/**
 * Validate a URL against an allowlist of safe protocols.
 *
 * Rejects `javascript:`, `vbscript:`, `file:`, non-image `data:`,
 * and any other non-allowlisted scheme. Accepts absolute URLs and —
 * when `base` is provided — relative URLs resolved against `base`.
 *
 * Scope of the check: this is a *scheme* allowlist, not an origin
 * check. A relative or protocol-relative input (`//host/path`) that
 * resolves against `base` to a different host is still accepted as
 * long as the resulting scheme is allowlisted; callers that need
 * same-origin links must compare the origin of the returned href
 * themselves.
 *
 * NOTE(review): image `data:` URLs are allowed per the description
 * above; confirm whether `data:image/svg+xml` is included — an SVG is
 * inert as an `<img>` source but can run script when navigated to or
 * embedded via `<object>`/`<iframe>`, so a data-URL allowance is only
 * safe for image sinks, not for `href` targets.
 *
 * @param input - The untrusted URL string to validate.
 * @param base - Optional base URL used to resolve a relative `input`.
 * @returns The normalized href on success, or `null` if the URL is
 *   unparseable or uses a forbidden protocol. Write the returned
 *   value, not the raw `input`, into the sink so that whatever
 *   normalization the parser applied is not bypassed.
 */
export declare function safeUrl(input: string, base?: string): string | null;

/**
 * Escape characters that would change HTML semantics when rendered
 * via `innerHTML`. Prefer `element.textContent = s` where possible;
 * this helper exists for the handful of paths that must build a
 * string (e.g. server-rendered markup, shadow DOM templates).
 *
 * Context caveat: this is HTML *text / quoted-attribute* escaping.
 * It does not make a value safe inside a `<script>` block, an event
 * handler attribute, an unquoted attribute, a `style` attribute or a
 * URL — each of those is a different context with its own encoding
 * (for link targets use `safeUrl` / `isSafeUrl`). Escape once, at the
 * point of insertion; escaping an already-escaped string corrupts the
 * output.
 *
 * NOTE(review): the exact character set is not visible from this
 * declaration — presumably at least `& < > "` and `'`; confirm `'` is
 * covered before relying on it inside single-quoted attributes.
 *
 * @param input - Untrusted text to embed in markup.
 * @returns The escaped string; safe only in the contexts listed above.
 */
export declare function escapeHtml(input: string): string;

/**
 * Assert that a string does not carry a dangerous protocol even
 * when used as a user-visible link target. Returns `true` when safe.
 *
 * Boolean companion to `safeUrl`: presumably equivalent to
 * `safeUrl(input, base) !== null` — verify against the implementation.
 * Prefer `safeUrl` when you are about to write the value into a sink,
 * since it also hands back the normalized href; this predicate is for
 * validation-only paths (form checks, filtering a list of links).
 * A `true` result means the *scheme* is allowlisted, not that the
 * target is same-origin.
 *
 * @param input - The untrusted URL string.
 * @param base - Optional base URL for resolving a relative `input`.
 * @returns `true` when the URL uses an allowlisted protocol.
 */
export declare function isSafeUrl(input: string, base?: string): boolean;

/**
 * Minimal shape of a Trusted Types policy object — just enough for
 * the HTML caption sink. We intentionally do not depend on
 * `@types/trusted-types`; the real browser objects are structurally
 * compatible with this interface.
 *
 * The return type is `string | TrustedHTML` because the same
 * interface describes both a real browser policy (which returns a
 * `TrustedHTML` stamp) and the no-op shim handed out where Trusted
 * Types is unavailable (which passes the plain string through).
 * Callers must not treat a `string` result as "already sanitized" —
 * sanitization is the job of the `sanitize` callback given to
 * `createTrustedTypesPolicy`, whether or not the browser enforces
 * Trusted Types.
 */
export interface PencereTrustedTypePolicy {
  /** Wrap sanitizer output for assignment to an `innerHTML`-style sink. */
  createHTML(input: string): string | TrustedHTML;
}

/**
 * Create (and memoize) the `pencere` Trusted Types policy.
 *
 * Callers who opt into HTML captions are expected to supply a
 * sanitizer — typically `DOMPurify.sanitize` — that returns a string.
 * Under `require-trusted-types-for 'script'`, every `innerHTML`-like
 * sink in pencere (currently only HTML captions) is routed through
 * this policy so the sanitized output carries a `TrustedHTML` stamp.
 *
 * When Trusted Types is not exposed on the current window (Firefox,
 * older Safari), returns a no-op shim that passes the string through
 * unchanged — the caller's sanitizer is still the source of truth.
 *
 * Repeated calls with compatible options reuse the same policy object
 * to avoid the "Policy pencere already exists" CSP violation.
 *
 * Security notes:
 * - Omitting `sanitize` yields a policy whose `createHTML` blesses
 *   arbitrary markup. Under an enforcing CSP that policy is a
 *   universal bypass of `require-trusted-types-for 'script'`, so the
 *   identity default is a misconfiguration, not a convenience —
 *   always pass a real sanitizer in production.
 * - NOTE(review): because the policy is memoized, the first caller's
 *   `sanitize` is presumably the one every later caller gets. What
 *   "compatible options" means, and whether a differing `sanitize`
 *   throws or is silently ignored, is not visible from this
 *   declaration — confirm before relying on per-call sanitizers.
 * - If the page sets a `trusted-types` CSP directive, the policy name
 *   must be listed there (e.g. `trusted-types pencere`) or policy
 *   creation is blocked; a custom `name` must be added to the CSP to
 *   match.
 * - The `as string` in the example is a compile-time cast only; at
 *   runtime the value is a `TrustedHTML` object where enforcement is
 *   active, which is exactly what the sink requires.
 *
 * @example
 * ```ts
 * import DOMPurify from "dompurify"
 * import { createTrustedTypesPolicy } from "pencere"
 *
 * const policy = createTrustedTypesPolicy({
 *   sanitize: (html) => DOMPurify.sanitize(html),
 * })
 * element.innerHTML = policy.createHTML(userHtml) as string
 * ```
 *
 * @param options.sanitize - User-supplied HTML sanitizer. Defaults to
 *   identity (unsafe!).
 * @param options.name - Policy name. Defaults to `"pencere"` to match
 *   the CSP cookbook.
 * @returns The memoized policy, or a pass-through shim when
 *   `window.trustedTypes` is absent.
 */
export declare function createTrustedTypesPolicy(options?: {
  /** User-supplied HTML sanitizer. Defaults to identity (unsafe!). */
  sanitize?: (html: string) => string;
  /** Policy name. Defaults to `"pencere"` to match the CSP cookbook. */
  name?: string;
}): PencereTrustedTypePolicy;

/**
 * Visible for tests — reset the memoized policy between cases.
 *
 * Presumably only the module-level memo is cleared. A real browser's
 * policy registry cannot be cleared, so calling
 * `createTrustedTypesPolicy` again with the same name after a reset
 * in an enforcing browser is expected to hit the
 * "Policy pencere already exists" CSP violation unless the page's
 * `trusted-types` directive includes `'allow-duplicates'`. Intended
 * for jsdom/node test environments (where `window.trustedTypes` is
 * absent and the shim path is taken), not for production code.
 *
 * NOTE(review): the leading underscore marks this as internal, but it
 * is still exported — treat it as an unsupported API.
 */
export declare function _resetTrustedTypesPolicy(): void;