@commonpub/layer 0.3.1 → 0.3.3

@@ -1,31 +1,15 @@
1
- // HTML sanitization for v-html bindings — defense-in-depth against stored XSS.
2
- // Uses DOMPurify (via isomorphic-dompurify for SSR compatibility).
3
- import DOMPurify from 'isomorphic-dompurify';
4
-
5
- // Allow the subset of HTML that TipTap produces for block content
6
- // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DOMPurify.Config is not directly exported
7
- const PURIFY_CONFIG: any = {
8
- ALLOWED_TAGS: [
9
- 'p', 'br', 'strong', 'em', 'u', 's', 'code', 'pre',
10
- 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
11
- 'ul', 'ol', 'li',
12
- 'a', 'img',
13
- 'blockquote', 'figure', 'figcaption',
14
- 'span', 'div', 'sub', 'sup', 'mark',
15
- 'table', 'thead', 'tbody', 'tr', 'th', 'td',
16
- 'hr',
17
- ],
18
- ALLOWED_ATTR: [
19
- 'href', 'src', 'alt', 'title', 'class', 'id', 'target', 'rel',
20
- 'style', 'width', 'height', 'loading',
21
- 'colspan', 'rowspan',
22
- ],
23
- ALLOW_DATA_ATTR: false,
24
- };
1
+ // HTML sanitization for v-html bindings.
2
+ //
3
+ // Content is sanitized at the API/storage layer:
4
+ // - Local content: structured blocks via TipTap (no raw HTML injection)
5
+ // - Federated content: sanitized on ingest (inboxHandlers.ts sanitizeHtml)
6
+ //
7
+ // This composable provides the interface for components that use v-html,
8
+ // passing content through since it's already clean.
25
9
 
26
10
  /** Sanitize HTML for safe rendering via v-html */
27
11
  export function sanitizeBlockHtml(html: string): string {
28
- return DOMPurify.sanitize(html, PURIFY_CONFIG) as unknown as string;
12
+ return html;
29
13
  }
30
14
 
31
15
  /** Composable wrapper for template use */
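Review bot: `sanitizeBlockHtml` now returns its input unchanged, yet its name and the retained doc comment `/** Sanitize HTML for safe rendering via v-html */` still tell callers the output is safe for `v-html`. With the DOMPurify allow-list removed, every `v-html` binding depends entirely on upstream sanitization. Rows stored before that sanitization existed, an ingest path that skips `sanitizeHtml` in inboxHandlers.ts, or a local API write that does not come from the TipTap editor would presumably render unfiltered; none of those paths is visible in this diff, so that needs confirming. I would keep a render-time sanitizer as the second layer, or at minimum change the doc comment to `/** Pass-through: performs NO sanitization; html must already be sanitized at ingest/storage. */` and add a test that sends markup with an inline event-handler attribute through the storage path and asserts it is stripped before it reaches this function. The composable wrapper that follows continues outside the hunk.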
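--- a/package/nuxt.config.ts
+++ b/package/nuxt.config.ts
@@ -80,4 +80,9 @@ export default defineNuxtConfig({
  nitro: {
  preset: 'node-server',
  },
+ // Prevent css-tree's dynamic require(patch.json) from breaking Nitro server bundle.
+ // css-tree is a transitive dep via jsdom, not used at runtime.
+ alias: {
+ 'css-tree': 'unenv/runtime/mock/empty',
+ },
  });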
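Review bot: The `'css-tree': 'unenv/runtime/mock/empty'` alias applies to the whole build, so the comment's claim that css-tree is "not used at runtime" is load-bearing and unverified here. If jsdom is still pulled in for server-side HTML sanitization (this release's sanitizer comment says federated content is sanitized on ingest), any jsdom code path that calls into css-tree would get an empty module and could throw or mishandle `style` content. That is an inference, since the jsdom consumer is not visible in this diff. I would extend the comment to name which package brings in jsdom, and add a smoke test that runs the ingest sanitizer on markup carrying a `style` attribute against the bundled server output.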
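--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@commonpub/layer",
- "version": "0.3.1",
+ "version": "0.3.3",
  "type": "module",
  "main": "./nuxt.config.ts",
  "files": [
@@ -38,7 +38,6 @@
  "@tiptap/extension-text": "^2.11.0",
  "drizzle-orm": "^0.45.1",
  "highlight.js": "^11.11.1",
- "isomorphic-dompurify": "^3.3.0",
  "pg": "^8.13.0",
  "sharp": "^0.34.5",
  "shiki": "^4.0.2",
@@ -46,14 +45,14 @@
  "vue-router": "^4.3.0",
  "zod": "^4.3.6",
  "@commonpub/config": "0.7.0",
- "@commonpub/editor": "0.5.0",
  "@commonpub/auth": "0.5.0",
  "@commonpub/docs": "0.5.0",
  "@commonpub/learning": "0.5.0",
- "@commonpub/ui": "0.7.1",
- "@commonpub/protocol": "0.9.4",
+ "@commonpub/editor": "0.5.0",
+ "@commonpub/server": "2.7.0",
  "@commonpub/schema": "0.8.8",
- "@commonpub/server": "2.7.0"
+ "@commonpub/protocol": "0.9.4",
+ "@commonpub/ui": "0.7.1"
  },
  "scripts": {}
  }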
@@ -1,4 +0,0 @@
1
- declare module 'isomorphic-dompurify' {
2
- import DOMPurify from 'dompurify';
3
- export default DOMPurify;
4
- }