From a65219759d879224859e213b23efbb35b81a67df Mon Sep 17 00:00:00 2001
From: natxocc
Date: Mon, 27 Apr 2026 10:32:11 +0200
Subject: [PATCH] Improved XXS
---
 dist/sigpro.esm.js | 8 +++++---
 dist/sigpro.esm.min.js | 2 +-
 dist/sigpro.js | 8 +++++---
 dist/sigpro.min.js | 2 +-
 docs/sigpro.js | 8 +++++---
 package.json | 6 +++---
 sigpro.js | 14 +++++++++-----
 7 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/dist/sigpro.esm.js b/dist/sigpro.esm.js
index 4e7f0c2..0acd119 100644
--- a/dist/sigpro.esm.js
+++ b/dist/sigpro.esm.js
@@ -244,7 +244,8 @@ var cleanupNode = (node) => {
 node.childNodes.forEach((n) => cleanupNode(n));
 };
 var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i;
-var isDangerousAttr = (key) => key === "src" || key === "href" || key.startsWith("on");
+var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]);
+var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on");
 var validateAttr = (key, val) => {
 if (val == null || val === false)
 return null;
@@ -298,8 +299,9 @@ var h = (tag, props = {}, children = []) => {
 continue;
 }
 if (isSVG && k.startsWith("xlink:")) {
- const ns = "http://www.w3.org/1999/xlink";
- v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v);
+ const cleanVal = validateAttr(k.slice(6), v);
+ let lnk = "http://www.w3.org/1999/xlink";
+ cleanVal == null ? el.removeAttributeNS(lnk, k.slice(6)) : el.setAttributeNS(lnk, k.slice(6), cleanVal);
 continue;
 }
 if (k.startsWith("on")) {
diff --git a/dist/sigpro.esm.min.js b/dist/sigpro.esm.min.js
index 4ae0d2f..39bd637 100644
--- a/dist/sigpro.esm.min.js
+++ b/dist/sigpro.esm.min.js
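Review bot: The `DANGEROUS_URI_ATTRS.has(key)` lookup added in the first hunk of `dist/sigpro.esm.js` is exact and case-sensitive, so a prop written as the DOM property name `formAction`, or as `HREF`, is not recognised as a URL attribute and its value skips the `DANGEROUS_PROTOCOL` test in `validateAttr`. The element-building loop later in the file (readable in the minified build on this page) then assigns the value as a property or through `setAttribute`, both of which accept those spellings; lower-casing first closes the gap: `var isDangerousAttr = (key) => { const k = String(key).toLowerCase(); return DANGEROUS_URI_ATTRS.has(k) || k.startsWith("on"); };`. A deny-list of attribute names and schemes remains easy to leave incomplete, so parsing the value with `new URL(value, document.baseURI)` and allowing only the expected protocols would be a sturdier check. The same lines recur in the `dist/sigpro.js` hunk and in both minified builds; these are build outputs, so the fix belongs in `sigpro.js`, which the diffstat lists.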
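Review bot: In the `xlink:` branch of the second hunk, `let lnk` is never reassigned, so it should remain a `const` as the removed `ns` was, and `k.slice(6)` is now evaluated three times where one local would read better: `const name = k.slice(6);` followed by `validateAttr(name, v)` and the two `...AttributeNS(lnk, name, ...)` calls. Separately, `v` is handed to `validateAttr` as-is and the branch ends in `continue`, so if a function-valued prop can reach it the check would run on the function's source text rather than its result; a one-line comment stating that `xlink:` props are static-only would make that explicit. The enclosing `h` function starts and ends outside the hunk, and the same change appears in the second `dist/sigpro.js` hunk.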
@@ -1 +1 @@ -var y=(e)=>typeof e==="function",P=(e)=>e&&typeof e==="object",b=Array.isArray,g=typeof document<"u"?document:null,L=(e)=>e?._isRuntime?e.container:e instanceof Node?e:g.createTextNode(e==null?"":String(e)),p=null,_=null,x=!1,A=0,C=new Set,k=new WeakMap,$=Symbol("iter"),B=new WeakMap,E=(e)=>{if(!e||e._disposed)return;e._disposed=!0;let o=[e];while(o.length){let n=o.pop();if(n._cleanups)n._cleanups.forEach((i)=>i()),n._cleanups.clear();if(n._children)n._children.forEach((i)=>o.push(i)),n._children.clear();if(n._deps)n._deps.forEach((i)=>i.delete(n)),n._deps.clear()}},N=(e)=>{if(_)(_._cleanups||=new Set).add(e)},F=(e)=>{let o=p;p=null;try{return e()}finally{p=o}},T=(e,o=!1)=>{let n=()=>{if(n._disposed)return;if(n._deps)n._deps.forEach((c)=>c.delete(n));if(n._cleanups)n._cleanups.forEach((c)=>c()),n._cleanups.clear();let i=p,s=_;p=_=n;try{return n._result=e()}catch(c){console.error("[SigPro]",c)}finally{p=i,_=s}};if(n._deps=n._cleanups=n._children=null,n._disposed=!1,n._isComputed=o,n._depth=p?p._depth+1:0,n._mounts=[],n._parent=_,_)(_._children||=new Set).add(n);return n},q=()=>{if(x)return;x=!0;let e=Array.from(C).sort((o,n)=>o._depth-n._depth);C.clear();for(let o of e)if(!o._disposed)o();x=!1},V=(e)=>{A++;try{return e()}finally{if(A--,A===0&&C.size>0&&!x)q()}},w=(e,o=!1)=>{if(!o&&p&&!p._disposed)e.add(p),(p._deps||=new Set).add(e);else if(o&&e.size>0){let n=!1;for(let i of e){if(i===p||i._disposed)continue;if(i._isComputed){if(i._dirty=!0,i._subs)w(i._subs,!0)}else C.add(i),n=!0}if(n&&!x&&A===0)queueMicrotask(q)}},S=(e,o=null)=>{let n=new Set;if(y(e)){let i,s=()=>{if(s._dirty){let c=p;p=s;try{let t=e();if(!Object.is(i,t))i=t,w(n,!0)}finally{p=c}s._dirty=!1}return w(n),i};if(s._isComputed=!0,s._subs=n,s._dirty=!0,s._deps=null,s._disposed=!1,s.stop=()=>{},_)N(s.stop);return s}if(o)try{e=JSON.parse(localStorage.getItem(o))??e}catch(i){}return(...i)=>{if(i.length){let 
s=y(i[0])?i[0](e):i[0];if(!Object.is(e,s)){if(e=s,o)localStorage.setItem(o,JSON.stringify(e));w(n,!0)}}return w(n),e}},I=(e)=>{if(!P(e))return e;let o=k.get(e);if(o)return o;let n=new Map,i=(c)=>{let t=n.get(c);if(!t)n.set(c,t=new Set);return t},s=new Proxy(e,{get(c,t,r){if(typeof t!=="symbol")w(i(t));return I(Reflect.get(c,t,r))},set(c,t,r,l){let u=Reflect.has(c,t),a=Reflect.get(c,t,l),f=Reflect.set(c,t,r,l);if(f&&!Object.is(a,r)){if(w(i(t),!0),!u)w(i($),!0)}return f},deleteProperty(c,t){let r=Reflect.deleteProperty(c,t);if(r)w(i(t),!0),w(i($),!0);return r},ownKeys(c){return w(i($)),Reflect.ownKeys(c)}});return k.set(e,s),s},R=(e,o)=>{if(o===void 0){let i=T(e);return i(),()=>E(i)}let n=T(()=>{let i=Array.isArray(e)?e.map((s)=>s()):e();F(()=>o(i))});return n(),()=>E(n)},D=(e)=>{if(!e)return;if(e._cleanups)e._cleanups.forEach((o)=>o()),e._cleanups.clear();if(e._ownerEffect)E(e._ownerEffect);if(e.childNodes)e.childNodes.forEach((o)=>D(o))},W=/^\s*(javascript|data|vbscript):/i,J=(e)=>e==="src"||e==="href"||e.startsWith("on"),M=(e,o)=>{if(o==null||o===!1)return null;if(J(e)){let n=String(o);if(W.test(n))return console.warn(`[SigPro] Bloqueado protocolo peligroso en ${e}`),"#"}return o},O=(e,o={},n=[])=>{if(o instanceof Node||b(o)||!P(o))n=o,o={};if(y(e)){let t=T(()=>{let a=e(o,{children:n,emit:(f,...h)=>o[`on${f[0].toUpperCase()}${f.slice(1)}`]?.(...h)});return t._result=a,a});t();let r=t._result;if(r==null)return null;let l=r instanceof Node||b(r)&&r.every((a)=>a instanceof Node)?r:g.createTextNode(String(r)),u=(a)=>{if(P(a)&&!a._isRuntime)a._mounts=t._mounts||[],a._cleanups=t._cleanups||new Set,a._ownerEffect=t};return b(l)?l.forEach(u):u(l),l}let i=/^(svg|path|circle|rect|line|poly(line|gon)|g|defs|text(path)?|tspan|use|symbol|image|marker|ellipse)$/i.test(e),s=i?g.createElementNS("http://www.w3.org/2000/svg",e):g.createElement(e);s._cleanups=new Set;for(let t in o){if(!o.hasOwnProperty(t))continue;let 
r=o[t];if(t==="ref"){y(r)?r(s):r.current=s;continue}if(i&&t.startsWith("xlink:")){r==null?s.removeAttributeNS("http://www.w3.org/1999/xlink",t.slice(6)):s.setAttributeNS("http://www.w3.org/1999/xlink",t.slice(6),r);continue}if(t.startsWith("on")){let l=t.slice(2).toLowerCase();s.addEventListener(l,r);let u=()=>s.removeEventListener(l,r);s._cleanups.add(u),N(u)}else if(y(r)){let l=T(()=>{let u=M(t,r());if(t==="class")s.className=u||"";else if(u==null)s.removeAttribute(t);else if(t in s&&!i)s[t]=u;else s.setAttribute(t,u===!0?"":u)});if(l(),s._cleanups.add(()=>E(l)),N(()=>E(l)),/^(INPUT|TEXTAREA|SELECT)$/.test(s.tagName)&&(t==="value"||t==="checked")){let u=t==="checked"?"change":"input";s.addEventListener(u,(a)=>r(a.target[t]))}}else{let l=M(t,r);if(l!=null)if(t in s&&!i)s[t]=l;else s.setAttribute(t,l===!0?"":l)}}let c=(t)=>{if(b(t))return t.forEach(c);if(y(t)){let r=g.createTextNode("");s.appendChild(r);let l=[],u=T(()=>{let a=t(),f=(b(a)?a:[a]).map(L);l.forEach((d)=>{if(d._isRuntime)d.destroy();else D(d);if(d.parentNode)d.remove()});let h=r;for(let d=f.length-1;d>=0;d--){let m=f[d];if(m.parentNode!==h.parentNode)h.parentNode?.insertBefore(m,h);if(m._mounts)m._mounts.forEach((U)=>U());h=m}l=f});u(),s._cleanups.add(()=>E(u)),N(()=>E(u))}else{let r=L(t);if(s.appendChild(r),r._mounts)r._mounts.forEach((l)=>l())}};return c(n),s},j=(e)=>{let o=new Set,n=_,i=p,s=g.createElement("div");s.style.display="contents",s.setAttribute("role","presentation"),_={_cleanups:o},p=null;let c=(t)=>{if(!t)return;if(t._isRuntime)o.add(t.destroy),s.appendChild(t.container);else if(b(t))t.forEach(c);else s.appendChild(t instanceof Node?t:g.createTextNode(String(t==null?"":t)))};try{c(e({onCleanup:(t)=>o.add(t)}))}finally{_=n,p=i}return{_isRuntime:!0,container:s,destroy:()=>{o.forEach((t)=>t()),D(s),s.remove()}}},z=(e,o,n=null)=>{let i=g.createTextNode(""),s=O("div",{style:"display:contents"},[i]),c=null;return R(()=>!!(y(e)?e():e),(t)=>{if(c)c.destroy(),c=null;let 
r=t?o:n;if(r)c=j(()=>y(r)?r():r),s.insertBefore(c.container,i)}),N(()=>c?.destroy()),s},G=({name:e,duration:o=200,scale:n,slide:i,rotate:s,blur:c},t)=>{let r=typeof t==="function"?t():t;if(!(r instanceof Node))return r;if(e)return r.style.animation=`${e}-in ${o}ms`,r;let l=n||i||s||c,u=[n?"scale(0.95)":"",i?"translateY(-10px)":"",s?"rotate(-2deg)":""].filter(Boolean).join(" ");if(r.style.transition=`all ${o}ms ease`,r.style.opacity="0",l)r.style.transform=u;if(c)r.style.filter="blur(4px)";return requestAnimationFrame(()=>{if(r.style.opacity="1",l)r.style.transform="none";if(c)r.style.filter="none"}),r},K=(e,o,n)=>{let i=g.createTextNode(""),s=O("div",{style:"display:contents"},[i]),c=new Map;return R(()=>(y(e)?e():e)||[],(t)=>{let r=new Map,l=[],u=t||[];for(let f=0;fo(h,f));else c.delete(d);r.set(d,m),l.push(m)}c.forEach((f)=>f.destroy());let a=i;for(let f=l.length-1;f>=0;f--){let d=l[f].container;if(d.nextSibling!==a)s.insertBefore(d,a);a=d}c=r}),s},v=(e)=>{let o=()=>window.location.hash.slice(1)||"/",n=S(o()),i=()=>n(o());window.addEventListener("hashchange",i),N(()=>window.removeEventListener("hashchange",i));let s=O("div",{class:"router-hook"}),c=null;return R([n],()=>{let t=n(),r=e.find((l)=>{let u=l.path.split("/").filter(Boolean),a=t.split("/").filter(Boolean);return u.length===a.length&&u.every((f,h)=>f[0]===":"||f===a[h])})||e.find((l)=>l.path==="*");if(r){c?.destroy();let l={};r.path.split("/").filter(Boolean).forEach((u,a)=>{if(u[0]===":")l[u.slice(1)]=t.split("/").filter(Boolean)[a]}),v.params(l),c=j(()=>y(r.component)?r.component(l):r.component),s.replaceChildren(c.container)}}),s};v.params=S({});v.to=(e)=>window.location.hash=e.replace(/^#?\/?/,"#/");v.back=()=>window.history.back();v.path=()=>window.location.hash.replace(/^#/,"")||"/";var Q=({url:e,method:o="GET",headers:n={}})=>{let i=S(!1),s=S(null),c=S(null),t=null,r=null;return{run:async(a=null)=>{t?.abort(),clearTimeout(r),t=new 
AbortController,r=setTimeout(()=>t.abort(),1e4),i(!0),s(null);try{let f=a instanceof FormData,h=await fetch(e,{method:o,headers:f?n:{"Content-Type":"application/json",...n},body:f?a:a?JSON.stringify(a):void 0,signal:t.signal}),d=await h.text(),m=d?JSON.parse(d):null;if(!h.ok)throw Error(m?.message||h.statusText);return c(m),m}catch(f){if(f.name!=="AbortError")s(f.message);throw f}finally{i(!1),clearTimeout(r),t=null,r=null}},abort:()=>t?.abort(),loading:i,error:s,data:c}},X=(e,o)=>{let n=typeof o==="string"?g.querySelector(o):o;if(!n)return;if(B.has(n))B.get(n).destroy();let i=j(y(e)?e:()=>e);return n.replaceChildren(i.container),B.set(n,i),i},H=Object.freeze({$:S,$$:I,watch:R,h:O,when:z,each:K,fx:G,router:v,req:Q,mount:X,batch:V}),Y=()=>{if(typeof window<"u")Object.assign(window,H),"a abbr article aside audio b blockquote br button canvas caption cite code col colgroup datalist dd del details dfn dialog div dl dt em embed fieldset figcaption figure footer form h1 h2 h3 h4 h5 h6 header hr i iframe img input ins kbd label legend li main mark meter nav object ol optgroup option output p picture pre progress section select slot small source span strong sub summary sup svg table tbody td template textarea tfoot th thead time tr u ul video".split(" ").forEach((e)=>{window[e]=(o,n)=>O(e,o,n)}),console.log("SigPro DX installed.")};if(typeof import.meta>"u"&&typeof window<"u")Y();export{z as when,R as watch,Y as sigpro,v as router,Q as req,X as mount,O as h,G as fx,K as each,V as batch,I as $$,S as $}; +var y=(e)=>typeof e==="function",D=(e)=>e&&typeof e==="object",b=Array.isArray,g=typeof document<"u"?document:null,L=(e)=>e?._isRuntime?e.container:e instanceof Node?e:g.createTextNode(e==null?"":String(e)),p=null,_=null,x=!1,O=0,R=new Set,U=new WeakMap,$=Symbol("iter"),k=new WeakMap,E=(e)=>{if(!e||e._disposed)return;e._disposed=!0;let o=[e];while(o.length){let 
n=o.pop();if(n._cleanups)n._cleanups.forEach((r)=>r()),n._cleanups.clear();if(n._children)n._children.forEach((r)=>o.push(r)),n._children.clear();if(n._deps)n._deps.forEach((r)=>r.delete(n)),n._deps.clear()}},S=(e)=>{if(_)(_._cleanups||=new Set).add(e)},V=(e)=>{let o=p;p=null;try{return e()}finally{p=o}},T=(e,o=!1)=>{let n=()=>{if(n._disposed)return;if(n._deps)n._deps.forEach((c)=>c.delete(n));if(n._cleanups)n._cleanups.forEach((c)=>c()),n._cleanups.clear();let r=p,s=_;p=_=n;try{return n._result=e()}catch(c){console.error("[SigPro]",c)}finally{p=r,_=s}};if(n._deps=n._cleanups=n._children=null,n._disposed=!1,n._isComputed=o,n._depth=p?p._depth+1:0,n._mounts=[],n._parent=_,_)(_._children||=new Set).add(n);return n},I=()=>{if(x)return;x=!0;let e=Array.from(R).sort((o,n)=>o._depth-n._depth);R.clear();for(let o of e)if(!o._disposed)o();x=!1},F=(e)=>{O++;try{return e()}finally{if(O--,O===0&&R.size>0&&!x)I()}},w=(e,o=!1)=>{if(!o&&p&&!p._disposed)e.add(p),(p._deps||=new Set).add(e);else if(o&&e.size>0){let n=!1;for(let r of e){if(r===p||r._disposed)continue;if(r._isComputed){if(r._dirty=!0,r._subs)w(r._subs,!0)}else R.add(r),n=!0}if(n&&!x&&O===0)queueMicrotask(I)}},N=(e,o=null)=>{let n=new Set;if(y(e)){let r,s=()=>{if(s._dirty){let c=p;p=s;try{let t=e();if(!Object.is(r,t))r=t,w(n,!0)}finally{p=c}s._dirty=!1}return w(n),r};if(s._isComputed=!0,s._subs=n,s._dirty=!0,s._deps=null,s._disposed=!1,s.stop=()=>{},_)S(s.stop);return s}if(o)try{e=JSON.parse(localStorage.getItem(o))??e}catch(r){}return(...r)=>{if(r.length){let s=y(r[0])?r[0](e):r[0];if(!Object.is(e,s)){if(e=s,o)localStorage.setItem(o,JSON.stringify(e));w(n,!0)}}return w(n),e}},M=(e)=>{if(!D(e))return e;let o=U.get(e);if(o)return o;let n=new Map,r=(c)=>{let t=n.get(c);if(!t)n.set(c,t=new Set);return t},s=new Proxy(e,{get(c,t,i){if(typeof t!=="symbol")w(r(t));return M(Reflect.get(c,t,i))},set(c,t,i,l){let 
a=Reflect.has(c,t),f=Reflect.get(c,t,l),u=Reflect.set(c,t,i,l);if(u&&!Object.is(f,i)){if(w(r(t),!0),!a)w(r($),!0)}return u},deleteProperty(c,t){let i=Reflect.deleteProperty(c,t);if(i)w(r(t),!0),w(r($),!0);return i},ownKeys(c){return w(r($)),Reflect.ownKeys(c)}});return U.set(e,s),s},C=(e,o)=>{if(o===void 0){let r=T(e);return r(),()=>E(r)}let n=T(()=>{let r=Array.isArray(e)?e.map((s)=>s()):e();V(()=>o(r))});return n(),()=>E(n)},P=(e)=>{if(!e)return;if(e._cleanups)e._cleanups.forEach((o)=>o()),e._cleanups.clear();if(e._ownerEffect)E(e._ownerEffect);if(e.childNodes)e.childNodes.forEach((o)=>P(o))},W=/^\s*(javascript|data|vbscript):/i,G=new Set(["src","href","formaction","action","background","code","archive"]),J=(e)=>G.has(e)||e.startsWith("on"),B=(e,o)=>{if(o==null||o===!1)return null;if(J(e)){let n=String(o);if(W.test(n))return console.warn(`[SigPro] Bloqueado protocolo peligroso en ${e}`),"#"}return o},A=(e,o={},n=[])=>{if(o instanceof Node||b(o)||!D(o))n=o,o={};if(y(e)){let t=T(()=>{let f=e(o,{children:n,emit:(u,...h)=>o[`on${u[0].toUpperCase()}${u.slice(1)}`]?.(...h)});return t._result=f,f});t();let i=t._result;if(i==null)return null;let l=i instanceof Node||b(i)&&i.every((f)=>f instanceof Node)?i:g.createTextNode(String(i)),a=(f)=>{if(D(f)&&!f._isRuntime)f._mounts=t._mounts||[],f._cleanups=t._cleanups||new Set,f._ownerEffect=t};return b(l)?l.forEach(a):a(l),l}let r=/^(svg|path|circle|rect|line|poly(line|gon)|g|defs|text(path)?|tspan|use|symbol|image|marker|ellipse)$/i.test(e),s=r?g.createElementNS("http://www.w3.org/2000/svg",e):g.createElement(e);s._cleanups=new Set;for(let t in o){if(!o.hasOwnProperty(t))continue;let i=o[t];if(t==="ref"){y(i)?i(s):i.current=s;continue}if(r&&t.startsWith("xlink:")){let l=B(t.slice(6),i),a="http://www.w3.org/1999/xlink";l==null?s.removeAttributeNS(a,t.slice(6)):s.setAttributeNS(a,t.slice(6),l);continue}if(t.startsWith("on")){let l=t.slice(2).toLowerCase();s.addEventListener(l,i);let 
a=()=>s.removeEventListener(l,i);s._cleanups.add(a),S(a)}else if(y(i)){let l=T(()=>{let a=B(t,i());if(t==="class")s.className=a||"";else if(a==null)s.removeAttribute(t);else if(t in s&&!r)s[t]=a;else s.setAttribute(t,a===!0?"":a)});if(l(),s._cleanups.add(()=>E(l)),S(()=>E(l)),/^(INPUT|TEXTAREA|SELECT)$/.test(s.tagName)&&(t==="value"||t==="checked")){let a=t==="checked"?"change":"input";s.addEventListener(a,(f)=>i(f.target[t]))}}else{let l=B(t,i);if(l!=null)if(t in s&&!r)s[t]=l;else s.setAttribute(t,l===!0?"":l)}}let c=(t)=>{if(b(t))return t.forEach(c);if(y(t)){let i=g.createTextNode("");s.appendChild(i);let l=[],a=T(()=>{let f=t(),u=(b(f)?f:[f]).map(L);l.forEach((d)=>{if(d._isRuntime)d.destroy();else P(d);if(d.parentNode)d.remove()});let h=i;for(let d=u.length-1;d>=0;d--){let m=u[d];if(m.parentNode!==h.parentNode)h.parentNode?.insertBefore(m,h);if(m._mounts)m._mounts.forEach((q)=>q());h=m}l=u});a(),s._cleanups.add(()=>E(a)),S(()=>E(a))}else{let i=L(t);if(s.appendChild(i),i._mounts)i._mounts.forEach((l)=>l())}};return c(n),s},j=(e)=>{let o=new Set,n=_,r=p,s=g.createElement("div");s.style.display="contents",s.setAttribute("role","presentation"),_={_cleanups:o},p=null;let c=(t)=>{if(!t)return;if(t._isRuntime)o.add(t.destroy),s.appendChild(t.container);else if(b(t))t.forEach(c);else s.appendChild(t instanceof Node?t:g.createTextNode(String(t==null?"":t)))};try{c(e({onCleanup:(t)=>o.add(t)}))}finally{_=n,p=r}return{_isRuntime:!0,container:s,destroy:()=>{o.forEach((t)=>t()),P(s),s.remove()}}},z=(e,o,n=null)=>{let r=g.createTextNode(""),s=A("div",{style:"display:contents"},[r]),c=null;return C(()=>!!(y(e)?e():e),(t)=>{if(c)c.destroy(),c=null;let i=t?o:n;if(i)c=j(()=>y(i)?i():i),s.insertBefore(c.container,r)}),S(()=>c?.destroy()),s},K=({name:e,duration:o=200,scale:n,slide:r,rotate:s,blur:c},t)=>{let i=typeof t==="function"?t():t;if(!(i instanceof Node))return i;if(e)return i.style.animation=`${e}-in ${o}ms`,i;let 
l=n||r||s||c,a=[n?"scale(0.95)":"",r?"translateY(-10px)":"",s?"rotate(-2deg)":""].filter(Boolean).join(" ");if(i.style.transition=`all ${o}ms ease`,i.style.opacity="0",l)i.style.transform=a;if(c)i.style.filter="blur(4px)";return requestAnimationFrame(()=>{if(i.style.opacity="1",l)i.style.transform="none";if(c)i.style.filter="none"}),i},Q=(e,o,n)=>{let r=g.createTextNode(""),s=A("div",{style:"display:contents"},[r]),c=new Map;return C(()=>(y(e)?e():e)||[],(t)=>{let i=new Map,l=[],a=t||[];for(let u=0;uo(h,u));else c.delete(d);i.set(d,m),l.push(m)}c.forEach((u)=>u.destroy());let f=r;for(let u=l.length-1;u>=0;u--){let d=l[u].container;if(d.nextSibling!==f)s.insertBefore(d,f);f=d}c=i}),s},v=(e)=>{let o=()=>window.location.hash.slice(1)||"/",n=N(o()),r=()=>n(o());window.addEventListener("hashchange",r),S(()=>window.removeEventListener("hashchange",r));let s=A("div",{class:"router-hook"}),c=null;return C([n],()=>{let t=n(),i=e.find((l)=>{let a=l.path.split("/").filter(Boolean),f=t.split("/").filter(Boolean);return a.length===f.length&&a.every((u,h)=>u[0]===":"||u===f[h])})||e.find((l)=>l.path==="*");if(i){c?.destroy();let l={};i.path.split("/").filter(Boolean).forEach((a,f)=>{if(a[0]===":")l[a.slice(1)]=t.split("/").filter(Boolean)[f]}),v.params(l),c=j(()=>y(i.component)?i.component(l):i.component),s.replaceChildren(c.container)}}),s};v.params=N({});v.to=(e)=>window.location.hash=e.replace(/^#?\/?/,"#/");v.back=()=>window.history.back();v.path=()=>window.location.hash.replace(/^#/,"")||"/";var X=({url:e,method:o="GET",headers:n={}})=>{let r=N(!1),s=N(null),c=N(null),t=null,i=null;return{run:async(f=null)=>{t?.abort(),clearTimeout(i),t=new AbortController,i=setTimeout(()=>t.abort(),1e4),r(!0),s(null);try{let u=f instanceof FormData,h=await fetch(e,{method:o,headers:u?n:{"Content-Type":"application/json",...n},body:u?f:f?JSON.stringify(f):void 0,signal:t.signal}),d=await h.text(),m=d?JSON.parse(d):null;if(!h.ok)throw Error(m?.message||h.statusText);return 
c(m),m}catch(u){if(u.name!=="AbortError")s(u.message);throw u}finally{r(!1),clearTimeout(i),t=null,i=null}},abort:()=>t?.abort(),loading:r,error:s,data:c}},H=(e,o)=>{let n=typeof o==="string"?g.querySelector(o):o;if(!n)return;if(k.has(n))k.get(n).destroy();let r=j(y(e)?e:()=>e);return n.replaceChildren(r.container),k.set(n,r),r},Y=Object.freeze({$:N,$$:M,watch:C,h:A,when:z,each:Q,fx:K,router:v,req:X,mount:H,batch:F}),Z=()=>{if(typeof window<"u")Object.assign(window,Y),"a abbr article aside audio b blockquote br button canvas caption cite code col colgroup datalist dd del details dfn dialog div dl dt em embed fieldset figcaption figure footer form h1 h2 h3 h4 h5 h6 header hr i iframe img input ins kbd label legend li main mark meter nav object ol optgroup option output p picture pre progress section select slot small source span strong sub summary sup svg table tbody td template textarea tfoot th thead time tr u ul video".split(" ").forEach((e)=>{window[e]=(o,n)=>A(e,o,n)}),console.log("SigPro DX installed.")};if(typeof import.meta>"u"&&typeof window<"u")Z();export{z as when,C as watch,Z as sigpro,v as router,X as req,H as mount,A as h,K as fx,Q as each,F as batch,M as $$,N as $}; diff --git a/dist/sigpro.js b/dist/sigpro.js index 34f8d78..6d02f8e 100644 --- a/dist/sigpro.js +++ b/dist/sigpro.js @@ -300,7 +300,8 @@ node.childNodes.forEach((n) => cleanupNode(n)); }; var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i; - var isDangerousAttr = (key) => key === "src" || key === "href" || key.startsWith("on"); + var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]); + var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on"); var validateAttr = (key, val) => { if (val == null || val === false) return null; 
@@ -354,8 +355,9 @@
 continue;
 }
 if (isSVG && k.startsWith("xlink:")) {
- const ns = "http://www.w3.org/1999/xlink";
- v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v);
+ const cleanVal = validateAttr(k.slice(6), v);
+ let lnk = "http://www.w3.org/1999/xlink";
+ cleanVal == null ? el.removeAttributeNS(lnk, k.slice(6)) : el.setAttributeNS(lnk, k.slice(6), cleanVal);
 continue;
 }
 if (k.startsWith("on")) {
diff --git a/dist/sigpro.min.js b/dist/sigpro.min.js
index 3508e59..134032b 100644
--- a/dist/sigpro.min.js
+++ b/dist/sigpro.min.js
@@ -1 +1 @@ -(()=>{var{defineProperty:$,getOwnPropertyNames:H,getOwnPropertyDescriptor:Y}=Object,Z=Object.prototype.hasOwnProperty;function ee(e){return this[e]}var te=(e)=>{var o=(M??=new WeakMap).get(e),n;if(o)return o;if(o=$({},"__esModule",{value:!0}),e&&typeof e==="object"||typeof e==="function"){for(var s of H(e))if(!Z.call(o,s))$(o,s,{get:ee.bind(e,s),enumerable:!(n=Y(e,s))||n.enumerable})}return M.set(e,o),o},M;var ne=(e)=>e;function oe(e,o){this[e]=ne.bind(null,o)}var se=(e,o)=>{for(var n in o)$(e,n,{get:o[n],enumerable:!0,configurable:!0,set:oe.bind(o,n)})};var ae={};se(ae,{when:()=>W,watch:()=>A,sigpro:()=>Q,router:()=>N,req:()=>G,mount:()=>K,h:()=>x,fx:()=>J,each:()=>z,batch:()=>V,$$:()=>L,$:()=>b});var y=(e)=>typeof e==="function",D=(e)=>e&&typeof e==="object",S=Array.isArray,g=typeof document<"u"?document:null,q=(e)=>e?._isRuntime?e.container:e instanceof Node?e:g.createTextNode(e==null?"":String(e)),p=null,_=null,T=!1,C=0,R=new Set,I=new WeakMap,B=Symbol("iter"),P=new WeakMap,E=(e)=>{if(!e||e._disposed)return;e._disposed=!0;let o=[e];while(o.length){let n=o.pop();if(n._cleanups)n._cleanups.forEach((s)=>s()),n._cleanups.clear();if(n._children)n._children.forEach((s)=>o.push(s)),n._children.clear();if(n._deps)n._deps.forEach((s)=>s.delete(n)),n._deps.clear()}},v=(e)=>{if(_)(_._cleanups||=new Set).add(e)},re=(e)=>{let o=p;p=null;try{return e()}finally{p=o}},O=(e,o=!1)=>{let n=()=>{if(n._disposed)return;if(n._deps)n._deps.forEach((c)=>c.delete(n));if(n._cleanups)n._cleanups.forEach((c)=>c()),n._cleanups.clear();let s=p,r=_;p=_=n;try{return n._result=e()}catch(c){console.error("[SigPro]",c)}finally{p=s,_=r}};if(n._deps=n._cleanups=n._children=null,n._disposed=!1,n._isComputed=o,n._depth=p?p._depth+1:0,n._mounts=[],n._parent=_,_)(_._children||=new Set).add(n);return n},F=()=>{if(T)return;T=!0;let e=Array.from(R).sort((o,n)=>o._depth-n._depth);R.clear();for(let o of e)if(!o._disposed)o();T=!1},V=(e)=>{C++;try{return 
e()}finally{if(C--,C===0&&R.size>0&&!T)F()}},w=(e,o=!1)=>{if(!o&&p&&!p._disposed)e.add(p),(p._deps||=new Set).add(e);else if(o&&e.size>0){let n=!1;for(let s of e){if(s===p||s._disposed)continue;if(s._isComputed){if(s._dirty=!0,s._subs)w(s._subs,!0)}else R.add(s),n=!0}if(n&&!T&&C===0)queueMicrotask(F)}},b=(e,o=null)=>{let n=new Set;if(y(e)){let s,r=()=>{if(r._dirty){let c=p;p=r;try{let t=e();if(!Object.is(s,t))s=t,w(n,!0)}finally{p=c}r._dirty=!1}return w(n),s};if(r._isComputed=!0,r._subs=n,r._dirty=!0,r._deps=null,r._disposed=!1,r.stop=()=>{},_)v(r.stop);return r}if(o)try{e=JSON.parse(localStorage.getItem(o))??e}catch(s){}return(...s)=>{if(s.length){let r=y(s[0])?s[0](e):s[0];if(!Object.is(e,r)){if(e=r,o)localStorage.setItem(o,JSON.stringify(e));w(n,!0)}}return w(n),e}},L=(e)=>{if(!D(e))return e;let o=I.get(e);if(o)return o;let n=new Map,s=(c)=>{let t=n.get(c);if(!t)n.set(c,t=new Set);return t},r=new Proxy(e,{get(c,t,i){if(typeof t!=="symbol")w(s(t));return L(Reflect.get(c,t,i))},set(c,t,i,l){let u=Reflect.has(c,t),a=Reflect.get(c,t,l),f=Reflect.set(c,t,i,l);if(f&&!Object.is(a,i)){if(w(s(t),!0),!u)w(s(B),!0)}return f},deleteProperty(c,t){let i=Reflect.deleteProperty(c,t);if(i)w(s(t),!0),w(s(B),!0);return i},ownKeys(c){return w(s(B)),Reflect.ownKeys(c)}});return I.set(e,r),r},A=(e,o)=>{if(o===void 0){let s=O(e);return s(),()=>E(s)}let n=O(()=>{let s=Array.isArray(e)?e.map((r)=>r()):e();re(()=>o(s))});return n(),()=>E(n)},k=(e)=>{if(!e)return;if(e._cleanups)e._cleanups.forEach((o)=>o()),e._cleanups.clear();if(e._ownerEffect)E(e._ownerEffect);if(e.childNodes)e.childNodes.forEach((o)=>k(o))},ie=/^\s*(javascript|data|vbscript):/i,ce=(e)=>e==="src"||e==="href"||e.startsWith("on"),U=(e,o)=>{if(o==null||o===!1)return null;if(ce(e)){let n=String(o);if(ie.test(n))return console.warn(`[SigPro] Bloqueado protocolo peligroso en ${e}`),"#"}return o},x=(e,o={},n=[])=>{if(o instanceof Node||S(o)||!D(o))n=o,o={};if(y(e)){let t=O(()=>{let 
a=e(o,{children:n,emit:(f,...h)=>o[`on${f[0].toUpperCase()}${f.slice(1)}`]?.(...h)});return t._result=a,a});t();let i=t._result;if(i==null)return null;let l=i instanceof Node||S(i)&&i.every((a)=>a instanceof Node)?i:g.createTextNode(String(i)),u=(a)=>{if(D(a)&&!a._isRuntime)a._mounts=t._mounts||[],a._cleanups=t._cleanups||new Set,a._ownerEffect=t};return S(l)?l.forEach(u):u(l),l}let s=/^(svg|path|circle|rect|line|poly(line|gon)|g|defs|text(path)?|tspan|use|symbol|image|marker|ellipse)$/i.test(e),r=s?g.createElementNS("http://www.w3.org/2000/svg",e):g.createElement(e);r._cleanups=new Set;for(let t in o){if(!o.hasOwnProperty(t))continue;let i=o[t];if(t==="ref"){y(i)?i(r):i.current=r;continue}if(s&&t.startsWith("xlink:")){i==null?r.removeAttributeNS("http://www.w3.org/1999/xlink",t.slice(6)):r.setAttributeNS("http://www.w3.org/1999/xlink",t.slice(6),i);continue}if(t.startsWith("on")){let l=t.slice(2).toLowerCase();r.addEventListener(l,i);let u=()=>r.removeEventListener(l,i);r._cleanups.add(u),v(u)}else if(y(i)){let l=O(()=>{let u=U(t,i());if(t==="class")r.className=u||"";else if(u==null)r.removeAttribute(t);else if(t in r&&!s)r[t]=u;else r.setAttribute(t,u===!0?"":u)});if(l(),r._cleanups.add(()=>E(l)),v(()=>E(l)),/^(INPUT|TEXTAREA|SELECT)$/.test(r.tagName)&&(t==="value"||t==="checked")){let u=t==="checked"?"change":"input";r.addEventListener(u,(a)=>i(a.target[t]))}}else{let l=U(t,i);if(l!=null)if(t in r&&!s)r[t]=l;else r.setAttribute(t,l===!0?"":l)}}let c=(t)=>{if(S(t))return t.forEach(c);if(y(t)){let i=g.createTextNode("");r.appendChild(i);let l=[],u=O(()=>{let a=t(),f=(S(a)?a:[a]).map(q);l.forEach((d)=>{if(d._isRuntime)d.destroy();else k(d);if(d.parentNode)d.remove()});let h=i;for(let d=f.length-1;d>=0;d--){let m=f[d];if(m.parentNode!==h.parentNode)h.parentNode?.insertBefore(m,h);if(m._mounts)m._mounts.forEach((X)=>X());h=m}l=f});u(),r._cleanups.add(()=>E(u)),v(()=>E(u))}else{let i=q(t);if(r.appendChild(i),i._mounts)i._mounts.forEach((l)=>l())}};return 
c(n),r},j=(e)=>{let o=new Set,n=_,s=p,r=g.createElement("div");r.style.display="contents",r.setAttribute("role","presentation"),_={_cleanups:o},p=null;let c=(t)=>{if(!t)return;if(t._isRuntime)o.add(t.destroy),r.appendChild(t.container);else if(S(t))t.forEach(c);else r.appendChild(t instanceof Node?t:g.createTextNode(String(t==null?"":t)))};try{c(e({onCleanup:(t)=>o.add(t)}))}finally{_=n,p=s}return{_isRuntime:!0,container:r,destroy:()=>{o.forEach((t)=>t()),k(r),r.remove()}}},W=(e,o,n=null)=>{let s=g.createTextNode(""),r=x("div",{style:"display:contents"},[s]),c=null;return A(()=>!!(y(e)?e():e),(t)=>{if(c)c.destroy(),c=null;let i=t?o:n;if(i)c=j(()=>y(i)?i():i),r.insertBefore(c.container,s)}),v(()=>c?.destroy()),r},J=({name:e,duration:o=200,scale:n,slide:s,rotate:r,blur:c},t)=>{let i=typeof t==="function"?t():t;if(!(i instanceof Node))return i;if(e)return i.style.animation=`${e}-in ${o}ms`,i;let l=n||s||r||c,u=[n?"scale(0.95)":"",s?"translateY(-10px)":"",r?"rotate(-2deg)":""].filter(Boolean).join(" ");if(i.style.transition=`all ${o}ms ease`,i.style.opacity="0",l)i.style.transform=u;if(c)i.style.filter="blur(4px)";return requestAnimationFrame(()=>{if(i.style.opacity="1",l)i.style.transform="none";if(c)i.style.filter="none"}),i},z=(e,o,n)=>{let s=g.createTextNode(""),r=x("div",{style:"display:contents"},[s]),c=new Map;return A(()=>(y(e)?e():e)||[],(t)=>{let i=new Map,l=[],u=t||[];for(let f=0;fo(h,f));else c.delete(d);i.set(d,m),l.push(m)}c.forEach((f)=>f.destroy());let a=s;for(let f=l.length-1;f>=0;f--){let d=l[f].container;if(d.nextSibling!==a)r.insertBefore(d,a);a=d}c=i}),r},N=(e)=>{let o=()=>window.location.hash.slice(1)||"/",n=b(o()),s=()=>n(o());window.addEventListener("hashchange",s),v(()=>window.removeEventListener("hashchange",s));let r=x("div",{class:"router-hook"}),c=null;return A([n],()=>{let t=n(),i=e.find((l)=>{let u=l.path.split("/").filter(Boolean),a=t.split("/").filter(Boolean);return 
u.length===a.length&&u.every((f,h)=>f[0]===":"||f===a[h])})||e.find((l)=>l.path==="*");if(i){c?.destroy();let l={};i.path.split("/").filter(Boolean).forEach((u,a)=>{if(u[0]===":")l[u.slice(1)]=t.split("/").filter(Boolean)[a]}),N.params(l),c=j(()=>y(i.component)?i.component(l):i.component),r.replaceChildren(c.container)}}),r};N.params=b({});N.to=(e)=>window.location.hash=e.replace(/^#?\/?/,"#/");N.back=()=>window.history.back();N.path=()=>window.location.hash.replace(/^#/,"")||"/";var G=({url:e,method:o="GET",headers:n={}})=>{let s=b(!1),r=b(null),c=b(null),t=null,i=null;return{run:async(a=null)=>{t?.abort(),clearTimeout(i),t=new AbortController,i=setTimeout(()=>t.abort(),1e4),s(!0),r(null);try{let f=a instanceof FormData,h=await fetch(e,{method:o,headers:f?n:{"Content-Type":"application/json",...n},body:f?a:a?JSON.stringify(a):void 0,signal:t.signal}),d=await h.text(),m=d?JSON.parse(d):null;if(!h.ok)throw Error(m?.message||h.statusText);return c(m),m}catch(f){if(f.name!=="AbortError")r(f.message);throw f}finally{s(!1),clearTimeout(i),t=null,i=null}},abort:()=>t?.abort(),loading:s,error:r,data:c}},K=(e,o)=>{let n=typeof o==="string"?g.querySelector(o):o;if(!n)return;if(P.has(n))P.get(n).destroy();let s=j(y(e)?e:()=>e);return n.replaceChildren(s.container),P.set(n,s),s},le=Object.freeze({$:b,$$:L,watch:A,h:x,when:W,each:z,fx:J,router:N,req:G,mount:K,batch:V}),Q=()=>{if(typeof window<"u")Object.assign(window,le),"a abbr article aside audio b blockquote br button canvas caption cite code col colgroup datalist dd del details dfn dialog div dl dt em embed fieldset figcaption figure footer form h1 h2 h3 h4 h5 h6 header hr i iframe img input ins kbd label legend li main mark meter nav object ol optgroup option output p picture pre progress section select slot small source span strong sub summary sup svg table tbody td template textarea tfoot th thead time tr u ul video".split(" ").forEach((e)=>{window[e]=(o,n)=>x(e,o,n)}),console.log("SigPro DX installed.")};if(typeof 
import.meta>"u"&&typeof window<"u")Q();})(); +(()=>{var{defineProperty:$,getOwnPropertyNames:H,getOwnPropertyDescriptor:Y}=Object,Z=Object.prototype.hasOwnProperty;function ee(e){return this[e]}var te=(e)=>{var o=(I??=new WeakMap).get(e),n;if(o)return o;if(o=$({},"__esModule",{value:!0}),e&&typeof e==="object"||typeof e==="function"){for(var s of H(e))if(!Z.call(o,s))$(o,s,{get:ee.bind(e,s),enumerable:!(n=Y(e,s))||n.enumerable})}return I.set(e,o),o},I;var ne=(e)=>e;function oe(e,o){this[e]=ne.bind(null,o)}var se=(e,o)=>{for(var n in o)$(e,n,{get:o[n],enumerable:!0,configurable:!0,set:oe.bind(o,n)})};var fe={};se(fe,{when:()=>W,watch:()=>O,sigpro:()=>Q,router:()=>S,req:()=>z,mount:()=>K,h:()=>x,fx:()=>G,each:()=>J,batch:()=>F,$$:()=>L,$:()=>b});var y=(e)=>typeof e==="function",P=(e)=>e&&typeof e==="object",N=Array.isArray,g=typeof document<"u"?document:null,M=(e)=>e?._isRuntime?e.container:e instanceof Node?e:g.createTextNode(e==null?"":String(e)),p=null,_=null,T=!1,R=0,C=new Set,q=new WeakMap,k=Symbol("iter"),B=new WeakMap,E=(e)=>{if(!e||e._disposed)return;e._disposed=!0;let o=[e];while(o.length){let n=o.pop();if(n._cleanups)n._cleanups.forEach((s)=>s()),n._cleanups.clear();if(n._children)n._children.forEach((s)=>o.push(s)),n._children.clear();if(n._deps)n._deps.forEach((s)=>s.delete(n)),n._deps.clear()}},v=(e)=>{if(_)(_._cleanups||=new Set).add(e)},re=(e)=>{let o=p;p=null;try{return e()}finally{p=o}},A=(e,o=!1)=>{let n=()=>{if(n._disposed)return;if(n._deps)n._deps.forEach((c)=>c.delete(n));if(n._cleanups)n._cleanups.forEach((c)=>c()),n._cleanups.clear();let s=p,r=_;p=_=n;try{return n._result=e()}catch(c){console.error("[SigPro]",c)}finally{p=s,_=r}};if(n._deps=n._cleanups=n._children=null,n._disposed=!1,n._isComputed=o,n._depth=p?p._depth+1:0,n._mounts=[],n._parent=_,_)(_._children||=new Set).add(n);return n},V=()=>{if(T)return;T=!0;let e=Array.from(C).sort((o,n)=>o._depth-n._depth);C.clear();for(let o of e)if(!o._disposed)o();T=!1},F=(e)=>{R++;try{return 
e()}finally{if(R--,R===0&&C.size>0&&!T)V()}},w=(e,o=!1)=>{if(!o&&p&&!p._disposed)e.add(p),(p._deps||=new Set).add(e);else if(o&&e.size>0){let n=!1;for(let s of e){if(s===p||s._disposed)continue;if(s._isComputed){if(s._dirty=!0,s._subs)w(s._subs,!0)}else C.add(s),n=!0}if(n&&!T&&R===0)queueMicrotask(V)}},b=(e,o=null)=>{let n=new Set;if(y(e)){let s,r=()=>{if(r._dirty){let c=p;p=r;try{let t=e();if(!Object.is(s,t))s=t,w(n,!0)}finally{p=c}r._dirty=!1}return w(n),s};if(r._isComputed=!0,r._subs=n,r._dirty=!0,r._deps=null,r._disposed=!1,r.stop=()=>{},_)v(r.stop);return r}if(o)try{e=JSON.parse(localStorage.getItem(o))??e}catch(s){}return(...s)=>{if(s.length){let r=y(s[0])?s[0](e):s[0];if(!Object.is(e,r)){if(e=r,o)localStorage.setItem(o,JSON.stringify(e));w(n,!0)}}return w(n),e}},L=(e)=>{if(!P(e))return e;let o=q.get(e);if(o)return o;let n=new Map,s=(c)=>{let t=n.get(c);if(!t)n.set(c,t=new Set);return t},r=new Proxy(e,{get(c,t,i){if(typeof t!=="symbol")w(s(t));return L(Reflect.get(c,t,i))},set(c,t,i,l){let a=Reflect.has(c,t),f=Reflect.get(c,t,l),u=Reflect.set(c,t,i,l);if(u&&!Object.is(f,i)){if(w(s(t),!0),!a)w(s(k),!0)}return u},deleteProperty(c,t){let i=Reflect.deleteProperty(c,t);if(i)w(s(t),!0),w(s(k),!0);return i},ownKeys(c){return w(s(k)),Reflect.ownKeys(c)}});return q.set(e,r),r},O=(e,o)=>{if(o===void 0){let s=A(e);return s(),()=>E(s)}let n=A(()=>{let s=Array.isArray(e)?e.map((r)=>r()):e();re(()=>o(s))});return n(),()=>E(n)},U=(e)=>{if(!e)return;if(e._cleanups)e._cleanups.forEach((o)=>o()),e._cleanups.clear();if(e._ownerEffect)E(e._ownerEffect);if(e.childNodes)e.childNodes.forEach((o)=>U(o))},ie=/^\s*(javascript|data|vbscript):/i,ce=new Set(["src","href","formaction","action","background","code","archive"]),le=(e)=>ce.has(e)||e.startsWith("on"),D=(e,o)=>{if(o==null||o===!1)return null;if(le(e)){let n=String(o);if(ie.test(n))return console.warn(`[SigPro] Bloqueado protocolo peligroso en ${e}`),"#"}return o},x=(e,o={},n=[])=>{if(o instanceof 
Node||N(o)||!P(o))n=o,o={};if(y(e)){let t=A(()=>{let f=e(o,{children:n,emit:(u,...h)=>o[`on${u[0].toUpperCase()}${u.slice(1)}`]?.(...h)});return t._result=f,f});t();let i=t._result;if(i==null)return null;let l=i instanceof Node||N(i)&&i.every((f)=>f instanceof Node)?i:g.createTextNode(String(i)),a=(f)=>{if(P(f)&&!f._isRuntime)f._mounts=t._mounts||[],f._cleanups=t._cleanups||new Set,f._ownerEffect=t};return N(l)?l.forEach(a):a(l),l}let s=/^(svg|path|circle|rect|line|poly(line|gon)|g|defs|text(path)?|tspan|use|symbol|image|marker|ellipse)$/i.test(e),r=s?g.createElementNS("http://www.w3.org/2000/svg",e):g.createElement(e);r._cleanups=new Set;for(let t in o){if(!o.hasOwnProperty(t))continue;let i=o[t];if(t==="ref"){y(i)?i(r):i.current=r;continue}if(s&&t.startsWith("xlink:")){let l=D(t.slice(6),i),a="http://www.w3.org/1999/xlink";l==null?r.removeAttributeNS(a,t.slice(6)):r.setAttributeNS(a,t.slice(6),l);continue}if(t.startsWith("on")){let l=t.slice(2).toLowerCase();r.addEventListener(l,i);let a=()=>r.removeEventListener(l,i);r._cleanups.add(a),v(a)}else if(y(i)){let l=A(()=>{let a=D(t,i());if(t==="class")r.className=a||"";else if(a==null)r.removeAttribute(t);else if(t in r&&!s)r[t]=a;else r.setAttribute(t,a===!0?"":a)});if(l(),r._cleanups.add(()=>E(l)),v(()=>E(l)),/^(INPUT|TEXTAREA|SELECT)$/.test(r.tagName)&&(t==="value"||t==="checked")){let a=t==="checked"?"change":"input";r.addEventListener(a,(f)=>i(f.target[t]))}}else{let l=D(t,i);if(l!=null)if(t in r&&!s)r[t]=l;else r.setAttribute(t,l===!0?"":l)}}let c=(t)=>{if(N(t))return t.forEach(c);if(y(t)){let i=g.createTextNode("");r.appendChild(i);let l=[],a=A(()=>{let f=t(),u=(N(f)?f:[f]).map(M);l.forEach((d)=>{if(d._isRuntime)d.destroy();else U(d);if(d.parentNode)d.remove()});let h=i;for(let d=u.length-1;d>=0;d--){let m=u[d];if(m.parentNode!==h.parentNode)h.parentNode?.insertBefore(m,h);if(m._mounts)m._mounts.forEach((X)=>X());h=m}l=u});a(),r._cleanups.add(()=>E(a)),v(()=>E(a))}else{let 
i=M(t);if(r.appendChild(i),i._mounts)i._mounts.forEach((l)=>l())}};return c(n),r},j=(e)=>{let o=new Set,n=_,s=p,r=g.createElement("div");r.style.display="contents",r.setAttribute("role","presentation"),_={_cleanups:o},p=null;let c=(t)=>{if(!t)return;if(t._isRuntime)o.add(t.destroy),r.appendChild(t.container);else if(N(t))t.forEach(c);else r.appendChild(t instanceof Node?t:g.createTextNode(String(t==null?"":t)))};try{c(e({onCleanup:(t)=>o.add(t)}))}finally{_=n,p=s}return{_isRuntime:!0,container:r,destroy:()=>{o.forEach((t)=>t()),U(r),r.remove()}}},W=(e,o,n=null)=>{let s=g.createTextNode(""),r=x("div",{style:"display:contents"},[s]),c=null;return O(()=>!!(y(e)?e():e),(t)=>{if(c)c.destroy(),c=null;let i=t?o:n;if(i)c=j(()=>y(i)?i():i),r.insertBefore(c.container,s)}),v(()=>c?.destroy()),r},G=({name:e,duration:o=200,scale:n,slide:s,rotate:r,blur:c},t)=>{let i=typeof t==="function"?t():t;if(!(i instanceof Node))return i;if(e)return i.style.animation=`${e}-in ${o}ms`,i;let l=n||s||r||c,a=[n?"scale(0.95)":"",s?"translateY(-10px)":"",r?"rotate(-2deg)":""].filter(Boolean).join(" ");if(i.style.transition=`all ${o}ms ease`,i.style.opacity="0",l)i.style.transform=a;if(c)i.style.filter="blur(4px)";return requestAnimationFrame(()=>{if(i.style.opacity="1",l)i.style.transform="none";if(c)i.style.filter="none"}),i},J=(e,o,n)=>{let s=g.createTextNode(""),r=x("div",{style:"display:contents"},[s]),c=new Map;return O(()=>(y(e)?e():e)||[],(t)=>{let i=new Map,l=[],a=t||[];for(let u=0;uo(h,u));else c.delete(d);i.set(d,m),l.push(m)}c.forEach((u)=>u.destroy());let f=s;for(let u=l.length-1;u>=0;u--){let d=l[u].container;if(d.nextSibling!==f)r.insertBefore(d,f);f=d}c=i}),r},S=(e)=>{let o=()=>window.location.hash.slice(1)||"/",n=b(o()),s=()=>n(o());window.addEventListener("hashchange",s),v(()=>window.removeEventListener("hashchange",s));let r=x("div",{class:"router-hook"}),c=null;return O([n],()=>{let t=n(),i=e.find((l)=>{let 
a=l.path.split("/").filter(Boolean),f=t.split("/").filter(Boolean);return a.length===f.length&&a.every((u,h)=>u[0]===":"||u===f[h])})||e.find((l)=>l.path==="*");if(i){c?.destroy();let l={};i.path.split("/").filter(Boolean).forEach((a,f)=>{if(a[0]===":")l[a.slice(1)]=t.split("/").filter(Boolean)[f]}),S.params(l),c=j(()=>y(i.component)?i.component(l):i.component),r.replaceChildren(c.container)}}),r};S.params=b({});S.to=(e)=>window.location.hash=e.replace(/^#?\/?/,"#/");S.back=()=>window.history.back();S.path=()=>window.location.hash.replace(/^#/,"")||"/";var z=({url:e,method:o="GET",headers:n={}})=>{let s=b(!1),r=b(null),c=b(null),t=null,i=null;return{run:async(f=null)=>{t?.abort(),clearTimeout(i),t=new AbortController,i=setTimeout(()=>t.abort(),1e4),s(!0),r(null);try{let u=f instanceof FormData,h=await fetch(e,{method:o,headers:u?n:{"Content-Type":"application/json",...n},body:u?f:f?JSON.stringify(f):void 0,signal:t.signal}),d=await h.text(),m=d?JSON.parse(d):null;if(!h.ok)throw Error(m?.message||h.statusText);return c(m),m}catch(u){if(u.name!=="AbortError")r(u.message);throw u}finally{s(!1),clearTimeout(i),t=null,i=null}},abort:()=>t?.abort(),loading:s,error:r,data:c}},K=(e,o)=>{let n=typeof o==="string"?g.querySelector(o):o;if(!n)return;if(B.has(n))B.get(n).destroy();let s=j(y(e)?e:()=>e);return n.replaceChildren(s.container),B.set(n,s),s},ae=Object.freeze({$:b,$$:L,watch:O,h:x,when:W,each:J,fx:G,router:S,req:z,mount:K,batch:F}),Q=()=>{if(typeof window<"u")Object.assign(window,ae),"a abbr article aside audio b blockquote br button canvas caption cite code col colgroup datalist dd del details dfn dialog div dl dt em embed fieldset figcaption figure footer form h1 h2 h3 h4 h5 h6 header hr i iframe img input ins kbd label legend li main mark meter nav object ol optgroup option output p picture pre progress section select slot small source span strong sub summary sup svg table tbody td template textarea tfoot th thead time tr u ul video".split(" 
").forEach((e)=>{window[e]=(o,n)=>x(e,o,n)}),console.log("SigPro DX installed.")};if(typeof import.meta>"u"&&typeof window<"u")Q();})(); diff --git a/docs/sigpro.js b/docs/sigpro.js index 34f8d78..6d02f8e 100644 --- a/docs/sigpro.js +++ b/docs/sigpro.js @@ -300,7 +300,8 @@ node.childNodes.forEach((n) => cleanupNode(n)); }; var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i; - var isDangerousAttr = (key) => key === "src" || key === "href" || key.startsWith("on"); + var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]); + var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on"); var validateAttr = (key, val) => { if (val == null || val === false) return null; @@ -354,8 +355,9 @@ continue; } if (isSVG && k.startsWith("xlink:")) { - const ns = "http://www.w3.org/1999/xlink"; - v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v); + const cleanVal = validateAttr(k.slice(6), v); + let lnk = "http://www.w3.org/1999/xlink"; + cleanVal == null ? el.removeAttributeNS(lnk, k.slice(6)) : el.setAttributeNS(lnk, k.slice(6), cleanVal); continue; } if (k.startsWith("on")) { diff --git a/package.json b/package.json index bf2ad5f..6e3751a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "sigpro", - "version": "1.2.20", + "version": "1.2.21", "type": "module", "license": "MIT", "main": "./dist/sigpro.esm.min.js", @@ -28,10 +28,10 @@ "homepage": "https://sigpro.natxocc.com/#/", "repository": { "type": "git", - "url": "https://git.natxocc.com/natxocc/sigpro" + "url": "https://github.com/natxocc/sigpro" }, "bugs": { - "url": "https://git.natxocc.com/natxocc/sigpro/issues" + "url": "https://github.com/natxocc/sigpro/issues" }, "scripts": { "clean": "rm -rf dist", diff --git a/sigpro.js b/sigpro.js index 8f73769..5f31cb3 100644 --- a/sigpro.js +++ b/sigpro.js 
@@ -230,8 +230,9 @@ const cleanupNode = (node) => {
 if (node.childNodes) node.childNodes.forEach(n => cleanupNode(n));
 };
-const DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i
-const isDangerousAttr = key => key === 'src' || key === 'href' || key.startsWith('on')
+var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i;
+var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]);
+var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on");
 const validateAttr = (key, val) => {
 if (val == null || val === false) return null
@@ -292,9 +293,12 @@ const h = (tag, props = {}, children = []) => {
 continue
 }
 if (isSVG && k.startsWith("xlink:")) {
- const ns = "http://www.w3.org/1999/xlink"
- v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v)
- continue
+ const cleanVal = validateAttr(k.slice(6), v);
+ let lnk = "http://www.w3.org/1999/xlink"
+ cleanVal == null
+ ? el.removeAttributeNS(lnk, k.slice(6))
+ : el.setAttributeNS(lnk, k.slice(6), cleanVal);
+ continue;
 }
 if (k.startsWith("on")) {
 const ev = k.slice(2).toLowerCase()
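Review bot: In the first sigpro.js hunk (`@@ -230,8 +230,9 @@`), `DANGEROUS_URI_ATTRS.has(key)` is an exact, case-sensitive lookup, while the bundled build on this page shows `h` assigning `el[k]` whenever `k in el`, so a prop spelled as the DOM property (`formAction`) or in another case (`HREF`) reaches the same URL sink without the protocol check. Normalising the name inside the predicate closes that: `var isDangerousAttr = (key) => { const k = String(key).toLowerCase(); return DANGEROUS_URI_ATTRS.has(k) || k.startsWith("on"); };`. The unchanged `DANGEROUS_PROTOCOL` test is anchored on the raw string, whereas URL parsers discard ASCII tab and newline characters and leading control characters before reading the scheme, so `validateAttr` (whose body continues outside the hunk) should strip those from the value before testing it. The same lines are repeated in the dist/ and docs/ builds.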
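Review bot: In the second sigpro.js hunk (`@@ -292,9 +293,12 @@`), `validateAttr(k.slice(6), v)` sees the raw prop, and this branch `continue`s before the function-valued branch that the bundled build on this page shows further down, so a signal passed as `xlink:href` appears to be stringified and checked once rather than evaluated and re-checked on each update. If reactive SVG links are meant to work, the branch needs the same effect wrapper as the generic path; otherwise a comment such as `// xlink:* accepts static values only; validated once at creation` would make the limit explicit. On style, `lnk` is never reassigned and `k.slice(6)` is computed three times: `const name = k.slice(6);` and `const lnk = "http://www.w3.org/1999/xlink";` read better, and the new lines mix terminated and unterminated statements. The loop body of `h` starts and ends outside the hunk.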