npm - @echozedlabs/react - Versions diffs - 0.1.0 → 0.2.0 - Mend

@echozedlabs/react 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/HostServiceToolbar.d.ts +8 -0
package/dist/HostServiceToolbar.d.ts.map +1 -0
package/dist/HostServiceToolbar.js +83 -0
package/dist/HostServiceToolbar.js.map +1 -0
package/dist/MarkdownEditor.d.ts.map +1 -1
package/dist/MarkdownEditor.js +59 -147
package/dist/MarkdownEditor.js.map +1 -1
package/dist/PreviewSurface.d.ts +8 -0
package/dist/PreviewSurface.d.ts.map +1 -0
package/dist/PreviewSurface.js +67 -0
package/dist/PreviewSurface.js.map +1 -0
package/dist/icons.d.ts +8 -0
package/dist/icons.d.ts.map +1 -0
package/dist/icons.js +8 -0
package/dist/icons.js.map +1 -0
package/dist/sanitizeHtml.d.ts +19 -3
package/dist/sanitizeHtml.d.ts.map +1 -1
package/dist/sanitizeHtml.js +19 -9
package/dist/sanitizeHtml.js.map +1 -1
package/package.json +5 -5
package/src/styles.css +1700 -1395

package/dist/icons.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"icons.js","sourceRoot":"","sources":["../src/icons.tsx"],"names":[],"mappings":";AAEA,4EAA4E;AAC5E,MAAM,UAAU,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAuC;IAC7E,OAAO,CACL,cAAK,SAAS,EAAC,gBAAgB,eAAY,QAAQ,EAAE,OAAO,EAAC,aAAa,EAAC,SAAS,EAAC,OAAO,iBAAa,MAAM,YAC7G,eAAM,IAAI,EAAC,cAAc,EAAC,CAAC,EAAE,IAAI,GAAI,GACjC,CACP,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,skBAAskB,CAAC;AACrmB,MAAM,CAAC,MAAM,iBAAiB,GAAG,ouBAAouB,CAAC"}

package/dist/sanitizeHtml.d.ts CHANGED Viewed

@@ -1,7 +1,23 @@
 /**
- * Sanitize preview HTML (concatenated registry-renderer output, which may
- * include host/diagram HTML) before it is injected via
- * dangerouslySetInnerHTML. Fails closed in a non-DOM environment.
+ * Sanitize renderer output HTML before it is injected (preview surface and the
+ * hybrid rendered-block widget). Fails closed in a non-DOM environment.
+ *
+ * Trust policy: this is a **trusted renderer-output** sanitizer, not a general
+ * untrusted-HTML policy. It runs DOMPurify's default config (which allows HTML +
+ * SVG + MathML and strips `<script>`, `on*` event handlers, and `javascript:`
+ * URLs) and additionally allows two tags that diagram renderers (Mermaid) require:
+ *
+ * - `<foreignObject>` — Mermaid renders flowchart node labels as HTML inside it;
+ *   `USE_PROFILES` would drop that HTML and the diagram text would vanish.
+ * - `<style>` — Mermaid emits a `<style>` block scoped inside the diagram `<svg>`.
+ *   DOMPurify's body-context parsing drops a *stray top-level* `<style>` blob, so
+ *   only renderer SVG-scoped CSS survives — the CSS-injection surface is limited to
+ *   trusted diagram output, not arbitrary document content.
+ *
+ * Renderers are nonetheless trusted to carry SVG-scoped CSS. Hosts that render
+ * genuinely untrusted Markdown source should keep renderer output trusted (or add
+ * a stricter profile). The regression test in `react/test/sanitize.test.ts` pins
+ * both behaviors (top-level dropped, SVG-scoped kept).
  */
 export declare function sanitizePreviewHtml(html: string): string;
 //# sourceMappingURL=sanitizeHtml.d.ts.map

package/dist/sanitizeHtml.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAEA~~;;;;GAIG~~;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,~~CAaxD~~"}
1	+ {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAOxD"}

package/dist/sanitizeHtml.js CHANGED Viewed

@@ -1,19 +1,29 @@
 import DOMPurify from 'dompurify';
 /**
- * Sanitize preview HTML (concatenated registry-renderer output, which may
- * include host/diagram HTML) before it is injected via
- * dangerouslySetInnerHTML. Fails closed in a non-DOM environment.
+ * Sanitize renderer output HTML before it is injected (preview surface and the
+ * hybrid rendered-block widget). Fails closed in a non-DOM environment.
+ *
+ * Trust policy: this is a **trusted renderer-output** sanitizer, not a general
+ * untrusted-HTML policy. It runs DOMPurify's default config (which allows HTML +
+ * SVG + MathML and strips `<script>`, `on*` event handlers, and `javascript:`
+ * URLs) and additionally allows two tags that diagram renderers (Mermaid) require:
+ *
+ * - `<foreignObject>` — Mermaid renders flowchart node labels as HTML inside it;
+ *   `USE_PROFILES` would drop that HTML and the diagram text would vanish.
+ * - `<style>` — Mermaid emits a `<style>` block scoped inside the diagram `<svg>`.
+ *   DOMPurify's body-context parsing drops a *stray top-level* `<style>` blob, so
+ *   only renderer SVG-scoped CSS survives — the CSS-injection surface is limited to
+ *   trusted diagram output, not arbitrary document content.
+ *
+ * Renderers are nonetheless trusted to carry SVG-scoped CSS. Hosts that render
+ * genuinely untrusted Markdown source should keep renderer output trusted (or add
+ * a stricter profile). The regression test in `react/test/sanitize.test.ts` pins
+ * both behaviors (top-level dropped, SVG-scoped kept).
  */
 export function sanitizePreviewHtml(html) {
     if (typeof DOMPurify.sanitize !== 'function') {
         return '';
     }
-    // Use DOMPurify's default config (which already allows HTML + SVG + MathML and
-    // strips scripts/event handlers) rather than USE_PROFILES. USE_PROFILES
-    // restricts namespaces and DROPS the HTML inside SVG <foreignObject>, which is
-    // how Mermaid renders flowchart node labels — that made diagram text vanish in
-    // the preview. The default config keeps foreignObject's HTML labels while still
-    // removing <script>/on*-handlers/javascript: URLs.
     return DOMPurify.sanitize(html, {
         ADD_TAGS: ['foreignObject', 'style'],
     });

package/dist/sanitizeHtml.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sanitizeHtml.js","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,WAAW,CAAC;AAElC~~;;;;GAIG~~;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,IAAI,OAAQ,SAAoC,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACzE,OAAO,EAAE,CAAC;IACZ,CAAC;IACD~~,+EAA+E;IAC/E~~,~~wEAAwE;IACxE,+EAA+E;IAC/E,+EAA+E;IAC/E,gFAAgF;IAChF,mDAAmD;IACnD,~~OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE;QAC9B,QAAQ,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC;KACrC,CAAC,CAAC;AACL,CAAC"}
1	+ {"version":3,"file":"sanitizeHtml.js","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,WAAW,CAAC;AAElC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,IAAI,OAAQ,SAAoC,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACzE,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE;QAC9B,QAAQ,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC;KACrC,CAAC,CAAC;AACL,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@echozedlabs/react",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "React markdown editor with Markdown, Hybrid, Preview, and Rich Text (WYSIWYG) modes — the echozed markdown editor.",
   "type": "module",
   "license": "MIT",
@@ -45,10 +45,10 @@
   },
   "dependencies": {
     "dompurify": "^3.4.3",
-    "@echozedlabs/core": "0.1.0",
-    "@echozedlabs/codemirror": "0.1.0",
-    "@echozedlabs/renderers": "0.1.0",
-    "@echozedlabs/wysiwyg-lexical": "0.1.0"
+    "@echozedlabs/codemirror": "0.2.0",
+    "@echozedlabs/core": "0.2.0",
+    "@echozedlabs/renderers": "0.2.0",
+    "@echozedlabs/wysiwyg-lexical": "0.2.0"
   },
   "peerDependencies": {
     "react": ">=18.2.0",