@commercetools-uikit/rich-text-utils 20.3.0 → 20.4.0

package/dist/commercetools-uikit-rich-text-utils.cjs.dev.js

@@ -26,6 +26,7 @@ var _Object$getOwnPropertyDescriptors = require('@babel/runtime-corejs3/core-js-
 var _Object$defineProperties = require('@babel/runtime-corejs3/core-js-stable/object/define-properties');
 var _Object$defineProperty = require('@babel/runtime-corejs3/core-js-stable/object/define-property');
 var escapeHtml = require('escape-html');
+var DOMPurify = require('dompurify');
 var slate = require('slate');
 var slateHyperscript = require('slate-hyperscript');
 var parse = require('style-to-object');
@@ -72,6 +73,7 @@ var _Object$getOwnPropertyDescriptors__default = /*#__PURE__*/_interopDefault(_O
 var _Object$defineProperties__default = /*#__PURE__*/_interopDefault(_Object$defineProperties);
 var _Object$defineProperty__default = /*#__PURE__*/_interopDefault(_Object$defineProperty);
 var escapeHtml__default = /*#__PURE__*/_interopDefault(escapeHtml);
+var DOMPurify__default = /*#__PURE__*/_interopDefault(DOMPurify);
 var parse__default = /*#__PURE__*/_interopDefault(parse);
 var isEmpty__default = /*#__PURE__*/_interopDefault(isEmpty$2);
 var _includesInstanceProperty__default = /*#__PURE__*/_interopDefault(_includesInstanceProperty);
@@ -449,10 +451,33 @@ function _objectSpread$f(e) { for (var r = 1; r < arguments.length; r++) { var _
 // more: https://docs.slatejs.org/concepts/12-typescript
 // example: https://github.com/ianstormtaylor/slate/blob/main/packages/slate-react/src/custom-types.ts
 
+/**
+ * Escapes HTML but preserves anchor tags with sanitized attributes.
+ * This allows <a> tags to remain as clickable links while preventing XSS from other tags.
+ * Uses DOMPurify for robust sanitization against XSS attacks.
+ */
+const escapeHtmlExceptAnchors = text => {
+  // Use DOMPurify to sanitize the text, allowing only anchor tags
+  // This is much more secure than regex-based parsing
+  const sanitized = DOMPurify__default["default"].sanitize(text, {
+    ALLOWED_TAGS: ['a'],
+    ALLOWED_ATTR: ['href', 'title', 'target', 'rel'],
+    // Block dangerous URL schemes
+    ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
+    // Prevent DOM clobbering
+    SANITIZE_DOM: true,
+    // Keep relative URLs
+    ALLOW_DATA_ATTR: false,
+    // Return a string, not a DOM node
+    RETURN_DOM: false,
+    RETURN_DOM_FRAGMENT: false
+  });
+  return sanitized;
+};
 const serializeNode = node => {
   var _context, _context5, _context6;
   if (slate.Text.isText(node)) {
-    let string = escapeHtml__default["default"](node.text);
+    let string = escapeHtmlExceptAnchors(node.text);
     if (node.bold) {
       string = "<strong>".concat(string, "</strong>");
     }
@@ -1462,109 +1487,151 @@ var Dropdown$1 = Dropdown;
 
 var messages = reactIntl.defineMessages({
   boldButtonLabel: {
-    id: 'UIKit.RichTextBody.boldButtonLabel',
-    description: 'Label for the bold button',
-    defaultMessage: 'Bold'
+    id: "UIKit.RichTextBody.boldButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Bold"
+    }]
   },
   expandButtonLabel: {
-    id: 'UIKit.RichTextBody.expandButtonLabel',
-    description: 'Label for the expand button',
-    defaultMessage: 'Expand'
+    id: "UIKit.RichTextBody.expandButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Expand"
+    }]
   },
   italicButtonLabel: {
-    id: 'UIKit.RichTextBody.italicButtonLabel',
-    description: 'Label for the italic button',
-    defaultMessage: 'Italic'
+    id: "UIKit.RichTextBody.italicButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Italic"
+    }]
   },
   moreStylesDropdownLabel: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownLabel',
-    description: 'Label for the more styles dropdown',
-    defaultMessage: 'More styles'
+    id: "UIKit.RichTextBody.moreStylesDropdownLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "More styles"
+    }]
   },
   moreStylesDropdownOptionStrikethrough: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionStrikethrough',
-    description: 'label for the more styles `strikethrough` option',
-    defaultMessage: 'Strikethrough'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionStrikethrough",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Strikethrough"
+    }]
   },
   moreStylesDropdownOptionSuperscript: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionSuperscript',
-    description: 'label for the more styles `superscript` option',
-    defaultMessage: 'Superscript'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionSuperscript",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Superscript"
+    }]
   },
   moreStylesDropdownOptionSubscript: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionSubscript',
-    description: 'label for the more styles `subscript` option',
-    defaultMessage: 'Subscript'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionSubscript",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Subscript"
+    }]
   },
   orderedListButtonLabel: {
-    id: 'UIKit.RichTextBody.orderedListButtonLabel',
-    description: 'Label for the numbered list button',
-    defaultMessage: 'Numbered list'
+    id: "UIKit.RichTextBody.orderedListButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Numbered list"
+    }]
   },
   redoButtonLabel: {
-    id: 'UIKit.RichTextBody.redoButtonLabel',
-    description: 'Label for the redo button',
-    defaultMessage: 'Redo'
+    id: "UIKit.RichTextBody.redoButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Redo"
+    }]
   },
   styleDropdownLabel: {
-    id: 'UIKit.RichTextBody.styleDropdownLabel',
-    description: 'Label for the style dropdown',
-    defaultMessage: 'Text styles'
+    id: "UIKit.RichTextBody.styleDropdownLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Text styles"
+    }]
   },
   styleDropdownOptionParagraph: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionParagraph',
-    description: 'Label for the `paragraph` option',
-    defaultMessage: 'Paragraph'
+    id: "UIKit.RichTextBody.styleDropdownOptionParagraph",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Paragraph"
+    }]
   },
   styleDropdownOptionH1: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH1',
-    description: 'Label for the `headline-one` option',
-    defaultMessage: 'Headline H1'
+    id: "UIKit.RichTextBody.styleDropdownOptionH1",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H1"
+    }]
   },
   styleDropdownOptionH2: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH2',
-    description: 'Label for the `headline-two` option',
-    defaultMessage: 'Headline H2'
+    id: "UIKit.RichTextBody.styleDropdownOptionH2",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H2"
+    }]
   },
   styleDropdownOptionH3: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH3',
-    description: 'Label for the `headline-three` option',
-    defaultMessage: 'Headline H3'
+    id: "UIKit.RichTextBody.styleDropdownOptionH3",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H3"
+    }]
   },
   styleDropdownOptionH4: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH4',
-    description: 'Label for the `headline-four` option',
-    defaultMessage: 'Headline H4'
+    id: "UIKit.RichTextBody.styleDropdownOptionH4",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H4"
+    }]
   },
   styleDropdownOptionH5: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH5',
-    description: 'Label for the `headline-five` option',
-    defaultMessage: 'Headline H5'
+    id: "UIKit.RichTextBody.styleDropdownOptionH5",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H5"
+    }]
   },
   styleDropdownOptionQuote: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionQuote',
-    description: 'Label for the `quote` option',
-    defaultMessage: 'Quote'
+    id: "UIKit.RichTextBody.styleDropdownOptionQuote",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Quote"
+    }]
   },
   styleDropdownOptionPreformatted: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionPreformatted',
-    description: 'Label for the `code` option',
-    defaultMessage: 'Preformatted'
+    id: "UIKit.RichTextBody.styleDropdownOptionPreformatted",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Preformatted"
+    }]
   },
   underlinedButtonLabel: {
-    id: 'UIKit.RichTextBody.underlinedButtonLabel',
-    description: 'Label for the underline button',
-    defaultMessage: 'Underline'
+    id: "UIKit.RichTextBody.underlinedButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Underline"
+    }]
   },
   undoButtonLabel: {
-    id: 'UIKit.RichTextBody.undoButtonLabel',
-    description: 'Label for the undo button',
-    defaultMessage: 'Undo'
+    id: "UIKit.RichTextBody.undoButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Undo"
+    }]
   },
   unorderedListButtonLabel: {
-    id: 'UIKit.RichTextBody.unorderedListButtonLabel',
-    description: 'Label for the bullet list button',
-    defaultMessage: 'Bullet list'
+    id: "UIKit.RichTextBody.unorderedListButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Bullet list"
+    }]
   }
 });
 
@@ -1930,7 +1997,7 @@ RichTextEditorBody.displayName = 'RichTextEditorBody';
 var RichTextEditorBody$1 = RichTextEditorBody;
 
 // NOTE: This string will be replaced on build time with the package version.
-var version = "20.3.0";
+var version = "20.4.0";
 
 exports.Element = Element;
 exports.HiddenInput = HiddenInput$1;

package/dist/commercetools-uikit-rich-text-utils.cjs.prod.js

@@ -26,6 +26,7 @@ var _Object$getOwnPropertyDescriptors = require('@babel/runtime-corejs3/core-js-
 var _Object$defineProperties = require('@babel/runtime-corejs3/core-js-stable/object/define-properties');
 var _Object$defineProperty = require('@babel/runtime-corejs3/core-js-stable/object/define-property');
 var escapeHtml = require('escape-html');
+var DOMPurify = require('dompurify');
 var slate = require('slate');
 var slateHyperscript = require('slate-hyperscript');
 var parse = require('style-to-object');
@@ -72,6 +73,7 @@ var _Object$getOwnPropertyDescriptors__default = /*#__PURE__*/_interopDefault(_O
 var _Object$defineProperties__default = /*#__PURE__*/_interopDefault(_Object$defineProperties);
 var _Object$defineProperty__default = /*#__PURE__*/_interopDefault(_Object$defineProperty);
 var escapeHtml__default = /*#__PURE__*/_interopDefault(escapeHtml);
+var DOMPurify__default = /*#__PURE__*/_interopDefault(DOMPurify);
 var parse__default = /*#__PURE__*/_interopDefault(parse);
 var isEmpty__default = /*#__PURE__*/_interopDefault(isEmpty$2);
 var _includesInstanceProperty__default = /*#__PURE__*/_interopDefault(_includesInstanceProperty);
@@ -449,10 +451,33 @@ function _objectSpread$f(e) { for (var r = 1; r < arguments.length; r++) { var _
 // more: https://docs.slatejs.org/concepts/12-typescript
 // example: https://github.com/ianstormtaylor/slate/blob/main/packages/slate-react/src/custom-types.ts
 
+/**
+ * Escapes HTML but preserves anchor tags with sanitized attributes.
+ * This allows <a> tags to remain as clickable links while preventing XSS from other tags.
+ * Uses DOMPurify for robust sanitization against XSS attacks.
+ */
+const escapeHtmlExceptAnchors = text => {
+  // Use DOMPurify to sanitize the text, allowing only anchor tags
+  // This is much more secure than regex-based parsing
+  const sanitized = DOMPurify__default["default"].sanitize(text, {
+    ALLOWED_TAGS: ['a'],
+    ALLOWED_ATTR: ['href', 'title', 'target', 'rel'],
+    // Block dangerous URL schemes
+    ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
+    // Prevent DOM clobbering
+    SANITIZE_DOM: true,
+    // Keep relative URLs
+    ALLOW_DATA_ATTR: false,
+    // Return a string, not a DOM node
+    RETURN_DOM: false,
+    RETURN_DOM_FRAGMENT: false
+  });
+  return sanitized;
+};
 const serializeNode = node => {
   var _context, _context5, _context6;
   if (slate.Text.isText(node)) {
-    let string = escapeHtml__default["default"](node.text);
+    let string = escapeHtmlExceptAnchors(node.text);
     if (node.bold) {
       string = "<strong>".concat(string, "</strong>");
     }
@@ -1417,109 +1442,151 @@ var Dropdown$1 = Dropdown;
 
 var messages = reactIntl.defineMessages({
   boldButtonLabel: {
-    id: 'UIKit.RichTextBody.boldButtonLabel',
-    description: 'Label for the bold button',
-    defaultMessage: 'Bold'
+    id: "UIKit.RichTextBody.boldButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Bold"
+    }]
   },
   expandButtonLabel: {
-    id: 'UIKit.RichTextBody.expandButtonLabel',
-    description: 'Label for the expand button',
-    defaultMessage: 'Expand'
+    id: "UIKit.RichTextBody.expandButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Expand"
+    }]
   },
   italicButtonLabel: {
-    id: 'UIKit.RichTextBody.italicButtonLabel',
-    description: 'Label for the italic button',
-    defaultMessage: 'Italic'
+    id: "UIKit.RichTextBody.italicButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Italic"
+    }]
   },
   moreStylesDropdownLabel: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownLabel',
-    description: 'Label for the more styles dropdown',
-    defaultMessage: 'More styles'
+    id: "UIKit.RichTextBody.moreStylesDropdownLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "More styles"
+    }]
   },
   moreStylesDropdownOptionStrikethrough: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionStrikethrough',
-    description: 'label for the more styles `strikethrough` option',
-    defaultMessage: 'Strikethrough'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionStrikethrough",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Strikethrough"
+    }]
   },
   moreStylesDropdownOptionSuperscript: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionSuperscript',
-    description: 'label for the more styles `superscript` option',
-    defaultMessage: 'Superscript'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionSuperscript",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Superscript"
+    }]
   },
   moreStylesDropdownOptionSubscript: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionSubscript',
-    description: 'label for the more styles `subscript` option',
-    defaultMessage: 'Subscript'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionSubscript",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Subscript"
+    }]
   },
   orderedListButtonLabel: {
-    id: 'UIKit.RichTextBody.orderedListButtonLabel',
-    description: 'Label for the numbered list button',
-    defaultMessage: 'Numbered list'
+    id: "UIKit.RichTextBody.orderedListButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Numbered list"
+    }]
   },
   redoButtonLabel: {
-    id: 'UIKit.RichTextBody.redoButtonLabel',
-    description: 'Label for the redo button',
-    defaultMessage: 'Redo'
+    id: "UIKit.RichTextBody.redoButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Redo"
+    }]
   },
   styleDropdownLabel: {
-    id: 'UIKit.RichTextBody.styleDropdownLabel',
-    description: 'Label for the style dropdown',
-    defaultMessage: 'Text styles'
+    id: "UIKit.RichTextBody.styleDropdownLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Text styles"
+    }]
   },
   styleDropdownOptionParagraph: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionParagraph',
-    description: 'Label for the `paragraph` option',
-    defaultMessage: 'Paragraph'
+    id: "UIKit.RichTextBody.styleDropdownOptionParagraph",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Paragraph"
+    }]
   },
   styleDropdownOptionH1: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH1',
-    description: 'Label for the `headline-one` option',
-    defaultMessage: 'Headline H1'
+    id: "UIKit.RichTextBody.styleDropdownOptionH1",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H1"
+    }]
   },
   styleDropdownOptionH2: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH2',
-    description: 'Label for the `headline-two` option',
-    defaultMessage: 'Headline H2'
+    id: "UIKit.RichTextBody.styleDropdownOptionH2",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H2"
+    }]
   },
   styleDropdownOptionH3: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH3',
-    description: 'Label for the `headline-three` option',
-    defaultMessage: 'Headline H3'
+    id: "UIKit.RichTextBody.styleDropdownOptionH3",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H3"
+    }]
   },
   styleDropdownOptionH4: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH4',
-    description: 'Label for the `headline-four` option',
-    defaultMessage: 'Headline H4'
+    id: "UIKit.RichTextBody.styleDropdownOptionH4",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H4"
+    }]
   },
   styleDropdownOptionH5: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH5',
-    description: 'Label for the `headline-five` option',
-    defaultMessage: 'Headline H5'
+    id: "UIKit.RichTextBody.styleDropdownOptionH5",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H5"
+    }]
   },
   styleDropdownOptionQuote: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionQuote',
-    description: 'Label for the `quote` option',
-    defaultMessage: 'Quote'
+    id: "UIKit.RichTextBody.styleDropdownOptionQuote",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Quote"
+    }]
   },
   styleDropdownOptionPreformatted: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionPreformatted',
-    description: 'Label for the `code` option',
-    defaultMessage: 'Preformatted'
+    id: "UIKit.RichTextBody.styleDropdownOptionPreformatted",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Preformatted"
+    }]
   },
   underlinedButtonLabel: {
-    id: 'UIKit.RichTextBody.underlinedButtonLabel',
-    description: 'Label for the underline button',
-    defaultMessage: 'Underline'
+    id: "UIKit.RichTextBody.underlinedButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Underline"
+    }]
   },
   undoButtonLabel: {
-    id: 'UIKit.RichTextBody.undoButtonLabel',
-    description: 'Label for the undo button',
-    defaultMessage: 'Undo'
+    id: "UIKit.RichTextBody.undoButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Undo"
+    }]
   },
   unorderedListButtonLabel: {
-    id: 'UIKit.RichTextBody.unorderedListButtonLabel',
-    description: 'Label for the bullet list button',
-    defaultMessage: 'Bullet list'
+    id: "UIKit.RichTextBody.unorderedListButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Bullet list"
+    }]
   }
 });
 
@@ -1871,7 +1938,7 @@ RichTextEditorBody.displayName = 'RichTextEditorBody';
 var RichTextEditorBody$1 = RichTextEditorBody;
 
 // NOTE: This string will be replaced on build time with the package version.
-var version = "20.3.0";
+var version = "20.4.0";
 
 exports.Element = Element;
 exports.HiddenInput = HiddenInput$1;

package/dist/commercetools-uikit-rich-text-utils.esm.js

@@ -22,6 +22,7 @@ import _Object$getOwnPropertyDescriptors from '@babel/runtime-corejs3/core-js-st
 import _Object$defineProperties from '@babel/runtime-corejs3/core-js-stable/object/define-properties';
 import _Object$defineProperty from '@babel/runtime-corejs3/core-js-stable/object/define-property';
 import escapeHtml from 'escape-html';
+import DOMPurify from 'dompurify';
 import { Editor, Element as Element$1, Transforms, Text, Range } from 'slate';
 import { jsx as jsx$1 } from 'slate-hyperscript';
 import parse from 'style-to-object';
@@ -410,10 +411,33 @@ function _objectSpread$f(e) { for (var r = 1; r < arguments.length; r++) { var _
 // more: https://docs.slatejs.org/concepts/12-typescript
 // example: https://github.com/ianstormtaylor/slate/blob/main/packages/slate-react/src/custom-types.ts
 
+/**
+ * Escapes HTML but preserves anchor tags with sanitized attributes.
+ * This allows <a> tags to remain as clickable links while preventing XSS from other tags.
+ * Uses DOMPurify for robust sanitization against XSS attacks.
+ */
+const escapeHtmlExceptAnchors = text => {
+  // Use DOMPurify to sanitize the text, allowing only anchor tags
+  // This is much more secure than regex-based parsing
+  const sanitized = DOMPurify.sanitize(text, {
+    ALLOWED_TAGS: ['a'],
+    ALLOWED_ATTR: ['href', 'title', 'target', 'rel'],
+    // Block dangerous URL schemes
+    ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
+    // Prevent DOM clobbering
+    SANITIZE_DOM: true,
+    // Keep relative URLs
+    ALLOW_DATA_ATTR: false,
+    // Return a string, not a DOM node
+    RETURN_DOM: false,
+    RETURN_DOM_FRAGMENT: false
+  });
+  return sanitized;
+};
 const serializeNode = node => {
   var _context, _context5, _context6;
   if (Text.isText(node)) {
-    let string = escapeHtml(node.text);
+    let string = escapeHtmlExceptAnchors(node.text);
     if (node.bold) {
       string = "<strong>".concat(string, "</strong>");
     }
@@ -1423,109 +1447,151 @@ var Dropdown$1 = Dropdown;
 
 var messages = defineMessages({
   boldButtonLabel: {
-    id: 'UIKit.RichTextBody.boldButtonLabel',
-    description: 'Label for the bold button',
-    defaultMessage: 'Bold'
+    id: "UIKit.RichTextBody.boldButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Bold"
+    }]
   },
   expandButtonLabel: {
-    id: 'UIKit.RichTextBody.expandButtonLabel',
-    description: 'Label for the expand button',
-    defaultMessage: 'Expand'
+    id: "UIKit.RichTextBody.expandButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Expand"
+    }]
   },
   italicButtonLabel: {
-    id: 'UIKit.RichTextBody.italicButtonLabel',
-    description: 'Label for the italic button',
-    defaultMessage: 'Italic'
+    id: "UIKit.RichTextBody.italicButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Italic"
+    }]
   },
   moreStylesDropdownLabel: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownLabel',
-    description: 'Label for the more styles dropdown',
-    defaultMessage: 'More styles'
+    id: "UIKit.RichTextBody.moreStylesDropdownLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "More styles"
+    }]
   },
   moreStylesDropdownOptionStrikethrough: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionStrikethrough',
-    description: 'label for the more styles `strikethrough` option',
-    defaultMessage: 'Strikethrough'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionStrikethrough",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Strikethrough"
+    }]
   },
   moreStylesDropdownOptionSuperscript: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionSuperscript',
-    description: 'label for the more styles `superscript` option',
-    defaultMessage: 'Superscript'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionSuperscript",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Superscript"
+    }]
   },
   moreStylesDropdownOptionSubscript: {
-    id: 'UIKit.RichTextBody.moreStylesDropdownOptionSubscript',
-    description: 'label for the more styles `subscript` option',
-    defaultMessage: 'Subscript'
+    id: "UIKit.RichTextBody.moreStylesDropdownOptionSubscript",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Subscript"
+    }]
   },
   orderedListButtonLabel: {
-    id: 'UIKit.RichTextBody.orderedListButtonLabel',
-    description: 'Label for the numbered list button',
-    defaultMessage: 'Numbered list'
+    id: "UIKit.RichTextBody.orderedListButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Numbered list"
+    }]
   },
   redoButtonLabel: {
-    id: 'UIKit.RichTextBody.redoButtonLabel',
-    description: 'Label for the redo button',
-    defaultMessage: 'Redo'
+    id: "UIKit.RichTextBody.redoButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Redo"
+    }]
   },
   styleDropdownLabel: {
-    id: 'UIKit.RichTextBody.styleDropdownLabel',
-    description: 'Label for the style dropdown',
-    defaultMessage: 'Text styles'
+    id: "UIKit.RichTextBody.styleDropdownLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Text styles"
+    }]
   },
   styleDropdownOptionParagraph: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionParagraph',
-    description: 'Label for the `paragraph` option',
-    defaultMessage: 'Paragraph'
+    id: "UIKit.RichTextBody.styleDropdownOptionParagraph",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Paragraph"
+    }]
   },
   styleDropdownOptionH1: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH1',
-    description: 'Label for the `headline-one` option',
-    defaultMessage: 'Headline H1'
+    id: "UIKit.RichTextBody.styleDropdownOptionH1",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H1"
+    }]
   },
   styleDropdownOptionH2: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH2',
-    description: 'Label for the `headline-two` option',
-    defaultMessage: 'Headline H2'
+    id: "UIKit.RichTextBody.styleDropdownOptionH2",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H2"
+    }]
   },
   styleDropdownOptionH3: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH3',
-    description: 'Label for the `headline-three` option',
-    defaultMessage: 'Headline H3'
+    id: "UIKit.RichTextBody.styleDropdownOptionH3",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H3"
+    }]
   },
   styleDropdownOptionH4: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH4',
-    description: 'Label for the `headline-four` option',
-    defaultMessage: 'Headline H4'
+    id: "UIKit.RichTextBody.styleDropdownOptionH4",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H4"
+    }]
   },
   styleDropdownOptionH5: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionH5',
-    description: 'Label for the `headline-five` option',
-    defaultMessage: 'Headline H5'
+    id: "UIKit.RichTextBody.styleDropdownOptionH5",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Headline H5"
+    }]
   },
   styleDropdownOptionQuote: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionQuote',
-    description: 'Label for the `quote` option',
-    defaultMessage: 'Quote'
+    id: "UIKit.RichTextBody.styleDropdownOptionQuote",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Quote"
+    }]
   },
   styleDropdownOptionPreformatted: {
-    id: 'UIKit.RichTextBody.styleDropdownOptionPreformatted',
-    description: 'Label for the `code` option',
-    defaultMessage: 'Preformatted'
+    id: "UIKit.RichTextBody.styleDropdownOptionPreformatted",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Preformatted"
+    }]
   },
   underlinedButtonLabel: {
-    id: 'UIKit.RichTextBody.underlinedButtonLabel',
-    description: 'Label for the underline button',
-    defaultMessage: 'Underline'
+    id: "UIKit.RichTextBody.underlinedButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Underline"
+    }]
   },
   undoButtonLabel: {
-    id: 'UIKit.RichTextBody.undoButtonLabel',
-    description: 'Label for the undo button',
-    defaultMessage: 'Undo'
+    id: "UIKit.RichTextBody.undoButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Undo"
+    }]
   },
   unorderedListButtonLabel: {
-    id: 'UIKit.RichTextBody.unorderedListButtonLabel',
-    description: 'Label for the bullet list button',
-    defaultMessage: 'Bullet list'
+    id: "UIKit.RichTextBody.unorderedListButtonLabel",
+    defaultMessage: [{
+      "type": 0,
+      "value": "Bullet list"
+    }]
   }
 });
 
@@ -1891,6 +1957,6 @@ RichTextEditorBody.displayName = 'RichTextEditorBody';
 var RichTextEditorBody$1 = RichTextEditorBody;
 
 // NOTE: This string will be replaced on build time with the package version.
-var version = "20.3.0";
+var version = "20.4.0";
 
 export { Element, HiddenInput$1 as HiddenInput, Leaf, RichTextEditorBody$1 as RichTextBody, Softbreaker, focusEditor, html$1 as html, isBlockActive, isRichTextEmpty as isEmpty, isMarkActive, index as localized, resetEditor, toggleBlock, toggleMark, validSlateStateAdapter, version, withLinks };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@commercetools-uikit/rich-text-utils",
   "description": "Utilities for working with rich-text components.",
-  "version": "20.3.0",
+  "version": "20.4.0",
   "bugs": "https://github.com/commercetools/ui-kit/issues",
   "repository": {
     "type": "git",
@@ -24,20 +24,22 @@
   "dependencies": {
     "@babel/runtime": "^7.20.13",
     "@babel/runtime-corejs3": "^7.20.13",
-    "@commercetools-uikit/design-system": "20.3.0",
-    "@commercetools-uikit/icons": "20.3.0",
-    "@commercetools-uikit/input-utils": "20.3.0",
-    "@commercetools-uikit/spacings-inline": "20.3.0",
-    "@commercetools-uikit/tooltip": "20.3.0",
-    "@commercetools-uikit/utils": "20.3.0",
+    "@commercetools-uikit/design-system": "20.4.0",
+    "@commercetools-uikit/icons": "20.4.0",
+    "@commercetools-uikit/input-utils": "20.4.0",
+    "@commercetools-uikit/spacings-inline": "20.4.0",
+    "@commercetools-uikit/tooltip": "20.4.0",
+    "@commercetools-uikit/utils": "20.4.0",
     "@emotion/react": "^11.10.5",
     "@emotion/styled": "^11.10.5",
+    "@types/dompurify": "^2.4.0",
     "@types/escape-html": "1.0.4",
+    "dompurify": "3.2.7",
     "downshift": "9.0.10",
     "escape-html": "1.0.3",
     "is-hotkey": "0.2.0",
     "is-url": "^1.2.4",
-    "lodash": "4.17.21",
+    "lodash": "4.17.23",
     "slate": "0.75.0",
     "slate-history": "0.113.1",
     "slate-hyperscript": "0.100.0",