@autumnsgrove/groveengine 0.4.6 → 0.4.8

package/dist/components/custom/ContentWithGutter.svelte

@@ -401,10 +401,10 @@
 	// Sanitize HTML content to prevent XSS attacks (browser-only for SSR compatibility)
 	let DOMPurify = $state(null);
 
-	// Load DOMPurify only in browser
+	// Load DOMPurify only in browser (avoids jsdom dependency for SSR)
 	onMount(async () => {
 		if (browser) {
-			const module = await import('isomorphic-dompurify');
+			const module = await import('dompurify');
 			DOMPurify = module.default;
 		}
 	});

package/dist/utils/sanitize.js

@@ -1,9 +1,23 @@
 /**
  * Centralized sanitization utilities for XSS prevention
- * Uses isomorphic-dompurify for both server-side and client-side sanitization
+ *
+ * Uses DOMPurify for client-side sanitization. On the server (SSR),
+ * content is passed through unsanitized since it will be sanitized
+ * when the page hydrates on the client.
+ *
+ * This approach avoids bundling jsdom (required by isomorphic-dompurify)
+ * which doesn't work in Cloudflare Workers.
  */
 
-import DOMPurify from "isomorphic-dompurify";
+import { browser } from "$app/environment";
+
+// Dynamically import DOMPurify only in browser
+let DOMPurify = null;
+if (browser) {
+  import("dompurify").then((module) => {
+    DOMPurify = module.default;
+  });
+}
 
 /**
  * Sanitize HTML content to prevent XSS attacks
@@ -15,6 +29,11 @@ export function sanitizeHTML(html) {
     return "";
   }
 
+  // On server, pass through - will be sanitized on client hydration
+  if (!browser || !DOMPurify) {
+    return html;
+  }
+
   const config = {
     FORBID_TAGS: [
       "script",
@@ -42,7 +61,7 @@ export function sanitizeHTML(html) {
       "onmouseleave",
       "style",
     ],
-    ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
+    ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):|\/|#)/i,
     ALLOW_DATA_ATTR: false,
     KEEP_CONTENT: true,
     SAFE_FOR_TEMPLATES: true,
@@ -61,6 +80,11 @@ export function sanitizeSVG(svg) {
     return "";
   }
 
+  // On server, pass through - will be sanitized on client hydration
+  if (!browser || !DOMPurify) {
+    return svg;
+  }
+
   return DOMPurify.sanitize(svg, {
     USE_PROFILES: { svg: true, svgFilters: true },
     ALLOWED_TAGS: [
@@ -156,6 +180,11 @@ export function sanitizeMarkdown(markdownHTML) {
     return "";
   }
 
+  // On server, pass through - will be sanitized on client hydration
+  if (!browser || !DOMPurify) {
+    return markdownHTML;
+  }
+
   // For markdown, we allow a broader set of tags but still sanitize
   return DOMPurify.sanitize(markdownHTML, {
     ALLOWED_TAGS: [
@@ -245,7 +274,7 @@ export function sanitizeMarkdown(markdownHTML) {
       "onsubmit",
       "style",
     ],
-    ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
+    ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):|\/|#)/i,
     ALLOW_DATA_ATTR: false,
     KEEP_CONTENT: true,
     SAFE_FOR_TEMPLATES: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autumnsgrove/groveengine",
-  "version": "0.4.6",
+  "version": "0.4.8",
   "description": "Multi-tenant blog engine for Grove Platform. Features gutter annotations, markdown editing, magic code auth, and Cloudflare Workers deployment.",
   "author": "AutumnsGrove",
   "license": "MIT",
@@ -181,7 +181,7 @@
     "@types/dompurify": "^3.0.5",
     "chart.js": "^4.5.1",
     "clsx": "^2.1.1",
-    "isomorphic-dompurify": "^2.33.0",
+    "dompurify": "^3.3.0",
     "gray-matter": "^4.0.3",
     "lucide-svelte": "^0.554.0",
     "marked": "^17.0.1",