UNPKG

polen

Version:

A framework for delightful GraphQL developer portals

github.com/the-guild-org/polen

the-guild-org/polen

81 lines (73 loc) 2.65 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
/** * Creates an HTML script tag that injects data into a global variable * * @param globalName - The name of the global variable (e.g., '__POLEN__') * @param data - The data to inject (will be JSON stringified) * @returns HTML script tag string ready to inject into HTML * * @example * ```ts * const script = createGlobalDataScript('__MY_APP__', { user: { id: 1, name: 'John' } }) * // Returns: <script>globalThis.__MY_APP__ = {"user":{"id":1,"name":"John"}};</script> * ``` */ export const createGlobalDataScript = (globalName: string, data: unknown): string => { // Validate global name to prevent injection attacks if (!/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(globalName)) { throw new Error(`Invalid global variable name: ${globalName}`) } // JSON.stringify and then escape </script> tags to prevent XSS const jsonData = JSON.stringify(data) // Escape </script> to prevent breaking out of script tag .replace(/<\/script>/gi, '<\\/script>') return `<script>globalThis.${globalName} = ${jsonData};</script>` } /** * Creates a script tag that initializes global data and runs initialization code * * @param globalName - The name of the global variable * @param data - The data to inject * @param initCode - Optional initialization code to run after setting the global * @returns HTML script tag string * * @example * ```ts * const script = createGlobalDataScriptWithInit('__THEME__', { theme: 'dark' }, ` * document.documentElement.className = globalThis.__THEME__.theme; * `) * ``` */ export const createGlobalDataScriptWithInit = ( globalName: string, data: unknown, initCode?: string, ): string => { const dataScript = createGlobalDataScript(globalName, data) if (!initCode) { return dataScript } // Remove the closing </script> tag from data script and append init code const scriptContent = dataScript.replace('</script>', `\n${initCode}\n</script>`) return scriptContent } /** * Injects a global data script into the head of an HTML document * * @param html - The HTML document string * @param globalName - The name of the global variable * @param data - The data to inject * @param initCode - Optional initialization code * @returns Modified HTML with script injected */ export const injectGlobalDataIntoHTML = ( html: string, globalName: string, data: unknown, initCode?: string, ): string => { const script = initCode ? createGlobalDataScriptWithInit(globalName, data, initCode) : createGlobalDataScript(globalName, data) // Inject at the beginning of head to ensure it runs first return html.replace('<head>', `<head>\n${script}`) }