# Security
---
> ⚠️ **SECURITY MODEL**
>
> PromptJS is **friendly-by-default, fail-closed**: page authors write
> high-level markup, and the compiler inserts the defensive layers
> automatically. Potentially dangerous constructs (untrusted innerHTML,
> `on*` attributes, `javascript:` URLs) are **silently blocked at runtime**,
> not passed through. No opt-in is required for baseline protection.
>
> The auth guard, however, is **client-side/advisory**: it steers the UX flow
> and does NOT replace server-side authorization. See [Auth](auth.md) and the
> *Auth Guard* section below.
---
PromptJS treats every value originating from a `.pjs` file, front-matter data,
or user input as **untrusted**. All paths that can write HTML or DOM attributes
are funneled through single choke points that sanitize the value before it
touches the document. All security logic compiles to vanilla JavaScript; there
is no external runtime dependency.
---
## Layer Overview
| Layer | Helper / Flag | Source | Nature |
|-------|---------------|--------|--------|
| HTML sanitization | `__sanitizeHTML` | `runtime.js:173–242` | Fail-closed, automatic |
| Safe attributes | `__safeAttr` | `runtime.js:244–265` | Fail-closed, automatic |
| Role guard | `__pjs_verifyPeran` (seam) | `promptjs-compiler.js:136–156` | Client-side / advisory |
| Security warnings | `PJS-W1001`, `PJS-W1002` | `runtime.js:250, 257` | Runtime, console |
| Security errors | `E5004`, `E5005` | `error-codes.js:124–125` | Compile-time, fail-closed |
| Path containment | `isInsideRoot`, `safeResolve` | `utils/path-guard.js` | Fail-closed, automatic |
| Content-Security-Policy | `--csp` / `config.csp` | `build.js:54`, `config.js:164–166`, `static.js:165–181` | Build-time, opt-in |
---
## HTML Sanitization
`__sanitizeHTML` is the single choke point through which **every**
compiler-generated `innerHTML` assignment passes (`statements.js:44`,
`statements.js:641`, `expression.js:260`). It uses an **allowlist** of tags and
attributes: tags outside the list are stripped, `on*` attributes and URL-bearing
attributes with `javascript:`/`data:`/`vbscript:` schemes are dropped, and HTML
comments are removed.
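The policy described above, as an added example in plain JavaScript (not PromptJS's own `__sanitizeHTML`): a regex-tokenizing allowlist sanitizer that strips unlisted tags, drops `on*` attributes and `javascript:`/`data:`/`vbscript:` URLs, and removes comments. The tag and attribute allowlists and the sample input are assumptions chosen for illustration; a production sanitizer should tokenize with a real HTML parser rather than regular expressions.

```javascript
// Illustrative allowlist sanitizer (example code, not PromptJS's __sanitizeHTML).
// The allowlists below are assumptions chosen for the demo.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "span", "ul", "ol", "li"]);
const ALLOWED_ATTRS = new Set(["href", "title", "class"]);
const URL_ATTRS = new Set(["href"]);
// Dangerous URL schemes; whitespace and control characters are stripped before matching.
const BAD_SCHEME = /^(javascript|data|vbscript):/i;

// Escape text nodes so a stray "<" or "&" can never open markup.
function escapeText(text) {
  return text.replace(/&(?!#?\w+;)/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep only allowlisted attributes; reject on* handlers and bad URL schemes.
function sanitizeAttrs(attrString) {
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (name.startsWith("on") || !ALLOWED_ATTRS.has(name)) continue;
    if (URL_ATTRS.has(name) && BAD_SCHEME.test(value.replace(/[\u0000-\u0020]/g, ""))) continue;
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

// Walk the input tag by tag: drop comments, drop unlisted tags, rebuild listed ones.
function sanitizeHTML(input) {
  const src = input.replace(/<!--[\s\S]*?-->/g, "");
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let result = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(src)) !== null) {
    result += escapeText(src.slice(last, m.index));
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // fail-closed: unknown tag is removed
    result += m[0].startsWith("</") ? `</${tag}>` : `<${tag}${sanitizeAttrs(m[2])}>`;
  }
  return result + escapeText(src.slice(last));
}

// Constructed sample input: a disallowed tag carrying an event handler, a
// javascript: link, and a comment; the policy removes all three.
const SAMPLE = '<img src="x" onerror="run()">Hi <a href="javascript:run()" title="t">link</a><!-- note -->';
console.log(sanitizeHTML(SAMPLE)); // → Hi <a title="t">link</a>
```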
```pjs
data jahat = "
Hai"
Halaman:
Buat div#keluar
atur isi ke jahat
```
The compiled output routes the value through the helper, never a raw
assignment:
```js
keluar.innerHTML = __sanitizeHTML(jahat);
// Resulting DOM:
// Hai
// →