# Security

← [Auth](auth.md) · [Components](components.md) →

---

> ⚠️ **SECURITY MODEL**
>
> PromptJS is **friendly-by-default, fail-closed**: page authors write high-level
> markup, and the compiler inserts the defensive layers automatically.
> Potentially dangerous constructs (untrusted innerHTML, `on*` attributes,
> `javascript:` URLs) are **silently blocked at runtime**, not passed through.
> No opt-in is required for baseline protection.
>
> However, the **auth guard is client-side/advisory**: it steers the UX flow and
> does NOT replace server-side authorization. See [Auth](auth.md) and the
> *Auth Guard* section below.

---

PromptJS treats every value originating from a `.pjs` file, front-matter data, or user input as **untrusted**. All paths that can write HTML or DOM attributes are funneled through single choke points that sanitize the value before it touches the document. All security logic compiles to vanilla JavaScript — no external runtime dependency.
---

## Layer Overview

| Layer | Helper / Flag | Source | Nature |
|-------|---------------|--------|--------|
| HTML sanitization | `__sanitizeHTML` | `runtime.js:173–242` | Fail-closed, automatic |
| Safe attributes | `__safeAttr` | `runtime.js:244–265` | Fail-closed, automatic |
| Role guard | `__pjs_verifyPeran` (seam) | `promptjs-compiler.js:136–156` | Client-side / advisory |
| Security warnings | `PJS-W1001`, `PJS-W1002` | `runtime.js:250, 257` | Runtime, console |
| Security errors | `E5004`, `E5005` | `error-codes.js:124–125` | Compile-time, fail-closed |
| Path containment | `isInsideRoot`, `safeResolve` | `utils/path-guard.js` | Fail-closed, automatic |
| Content-Security-Policy | `--csp` / `config.csp` | `build.js:54`, `config.js:164–166`, `static.js:165–181` | Build-time, opt-in |

---

## HTML Sanitization

`__sanitizeHTML` is the single choke point through which **every** compiler-generated `innerHTML` assignment passes (`statements.js:44`, `statements.js:641`, `expression.js:260`). It uses an **allowlist** of tags and attributes: tags outside the list are stripped, `on*` attributes and URL-carrying attributes with `javascript:`/`data:`/`vbscript:` schemes are removed, and HTML comments are dropped.
```pjs
data jahat = "Hai"
Halaman:
  Buat div#keluar
    atur isi ke jahat
```

The compiled output routes the value through the helper (never a raw assignment):

```js
keluar.innerHTML = __sanitizeHTML(jahat);
// Resulting DOM: Hai
// →
```
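As an added illustration of the allowlist rules described above (this is not PromptJS's own `__sanitizeHTML` from `runtime.js`, whose code is not reproduced here), the following plain-JavaScript sanitizer strips non-allowlisted tags, drops `on*` attributes, rejects `javascript:`/`data:`/`vbscript:` URL schemes and removes HTML comments. The tag and attribute allowlists, and the removal of whole `<script>`/`<style>` bodies, are assumptions chosen for the example; it runs under Node without a DOM.

```javascript
// Added example (not PromptJS's __sanitizeHTML): an allowlist HTML sanitizer.
// Allowlists below are assumed for illustration.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'span',
  'div', 'ul', 'ol', 'li', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'title', 'class', 'id', 'alt']);
const URL_ATTRS = new Set(['href', 'src']);
// Schemes that execute code or smuggle markup. Leading whitespace is tolerated
// because browsers ignore it; a production sanitizer must also decode entities
// and strip control characters inside the scheme before applying this check.
const BAD_SCHEME = /^\s*(javascript|data|vbscript)\s*:/i;

function sanitizeAttrs(rawAttrs) {
  // Matches name, name=value, name="value" or name='value'.
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const kept = [];
  let m;
  while ((m = re.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on')) continue;                         // event handler
    if (!ALLOWED_ATTRS.has(name)) continue;                      // not allowlisted
    if (URL_ATTRS.has(name) && BAD_SCHEME.test(value)) continue; // bad scheme
    kept.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.join('');
}

function sanitizeHTML(input) {
  const html = String(input)
    .replace(/<!--[\s\S]*?-->/g, '')                             // HTML comments
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');  // whole blocks
  // Rewrite every tag: drop it if not allowlisted (its text content stays as
  // inert text), otherwise re-emit it with only the surviving attributes.
  // A regex tokenizer is fine for illustration; a real implementation should
  // parse with the browser's DOM to avoid mutation tricks.
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g, (whole, tag, rest) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (whole.startsWith('</')) return `</${name}>`;
    const selfClosing = /\/\s*$/.test(rest);
    const attrs = sanitizeAttrs(rest.replace(/\/\s*$/, ''));
    return `<${name}${attrs}${selfClosing ? ' /' : ''}>`;
  });
}
```

Each rule is independent, so a payload that combines several vectors (an event handler on an allowlisted tag, a `data:` URL in `href`, a hidden comment) loses every dangerous part while the surrounding benign markup survives.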