operator",description:'$lt / $lte — "less than" bypass variants',pattern:new RegExp(`\\$lte?${nt}`,"i")},{id:"nosql-regex-operator",description:"$regex — can be used to extract data character by character (blind injection)",pattern:new RegExp(`\\$regex${nt}`,"i")},{id:"nosql-or-operator",description:"$or — logical OR; used to create always-true conditions",pattern:new RegExp(`\\$or${nt}\\s*\\[`,"i")},{id:"nosql-and-operator",description:"$and — logical AND operator injection",pattern:new RegExp(`\\$and${nt}\\s*\\[`,"i")},{id:"nosql-nor-operator",description:"$nor — logical NOR operator injection",pattern:new RegExp(`\\$nor${nt}\\s*\\[`,"i")},{id:"nosql-exists-operator",description:"$exists — can enumerate fields to determine schema",pattern:new RegExp(`\\$exists${nt}`,"i")},{id:"nosql-in-operator",description:"$in — matches any value in a list; can enumerate values",pattern:new RegExp(`\\$in${nt}\\s*\\[`,"i")},{id:"nosql-expr-operator",description:"$expr — allows aggregation expressions in queries (MongoDB 3.6+)",pattern:new RegExp(`\\$expr${nt}`,"i")},{id:"nosql-function-operator",description:"$function — executes arbitrary JavaScript in MongoDB 4.4+",pattern:new RegExp(`\\$function${nt}`,"i")},{id:"nosql-accumulator-operator",description:"$accumulator — custom aggregation with arbitrary JS execution",pattern:new RegExp(`\\$accumulator${nt}`,"i")},{id:"nosql-proto-pollution",description:"__proto__ — prototype pollution via object key injection",pattern:/__proto__/},{id:"nosql-constructor-prototype",description:"constructor.prototype — alternative prototype pollution vector (dot notation or JSON 
key)",pattern:/constructor[\s"':.,{\[]*prototype/i},{id:"nosql-proto-bracket",description:'["__proto__"] — bracket-notation prototype pollution',pattern:/\[["']__proto__["']\]/}],LOG:[{id:"log-crlf-injection",description:"CRLF injection: literal \\r or \\n embeds fake log lines",pattern:/[\r\n]/},{id:"log-url-encoded-crlf",description:"URL-encoded CRLF: %0d, %0a, %0D, %0A — decoded by some log parsers",pattern:/%0[dDaA]/},{id:"log-unicode-newline",description:"Unicode newline variants: U+2028 (line separator), U+2029 (paragraph separator)",pattern:/[\u2028\u2029]/},{id:"log-log4shell-jndi",description:"Log4Shell: ${jndi:...} triggers remote code execution in Apache Log4j",pattern:/\$\{jndi\s*:/i},{id:"log-log4shell-obfuscated",description:"Obfuscated Log4Shell: ${::-j}... lookup-bypass prefix used to evade WAF detection",pattern:/\$\{::-/},{id:"log-log4j-lookup",description:"Log4j lookup syntax: ${env:...}, ${sys:...}, ${ctx:...} — data exfiltration",pattern:/\$\{(?:env|sys|ctx|main|map|sd|web|docker|k8s|spring)\s*:/i},{id:"log-ssti-double-brace",description:"SSTI double-brace: {{expression}} — Jinja2, Twig, Handlebars, etc.",pattern:/\{\{[\s\S]{0,80}\}\}/},{id:"log-ssti-hash-brace",description:"SSTI hash-brace: #{expression} — Thymeleaf, Velocity, Ruby ERB",pattern:/#\{[\s\S]{0,80}\}/},{id:"log-ssti-dollar-brace",description:"SSTI/EL injection: ${expression with operators or method calls} — JSP EL, Freemarker, SpEL",pattern:/\$\{[^}]*(?:\.|\(|\*|\+|\bclass\b|\bruntime\b|\bprocess\b|\bexec\b)[^}]{0,80}\}/i},{id:"log-ssti-percent-tag",description:"SSTI ERB/ASP tag: <%= expression %> — Ruby ERB, ASP",pattern:/<%=[\s\S]{0,80}%>/},{id:"log-null-byte",description:"Null byte: \\x00 or %00 — can truncate log entries in C-backed loggers",pattern:/\x00|%00/},{id:"log-ansi-escape",description:"ANSI escape sequence: ESC[ — can manipulate terminal output when logs are tailed",pattern:/\x1b\[/}]},st=at,ot=Object.freeze(Object.fromEntries(Object.keys(at).map(t=>[t,t])));function 
/**
 * lt(t, e): scans the rule list st[e] in order and returns the first rule whose
 * pattern matches string t, as {context, id, description, pattern}; returns null
 * when no rule matches. It does not validate e itself; ct does that before calling.
 */
lt(t,e){const r=st[e];for(const i of r)if(i.pattern.test(t))return{context:e,id:i.id,description:i.description,pattern:i.pattern};return null}
/**
 * ct(t, e): "is-unsafe" entry point. Throws TypeError unless t is a string and e is
 * a RegExp, a known context name, or a non-empty array of known context names.
 * Returns e.test(t) for a RegExp; otherwise true when any rule of the named
 * context(s) matches t, else false.
 *
 * A false result only means that no listed pattern matched. The rule tables are a
 * deny-list heuristic, so callers should still encode or escape for the output context.
 *
 * NOTE(review): a caller-supplied RegExp is used as-is. With the g or y flag,
 * test() advances lastIndex, so repeated calls on the same input can alternate
 * between true and false; pass a flagless pattern or reset lastIndex first.
 * NOTE(review): context names are checked with st[name] truthiness on a plain
 * object, so inherited names such as "constructor" pass this check and then fail
 * inside lt's for...of with a generic TypeError rather than the "unknown context"
 * message. An own-property check would reject them cleanly.
 */
function ct(t,e){if(function(t){if("string"!=typeof t)throw new TypeError("is-unsafe: first argument must be a string, got "+typeof t)}(t),function(t){if(!(t instanceof RegExp))if("string"!=typeof t){if(!Array.isArray(t))throw new TypeError("is-unsafe: second argument must be a context string, array of context strings, or RegExp. Got: "+typeof t);if(0===t.length)throw new TypeError("is-unsafe: context array must not be empty");for(const e of t)if("string"!=typeof e||!st[e])throw new TypeError(`is-unsafe: unknown context "${e}" in array. Valid contexts: ${Object.keys(ot).join(", ")}`)}else if(!st[t])throw new TypeError(`is-unsafe: unknown context "${t}". Valid contexts: ${Object.keys(ot).join(", ")}`)}(e),e instanceof RegExp)return e.test(t);if("string"==typeof e)return null!==lt(t,e);for(const r of e)if(null!==lt(t,r))return!0;return!1}
/**
 * pt(target, ...sources): shallow merge helper. Rebinds itself to Object.assign
 * when available; the fallback copies each later argument's own properties onto
 * the first argument and returns it.
 */
function pt(){return pt=Object.assign?Object.assign.bind():function(t){for(var e=1;e<arguments.length;e++){var r=arguments[e];for(var i in r)({}).hasOwnProperty.call(r,i)&&(t[i]=r[i])}return t},pt.apply(null,arguments)}
/**
 * dt(t, e): returns a new object holding the attributes of t with
 * e.attributeNamePrefix stripped from keys that start with it. Reads
 * t[e.attributesGroupName] when that option is set. Returns {} when t or the
 * attribute group is missing.
 */
function dt(t,e){if(!t)return{};var r=e.attributesGroupName?t[e.attributesGroupName]:t;if(!r)return{};var i={};for(var n in r)n.startsWith(e.attributeNamePrefix)?i[n.substring(e.attributeNamePrefix.length)]=r[n]:i[n]=r[n];return i}
/**
 * ht(t): returns the text before the first ":" of a non-empty string t, i.e. the
 * namespace prefix. Returns undefined when there is no ":", when ":" is the first
 * character, when the prefix is "xmlns", or when t is not a non-empty string.
 */
function ht(t){if(t&&"string"==typeof t){var e=t.indexOf(":");if(-1!==e&&e>0){var r=t.substring(0,e);if("xmlns"!==r)return r}}}
/**
 * ut(t, e): parser-state constructor. Stores options t, attaches the parsing
 * methods, and builds ignoreAttributesFn from options.ignoreAttributes: a function
 * is used as-is, an array is matched per entry by string equality or RegExp.test,
 * anything else ignores nothing. It then resets the entity-expansion counters and
 * sets up the entity decoder, the path matcher and the stop-node expression set.
 *
 * Entity handling: unless options.entityDecoder is supplied, a decoder (rt) is
 * created with limits read from options.processEntities (maxTotalExpansions,
 * maxExpandedLength, appliesTo) and an onInputEntity hook that returns G.BLOCK when
 * ct flags its second argument against the HTML and XML rule sets.
 *
 * NOTE(review): a caller-supplied options.entityDecoder replaces that decoder, so
 * the limits and the blocking hook configured here do not apply to it; confirm a
 * custom decoder enforces its own expansion limits.
 * NOTE(review): options.processEntities is read as an object here; its
 * normalization is outside this view.
 */
var ut=function(t,e){var r;this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.parseXml=xt,this.parseTextData=ft,this.resolveNameSpace=gt,this.buildAttributesMap=vt,this.isItStopNode=wt,this.replaceEntitiesValue=yt,this.readStopNodeData=Tt,this.saveTextToParentTag=Et,this.addChild=bt,this.ignoreAttributesFn="function"==typeof(r=this.options.ignoreAttributes)?r:Array.isArray(r)?function(t){for(var
e,i=function(t,e){var r="undefined"!=typeof Symbol&&t[Symbol.iterator]||t["@@iterator"];if(r)return(r=r.call(t)).next.bind(r);if(Array.isArray(t)||(r=function(t,e){if(t){if("string"==typeof t)return V(t,e);var r={}.toString.call(t).slice(8,-1);return"Object"===r&&t.constructor&&(r=t.constructor.name),"Map"===r||"Set"===r?Array.from(t):"Arguments"===r||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(r)?V(t,e):void 0}}(t))||e&&t&&"number"==typeof t.length){r&&(t=r);var i=0;return function(){return i>=t.length?{done:!0}:{done:!1,value:t[i++]}}}throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}(r);!(e=i()).done;){var n=e.value;if("string"==typeof n&&t===n)return!0;if(n instanceof RegExp&&n.test(t))return!0}}:function(){return!1},this.entityExpansionCount=0,this.currentExpandedLength=0;var i=pt({},W);this.options.entityDecoder?this.entityDecoder=this.options.entityDecoder:("object"==typeof this.options.htmlEntities?i=this.options.htmlEntities:!0===this.options.htmlEntities&&(i=pt({},Y,B)),this.entityDecoder=new rt({namedEntities:pt({},i,e),numericAllowed:this.options.htmlEntities,limit:{maxTotalExpansions:this.options.processEntities.maxTotalExpansions,maxExpandedLength:this.options.processEntities.maxExpandedLength,applyLimitsTo:this.options.processEntities.appliesTo},
/* Screening hook for entities declared in the input: the second argument
   (presumably the entity's replacement text; confirm against rt) is checked by ct
   against the HTML and XML rule sets, and a match yields G.BLOCK instead of
   G.ALLOW. This is pattern-based screening, not sanitization of the value.
   This branch is skipped when options.entityDecoder is supplied. */
onInputEntity:function(t,e){return ct(e,[ot.HTML,ot.XML])?G.BLOCK:G.ALLOW}})),this.matcher=new U,this.readonlyMatcher=this.matcher.readOnly(),this.isCurrentNodeStopNode=!1,this.stopNodeExpressionsSet=new X;var n=this.options.stopNodes;if(n&&n.length>0){for(var a=0;a<n.length;a++){var s=n[a];"string"==typeof s?this.stopNodeExpressionsSet.add(new F(s)):s instanceof F&&this.stopNodeExpressionsSet.add(s)}this.stopNodeExpressionsSet.seal()}};
/**
 * ft(t, e, r, i, n, a, s): post-processes text t of tag e. Trims t when
 * options.trimValues is set and i is falsy. For non-empty text it replaces
 * entities unless s is truthy, then calls options.tagValueProcessor. It returns
 * the text itself when the processor returns null or undefined, the processor's
 * result when that differs from the text in type or value, and otherwise the text
 * passed through At with parseTagValue and numberParseOptions (only when
 * trimValues is set or the text has no surrounding whitespace). Returns undefined
 * for undefined or empty text.
 */
function ft(t,e,r,i,n,a,s){var o=this.options;if(void 0!==t&&(o.trimValues&&!i&&(t=t.trim()),t.length>0)){s||(t=this.replaceEntitiesValue(t,e,r));var
l=o.jPath?r.toString():r,c=o.tagValueProcessor(e,t,l,n,a);return null==c?t:typeof c!=typeof t||c!==t?c:o.trimValues||t.trim()===t?At(t,o.parseTagValue,o.numberParseOptions):t}}
/**
 * gt(t): namespace-prefix handling for a tag or attribute name. Active only when
 * options.removeNSPrefix is set: returns "" when the part before the first ":" is
 * "xmlns"; for a name with exactly one ":" returns the local part, keeping a
 * leading "/". In every other case t is returned unchanged.
 */
function gt(t){if(this.options.removeNSPrefix){var e=t.split(":"),r="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=r+e[1])}return t}
/* Attribute tokenizer: group 1 is the name (no whitespace or "="), group 3 the
   opening quote, group 4 the lazily matched value up to the same quote. The value
   part is optional, so bare names match too. The g flag makes exec() stateful;
   vt hands this regex to n(), which calls exec() until it returns null. */
var mt=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");
/**
 * vt(t, e, r, i): builds the attribute map from attribute text t. It runs only
 * when i is true, or when options.ignoreAttributes is not true and t is a string;
 * otherwise it returns undefined.
 *
 * First pass: every attribute that has a value gets its name resolved through
 * resolveNameSpace and its value trimmed (when trimValues is set) and
 * entity-replaced. The values are collected in d and, if e is an object with an
 * updateCurrent method, passed to it.
 * Second pass: names rejected by ignoreAttributesFn are skipped. Kept names are
 * prefixed with attributeNamePrefix, run through transformAttributeName (if set)
 * and It, and their values go through attributeValueProcessor and At. Attributes
 * without a value become true only when allowBooleanAttributes is set.
 *
 * Returns undefined when no attribute was kept. The map is wrapped under
 * attributesGroupName when that option is set and preserveOrder is not.
 *
 * NOTE(review): entity replacement runs in the first pass, before the
 * ignoreAttributesFn filter, so ignored attributes are expanded as well; whether
 * that counts toward the expansion limits depends on replaceEntitiesValue, which
 * is outside this view.
 * NOTE(review): d is keyed by the raw resolved name, and only the output key y
 * goes through It (defined outside this view); confirm updateCurrent tolerates
 * names such as "__proto__".
 */
function vt(t,e,r,i){void 0===i&&(i=!1);var a=this.options;if(!0===i||!0!==a.ignoreAttributes&&"string"==typeof t){for(var s=n(t,mt),o=s.length,l={},c=new Array(o),p=!1,d={},h=0;h<o;h++){var u=this.resolveNameSpace(s[h][1]),f=s[h][4];if(u.length&&void 0!==f){var g=f;a.trimValues&&(g=g.trim()),g=this.replaceEntitiesValue(g,r,this.readonlyMatcher),c[h]=g,d[u]=g,p=!0}}p&&"object"==typeof e&&e.updateCurrent&&e.updateCurrent(d);for(var m=a.jPath?e.toString():this.readonlyMatcher,v=!1,x=0;x<o;x++){var b=this.resolveNameSpace(s[x][1]);if(!this.ignoreAttributesFn(b,m)){var y=a.attributeNamePrefix+b;if(b.length)if(a.transformAttributeName&&(y=a.transformAttributeName(y)),y=It(y,a),void 0!==s[x][4]){var E=c[x],w=a.attributeValueProcessor(b,E,m);l[y]=null==w?E:typeof w!=typeof E||w!==E?w:At(E,a.parseAttributeValue,a.numberParseOptions),v=!0}else a.allowBooleanAttributes&&(l[y]=!0,v=!0)}}if(!v)return;if(a.attributesGroupName&&!a.preserveOrder){var S={};return S[a.attributesGroupName]=l,S}return l}}var xt=function(t){t=t.replace(/\r\n?/g,"\n");var e=new f("!xml"),r=e,i="";this.matcher.reset(),this.entityDecoder.reset(),this.entityExpansionCount=0,this.currentExpandedLength=0;for(var n=this.options,a=new w(n.processEntities),s=t.length,o=0;o<s;o++)if("<"===t[o]){var l=t.charCodeAt(o+1);if(47===l){var c=St(t,">",o,"Closing Tag is not closed."),p=t.substring(o+2,c).trim();if(n.removeNSPrefix){var d=p.indexOf(":");-1!==d&&(p=p.substr(d+1))}p=Ct(n.transformTagName,p,"",n).tagName,r&&(i=this.saveTextToParentTag(i,r,this.readonlyMatcher));var
h=this.matcher.getCurrentTag();if(p&&n.unpairedTagsSet.has(p))throw new Error("Unpaired tag can not be used as closing tag: </"+p+">");h&&n.unpairedTagsSet.has(h)&&(this.matcher.pop(),this.tagsNodeStack.pop()),this.matcher.pop(),this.isCurrentNodeStopNode=!1,r=this.tagsNodeStack.pop(),i="",o=c}else if(63===l){var u=_t(t,o,!1,"?>");if(!u)throw new Error("Pi Tag is not closed.");i=this.saveTextToParentTag(i,r,this.readonlyMatcher);var g=this.buildAttributesMap(u.tagExp,this.matcher,u.tagName,!0);if(g){var m=g[this.options.attributeNamePrefix+"version"];this.entityDecoder.setXmlVersion(Number(m)||1),a.setXmlVersion(Number(m)||1)}if(n.ignoreDeclaration&&"?xml"===u.tagName||n.ignorePiTags);else{var v=new f(u.tagName);v.add(n.textNodeName,""),u.tagName!==u.tagExp&&u.attrExpPresent&&!0!==n.ignoreAttributes&&(v[":@"]=g),this.addChild(r,v,this.readonlyMatcher,o)}o=u.closeIndex+1}else if(33===l&&45===t.charCodeAt(o+2)&&45===t.charCodeAt(o+3)){var x=St(t,"--\x3e",o+4,"Comment is not closed.");if(n.commentPropName){var b,y=t.substring(o+4,x-2);i=this.saveTextToParentTag(i,r,this.readonlyMatcher),r.add(n.commentPropName,[(b={},b[n.textNodeName]=y,b)])}o=x}else if(33===l&&68===t.charCodeAt(o+2)){var E=a.readDocType(t,o);this.entityDecoder.addInputEntities(E.entities),o=E.i}else if(33===l&&91===t.charCodeAt(o+2)){var S=St(t,"]]>",o,"CDATA is not closed.")-2,N=t.substring(o+9,S);i=this.saveTextToParentTag(i,r,this.readonlyMatcher);var _,T=this.parseTextData(N,r.tagname,this.readonlyMatcher,!0,!1,!0,!0);null==T&&(T=""),n.cdataPropName?r.add(n.cdataPropName,[(_={},_[n.textNodeName]=N,_)]):r.add(n.textNodeName,T),o=S+2}else{var A=_t(t,o,n.removeNSPrefix);if(!A){var C=t.substr