npm - @droppii-org/chat-sdk - Versions diffs - 0.1.0 → 0.1.1 - Mend

@droppii-org/chat-sdk 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/utils/common.d.ts CHANGED Viewed

@@ -12,5 +12,18 @@ export declare const urlRegex: RegExp;
 export declare function extractLinks(text: string): string[];
 export declare function wrapLinksInHtml(htmlContent: string): string;
 export declare const getHostFromUrl: (url: string) => string | null;
+/**
+ * Sanitizes HTML content to prevent XSS attacks
+ * Uses DOMPurify to remove all potentially malicious code
+ *
+ * @param html - Raw HTML content that may contain malicious scripts
+ * @returns Sanitized HTML safe for rendering
+ *
+ * @example
+ * const userInput = '<img src=x onerror=alert("XSS")>';
+ * const safe = sanitizeHtml(userInput);
+ * // Returns: '<img src="x">' (onerror removed)
+ */
+export declare function sanitizeHtml(html: string): string;
 export {};
 //# sourceMappingURL=common.d.ts.map

package/dist/utils/common.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../../src/utils/common.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;~~AAGtD~~,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAapD;AAED,eAAO,MAAM,iCAAiC,GAC5C,aAAa,WAAW,EACxB,YAAY,MAAM,WAkBnB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,WAAW,MAAM,EACjB,gBAAgB,MAAM,EACtB,IAAI,GAAG,uBA2CR,CAAC;AAEF,eAAO,MAAM,eAAe,GAC1B,MAAM,MAAM,EACZ,SAAS,MAAM,EACf,kBAAc,WA2Cf,CAAC;AAEF,UAAU,aAAa;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,wBAAgB,eAAe,CAC7B,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,aAAa,GACtB,MAAM,CAqBR;AAED,eAAO,MAAM,QAAQ,QAAkD,CAAC;AAExE,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAEnD;AAED,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAqC3D;AAED,eAAO,MAAM,cAAc,GAAI,KAAK,MAAM,KAAG,MAAM,GAAG,IAOrD,CAAC"}
1	+ {"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../../src/utils/common.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAItD,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAapD;AAED,eAAO,MAAM,iCAAiC,GAC5C,aAAa,WAAW,EACxB,YAAY,MAAM,WAkBnB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,WAAW,MAAM,EACjB,gBAAgB,MAAM,EACtB,IAAI,GAAG,uBA2CR,CAAC;AAEF,eAAO,MAAM,eAAe,GAC1B,MAAM,MAAM,EACZ,SAAS,MAAM,EACf,kBAAc,WA2Cf,CAAC;AAEF,UAAU,aAAa;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,wBAAgB,eAAe,CAC7B,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,aAAa,GACtB,MAAM,CAqBR;AAED,eAAO,MAAM,QAAQ,QAAkD,CAAC;AAExE,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAEnD;AAED,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAqC3D;AAED,eAAO,MAAM,cAAc,GAAI,KAAK,MAAM,KAAG,MAAM,GAAG,IAOrD,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAwCjD"}

package/dist/utils/common.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { MessageType } from "@openim/wasm-client-sdk";
 import dayjs from "dayjs";
+import DOMPurify from "dompurify";
 export function renderFileSize(bytes) {
     if (!bytes || bytes <= 0)
         return "0 B";
@@ -165,3 +166,53 @@ export const getHostFromUrl = (url) => {
         return null;
     }
 };
+/**
+ * Sanitizes HTML content to prevent XSS attacks
+ * Uses DOMPurify to remove all potentially malicious code
+ *
+ * @param html - Raw HTML content that may contain malicious scripts
+ * @returns Sanitized HTML safe for rendering
+ *
+ * @example
+ * const userInput = '<img src=x onerror=alert("XSS")>';
+ * const safe = sanitizeHtml(userInput);
+ * // Returns: '<img src="x">' (onerror removed)
+ */
+export function sanitizeHtml(html) {
+    if (!html)
+        return "";
+    // Configure DOMPurify hooks
+    DOMPurify.addHook("afterSanitizeAttributes", (node) => {
+        // Ensure all links open in new tab with security attributes
+        if (node.tagName === "A") {
+            node.setAttribute("target", "_blank");
+            node.setAttribute("rel", "noopener noreferrer");
+        }
+    });
+    const sanitized = DOMPurify.sanitize(html, {
+        ALLOWED_TAGS: [
+            // Text formatting
+            "b", "i", "u", "strong", "em", "mark", "small", "del", "ins", "sub", "sup",
+            // Structure
+            "p", "br", "div", "span", "blockquote", "pre", "code",
+            // Lists
+            "ul", "ol", "li",
+            // Links
+            "a",
+            // Headers
+            "h1", "h2", "h3", "h4", "h5", "h6",
+        ],
+        ALLOWED_ATTR: [
+            "href",
+            "target",
+            "rel",
+            "class",
+            "style", // Allow style for basic formatting
+        ],
+        ALLOW_DATA_ATTR: false, // Prevent data-* attributes
+        ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
+    });
+    // Remove hooks after sanitization
+    DOMPurify.removeHook("afterSanitizeAttributes");
+    return sanitized;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@droppii-org/chat-sdk",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Droppii React Chat SDK",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -82,6 +82,7 @@
     "axios": "^1.11.0",
     "clsx": "^2.0.0",
     "dayjs": "^1.11.13",
+    "dompurify": "^3.3.1",
     "i18next": "^25.5.2",
     "jwt-decode": "^4.0.0",
     "lexical": "^0.34.0",
@@ -105,6 +106,7 @@
     "react-dom": "^18.0.0"
   },
   "devDependencies": {
+    "@types/dompurify": "^3.2.0",
     "@types/lodash": "^4.17.20",
     "@types/node": "^20.0.0",
     "@types/react": "^18.2.37",