@govtechsg/oobee 0.10.86 → 0.10.88

package/examples/oobee-test-details-runner.js

@@ -0,0 +1,214 @@
+/**
+ * Details Output Demo
+ *
+ * Runs scanPage against intentionally non-compliant test pages to capture the
+ * enriched Details messages for: color-contrast, color-contrast-enhanced,
+ * target-size, valid-lang, and oobee-grading-text-contents.
+ *
+ * Usage: node examples/details-runner.js
+ */
+import { chromium } from 'playwright';
+import { scanPage } from '../dist/npmIndex.js';
+import { gradeReadability } from '../dist/crawlers/custom/gradeReadability.js';
+
+// --- Test HTML pages ---
+
+const colorContrastHTML = `
+<!DOCTYPE html>
+<html lang="en">
+<head><title>Color Contrast Test</title></head>
+<body style="background-color: #ffffff;">
+  <h1>Color Contrast Violations</h1>
+  <p style="color: #999999; font-size: 14px;">This light gray text on white background fails AA contrast</p>
+  <p style="color: #aaaaaa; font-size: 14px; background-color: #f0f0f0;">Very light gray on light gray</p>
+  <button style="background-color: #55aa99; color: #e8ffe8; font-size: 12px;">Low contrast button</button>
+</body>
+</html>
+`;
+
+const colorContrastEnhancedHTML = `
+<!DOCTYPE html>
+<html lang="en">
+<head><title>Color Contrast Enhanced Test</title></head>
+<body style="background-color: #ffffff;">
+  <h1>Color Contrast Enhanced AAA Violations</h1>
+  <p style="color: #757575; font-size: 14px;">This text passes AA but fails AAA needs 7 to 1</p>
+  <p style="color: #6b6b6b; font-size: 12px;">Small text needs 7 to 1 for AAA</p>
+</body>
+</html>
+`;
+
+const targetSizeHTML = `
+<!DOCTYPE html>
+<html lang="en">
+<head><title>Target Size Test</title>
+<style>
+body { font-family: sans-serif; padding: 40px; }
+.icon-link {
+  display: inline-block;
+  width: 16px;
+  height: 16px;
+  font-size: 10px;
+  line-height: 16px;
+  text-align: center;
+  text-decoration: none;
+  color: #333;
+  overflow: hidden;
+}
+</style>
+</head>
+<body>
+<main>
+<h1>Icon-sized interactive targets</h1>
+<a href="/a" class="icon-link" style="width: 16px; height: 16px;">A</a>
+<a href="/b" class="icon-link" style="width: 16px; height: 16px;">B</a>
+<a href="/c" class="icon-link" style="width: 16px; height: 16px;">C</a>
+</main>
+</body>
+</html>
+`;
+
+const validLangHTML = `
+<!DOCTYPE html>
+<html lang="x-sindarin">
+<head><title>Valid Lang Test</title></head>
+<body>
+  <main>
+  <h1>Valid Lang Violation</h1>
+  <p>This page uses a private-use language subtag that is not valid according to BCP 47.</p>
+  <div lang="x-klingon">This section also has an invalid private-use lang tag with some sample text content for context.</div>
+  </main>
+</body>
+</html>
+`;
+
+const readabilityHTML = `
+<!DOCTYPE html>
+<html lang="en">
+<head><title>Readability Test</title></head>
+<body>
+  <main>
+  <h1>Building Safety Standards</h1>
+  <p>The committee reviewed the proposed changes to the building safety standards last Thursday. Members noted that the current regulations do not address modern construction materials adequately. Several technical amendments were suggested to improve clarity for contractors and inspectors. The revised standards will require additional testing for fire resistance in commercial properties. Public consultation on these proposed changes will remain open until the end of next quarter. Building owners should review the draft guidelines to understand potential compliance requirements.</p>
+  </main>
+</body>
+</html>
+`;
+
+// --- Helpers ---
+
+function extractMessages(result, ruleId) {
+  const messages = [];
+  for (const category of ['mustFix', 'goodToFix', 'needsReview']) {
+    const rules = result?.[category]?.rules;
+    if (rules && rules[ruleId]) {
+      const rule = rules[ruleId];
+      messages.push({
+        category,
+        rule: rule.rule || ruleId,
+        description: rule.description,
+        totalItems: rule.totalItems,
+        items: rule.items?.map(item => ({
+          html: item.html || item.element,
+          message: item.message,
+        })),
+      });
+    }
+  }
+  return messages;
+}
+
+// --- Main ---
+
+(async () => {
+  console.log("Launching browser...");
+  const browser = await chromium.launch({ headless: true });
+  const output = {};
+
+  // 1. Color Contrast (AA)
+  console.log("Scanning: color-contrast...");
+  try {
+    const page = await browser.newPage();
+    await page.setContent(colorContrastHTML);
+    const result = await scanPage(page, {
+      name: "Test", email: "test@test.com", pageTitle: "Color Contrast Test",
+    });
+    output['color-contrast'] = extractMessages(result, 'color-contrast');
+    await page.close();
+  } catch (e) { console.error("color-contrast error:", e.message); }
+
+  // 2. Color Contrast Enhanced (AAA)
+  console.log("Scanning: color-contrast-enhanced...");
+  try {
+    const page = await browser.newPage();
+    await page.setContent(colorContrastEnhancedHTML);
+    const result = await scanPage(page, {
+      name: "Test", email: "test@test.com", pageTitle: "Color Contrast Enhanced Test",
+      ruleset: ['default', 'enable-wcag-aaa'],
+    });
+    output['color-contrast-enhanced'] = extractMessages(result, 'color-contrast-enhanced');
+    await page.close();
+  } catch (e) { console.error("color-contrast-enhanced error:", e.message); }
+
+  // 3. Target Size
+  console.log("Scanning: target-size...");
+  try {
+    const page = await browser.newPage();
+    await page.setContent(targetSizeHTML);
+    const result = await scanPage(page, {
+      name: "Test", email: "test@test.com", pageTitle: "Target Size Test",
+    });
+    output['target-size'] = extractMessages(result, 'target-size');
+    await page.close();
+  } catch (e) { console.error("target-size error:", e.message); }
+
+  // 4. Valid Lang
+  console.log("Scanning: valid-lang...");
+  try {
+    const page = await browser.newPage();
+    await page.setContent(validLangHTML);
+    const result = await scanPage(page, {
+      name: "Test", email: "test@test.com", pageTitle: "Valid Lang Test",
+    });
+    output['valid-lang'] = extractMessages(result, 'valid-lang');
+    await page.close();
+  } catch (e) { console.error("valid-lang error:", e.message); }
+
+  // 5. Readability (oobee-grading-text-contents)
+  console.log("Scanning: oobee-grading-text-contents...");
+  try {
+    const page = await browser.newPage();
+    await page.setContent(readabilityHTML);
+
+    // Simulate what the crawler does: extract text, grade readability
+    const textContent = readabilityHTML.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
+    const sentences = textContent.split(/(?<=[.!?])\s+/).filter(s => s.trim().length > 0);
+    const flag = gradeReadability(sentences);
+    console.log(`  Readability flag: "${flag}"`);
+
+    if (flag) {
+      const score = parseFloat(flag);
+      let interpretation = '';
+      if (score > 30) interpretation = 'It is targeted for junior college (JC) level comprehension and above.';
+      else interpretation = 'It is targeted for university graduate level comprehension and above.';
+
+      output['oobee-grading-text-contents'] = [{
+        category: 'needsReview',
+        rule: 'oobee-grading-text-contents',
+        description: 'Page content must use clear, plain language',
+        items: [{
+          html: '<html lang="en">...</html>',
+          message: `Text content is potentially difficult to read. It scored ${flag} out of 50 on the Flesch-Kincaid Readability Test. ${interpretation}`,
+        }],
+      }];
+    } else {
+      console.log("  Score filtered out (<=0 or >50). No violation triggered.");
+    }
+    await page.close();
+  } catch (e) { console.error("readability error:", e.message); }
+
+  await browser.close();
+
+  // Print results
+  console.log("\n" + JSON.stringify(output, null, 2));
+})();

package/examples/test-violations.html

@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Combined Accessibility Test</title>
+<style>
+body { font-family: sans-serif; padding: 40px; }
+.icon-link {
+  display: inline-block;
+  width: 16px;
+  height: 16px;
+  font-size: 10px;
+  line-height: 16px;
+  text-align: center;
+  text-decoration: none;
+  color: #333;
+  overflow: hidden;
+}
+</style>
+</head>
+<body>
+<main>
+<h1>Accessibility Violations Test Page</h1>
+
+<h2>Color Contrast</h2>
+<p style="color: #999999; font-size: 14px;">This light gray text on white background fails AA contrast</p>
+<p style="color: #aaaaaa; font-size: 14px; background-color: #f0f0f0;">Very light gray on light gray</p>
+<button style="background-color: #55aa99; color: #e8ffe8; font-size: 12px;">Low contrast button</button>
+
+<h2>Target Size</h2>
+<a href="/a" class="icon-link" style="width: 16px; height: 16px;">A</a>
+<a href="/b" class="icon-link" style="width: 16px; height: 16px;">B</a>
+<a href="/c" class="icon-link" style="width: 16px; height: 16px;">C</a>
+
+<h2>Valid Lang</h2>
+<div lang="x-klingon">This section has an invalid private-use lang tag with some sample text content for context.</div>
+
+<h2>Readability</h2>
+<p>The committee reviewed the proposed changes to the building safety standards last Thursday. Members noted that the current regulations do not address modern construction materials adequately. Several technical amendments were suggested to improve clarity for contractors and inspectors. The revised standards will require additional testing for fire resistance in commercial properties. Public consultation on these proposed changes will remain open until the end of next quarter. Building owners should review the draft guidelines to understand potential compliance requirements.</p>
+
+</main>
+</body>
+</html>

package/fix-summary-html-oom-pr.md

@@ -0,0 +1,62 @@
+# fix: prevent OOM and browser crash in report generation for large scans
+
+## Summary
+
+- Fix `summary.ejs` inlining the entire scan items payload (2 GB+ for 1000-page scans) via `JSON.stringify`, causing V8 OOM and killing the process
+- Fix `report.html` embedded scanItems exceeding browser memory limits (746 MB uncompressed JSON for 1000-page scans)
+- Fix write stream backpressure handling when embedding chunked base64 data
+- `writeSummaryHTML` crash also blocked `report.html` generation since it runs first
+
+## Problem 1: OOM in summary.html generation (server-side)
+
+For large scans (e.g. 1000 pages, 2.5M+ passed occurrences), `summary.ejs` serialized the full `items` object — including every rule's `pagesAffected` array with all individual issue items — into an inline `<script>` tag. This produced a string exceeding V8's limits, crashing the process silently.
+
+The result: neither `summary.html` nor `report.html` were generated, even though all JSON artifacts (`scanData.json`, `scanItems.json`, etc.) were written successfully.
+
+## Problem 2: Browser cannot parse embedded scanItems (client-side)
+
+Even with report generation fixed, the browser failed to load the All Issues view:
+```
+Failed to decode/unzip/parse: Unexpected end of JSON input
+```
+
+Root cause: `convertItemsToReferences` stripped per-page `items` arrays but still embedded the full `pagesAffected` array (url, pageTitle, actualUrl, metadata, etc. for every page × every rule). For 1000-page scans this produced **746 MB of uncompressed JSON** after base64-decode and gunzip — exceeding browser string/memory limits during `JSON.parse()`.
+
+## Problem 3: Write stream backpressure (server-side)
+
+The `writeHTML` function writes scan items as 2 MB base64 chunks via a `for await` loop over a read stream. `outputStream.write()` was not being checked for backpressure — when the write buffer filled up, subsequent writes could be silently dropped, producing truncated base64.
+
+## Fix
+
+### summary.ejs (OOM fix)
+Strip the inline JSON to only what `summaryTable.ejs` actually needs:
+- Rule-level metadata: `description`, `helpUrl`, `conformance`, `totalItems`
+- `pagesAffected: { length: N }` (just the count object, not the full array)
+
+This reduces the serialized payload from potentially gigabytes to a few kilobytes regardless of scan size.
+
+### itemReferences.ts (browser payload fix)
+`convertItemsToReferences` now strips each `pagesAffected` entry down to only `url`, `pageTitle`, and `itemsCount` — removing all per-item details (html snippets, screenshots, xpath, metadata, etc.) that constituted the bulk of the data. The All Issues list renders rule totals, and the "Group By Page" view in the rule modal still shows page URLs with occurrence counts.
+
+This reduces the embedded payload from 746 MB (uncompressed) to ~11 MB for a 1000-page scan — well within browser memory limits.
+
+### mergeAxeResults.ts (backpressure fix)
+Await the `drain` event on the output stream when `write()` returns `false` before writing the next chunk. This ensures all base64 data is fully written to the report regardless of payload size.
+
+## Files changed
+
+| File | Change |
+|------|--------|
+| `src/static/ejs/summary.ejs` | Strip inline JSON to rule counts only |
+| `src/mergeAxeResults/itemReferences.ts` | Strip `pagesAffected` to lightweight entries (url, pageTitle, itemsCount only) |
+| `src/mergeAxeResults.ts` | Await drain on backpressure during chunked write |
+| `src/static/ejs/partials/scripts/ruleModal/ruleOffcanvas.ejs` | Fall back to `pagesAffectedCount` |
+| `src/static/ejs/partials/scripts/ruleModal/pageAccordionBuilder.ejs` | Fall back to `pagesAffectedCount` |
+
+## Test plan
+
+- [ ] Run a large scan (500+ pages) and verify both `summary.html` and `report.html` are generated
+- [ ] Open `summary.html` in a browser and verify the summary table renders correctly (issue counts, page counts, help links)
+- [ ] Open `report.html` and verify the All Issues list loads and displays rule counts correctly
+- [ ] Verify the rule modal shows correct "Pages affected" count
+- [ ] Verify small scans still produce correct reports (no regression)

package/package.json

@@ -1,19 +1,19 @@
 {
   "name": "@govtechsg/oobee",
   "main": "dist/npmIndex.js",
-  "version": "0.10.86",
+  "version": "0.10.88",
   "type": "module",
   "author": "Government Technology Agency <info@tech.gov.sg>",
   "bin": {
     "oobee": "./dist/cli.js"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.893.0",
+    "@aws-sdk/client-s3": "^3.1049.0",
     "@json2csv/node": "^7.0.3",
     "@napi-rs/canvas": "^0.1.53",
     "@sentry/node": "^9.13.0",
     "@types/aws-sdk": "^0.0.42",
-    "axe-core": "^4.11.1",
+    "axe-core": "^4.11.4",
     "axios": "^1.8.2",
     "base64-stream": "^1.0.0",
     "cheerio": "^1.0.0-rc.12",
@@ -39,7 +39,7 @@
     "tldts": "^7.0.27",
     "typescript": "^5.4.5",
     "url": "^0.11.3",
-    "uuid": "^11.0.3",
+    "uuid": "^14.0.0",
     "validator": "^13.11.0",
     "which": "^4.0.0",
     "winston": "^3.11.0",
@@ -86,7 +86,7 @@
     "fast-xml-parser": ">=5.3.8",
     "js-yaml": "^4.1.1",
     "minimatch": "^10.2.4",
-    "brace-expansion": "^5.0.5",
+    "brace-expansion": "^5.0.6",
     "glob": "^13.0.6",
     "flatted": "^3.4.1",
     "file-type": "^21.3.3"

package/src/cli.ts

@@ -193,8 +193,11 @@ Usage: npm run cli -- -c <crawler> -d <device> -w <viewport> -u <url> OPTIONS`,
   .check(argvs => {
     const scanner = String(argvs.scanner ?? '');
 
-    if (argvs.strategy && scanner !== ScannerTypes.WEBSITE && scanner !== ScannerTypes.CUSTOM) {
-      throw new Error('-s or --strategy is only available in website and custom flow scans.');
+    if (argvs.strategy && scanner !== ScannerTypes.WEBSITE && scanner !== ScannerTypes.CUSTOM && scanner !== ScannerTypes.INTELLIGENT && scanner !== ScannerTypes.SITEMAP) {
+      throw new Error('-s or --strategy is only available in website, custom flow, intelligent, and sitemap scans.');
+    }
+    if (argvs.strategy === 'ignore' && scanner !== ScannerTypes.SITEMAP) {
+      throw new Error('-s ignore is only available for sitemap scans.');
     }
     return true;
   })
@@ -210,14 +213,21 @@ Usage: npm run cli -- -c <crawler> -d <device> -w <viewport> -u <url> OPTIONS`,
     return duration;
   })
   .check(argvs => {
-    if (argvs.scanner !== ScannerTypes.WEBSITE && argvs.strategy) {
-      throw new Error('-s or --strategy is only available in website scans.');
+    if (argvs.scanner !== ScannerTypes.WEBSITE && argvs.scanner !== ScannerTypes.CUSTOM && argvs.scanner !== ScannerTypes.INTELLIGENT && argvs.scanner !== ScannerTypes.SITEMAP && argvs.strategy) {
+      throw new Error('-s or --strategy is only available in website, custom flow, intelligent, and sitemap scans.');
+    }
+    if (argvs.strategy === 'ignore' && argvs.scanner !== ScannerTypes.SITEMAP) {
+      throw new Error('-s ignore is only available for sitemap scans.');
     }
     return true;
   })
   .conflicts('d', 'w')
   .parse() as unknown as Answers;
 
+if (!options.strategy) {
+  options.strategy = options.scanner === ScannerTypes.SITEMAP ? 'ignore' : 'same-domain';
+}
+
 const scanInit = async (argvs: Answers): Promise<string> => {
   const updatedArgvs = { ...argvs };
 
@@ -250,7 +260,11 @@ const scanInit = async (argvs: Answers): Promise<string> => {
     consoleLogger.info(`Connectivity Check HTTP Response Code: ${res.httpStatus}`);
 
   if (res.status === statuses.success.code) {
-    data.url = res.url;
+    // Custom flow should continue from the user-provided entry URL so auth redirects
+    // do not replace the original domain used for overlay gating and navigation.
+    if (data.type !== ScannerTypes.CUSTOM) {
+      data.url = res.url;
+    }
     if (process.env.OOBEE_VALIDATE_URL) {
       consoleLogger.info('Url is valid');
       cleanUpAndExit(0, data.randomToken);

package/src/combine.ts

@@ -161,6 +161,8 @@ const combineRun = async (details: Data, deviceToScan: string) => {
         blacklistedPatterns,
         includeScreenshots,
         extraHTTPHeaders,
+        strategy,
+        userUrl: url,
         scanDuration,
       });
       urlsCrawledObj = sitemapResult.urlsCrawled;
@@ -182,6 +184,7 @@ const combineRun = async (details: Data, deviceToScan: string) => {
         includeScreenshots,
         extraHTTPHeaders,
         scanDuration,
+        ruleset,
       });
       if (localFileResult) {
         if ('urlsCrawled' in localFileResult) {

package/src/constants/cliFunctions.ts

@@ -168,8 +168,8 @@ export const cliOptions: { [key: string]: Options } = {
   s: {
     alias: 'strategy',
     describe:
-      'Crawls up to general (same parent) domains, or only specific hostname. Defaults to "same-domain".',
-    choices: ['same-domain', 'same-hostname'],
+      'Crawls up to general (same parent) domains, or only specific hostname. Use "ignore" to disable URL filtering (default for sitemap scans). Defaults to "same-domain".',
+    choices: ['same-domain', 'same-hostname', 'ignore'],
     requiresArg: true,
     demandOption: false,
   },

package/src/constants/common.ts

@@ -33,7 +33,7 @@ import constants, {
 } from './constants.js';
 import { consoleLogger } from '../logs.js';
 import { isUrlPdf } from '../crawlers/commonCrawlerFunc.js';
-import { cleanUpAndExit, randomThreeDigitNumberString, register } from '../utils.js';
+import { cleanUpAndExit, isFollowStrategy, randomThreeDigitNumberString, register } from '../utils.js';
 import { Answers, Data } from '../index.js';
 import { DeviceDescriptor } from '../types/types.js';
 import { getProxyInfo, proxyInfoToResolution, ProxySettings } from '../proxyService.js';
@@ -746,7 +746,9 @@ export const prepareData = async (argv: Answers): Promise<Data> => {
     playwrightDeviceDetailsObject,
     maxRequestsPerCrawl: maxpages || constants.maxRequestsPerCrawl,
     strategy:
-      strategy === 'same-hostname' ? EnqueueStrategy.SameHostname : EnqueueStrategy.SameDomain,
+      strategy === 'same-hostname' ? EnqueueStrategy.SameHostname
+      : strategy === 'ignore' ? EnqueueStrategy.All
+      : EnqueueStrategy.SameDomain,
     isLocalFileScan,
     browser: browserToRun,
     nameEmail,
@@ -804,7 +806,11 @@ export const getUrlsFromRobotsTxt = async (
   const disallowedUrls = [];
   const allowedUrls = [];
 
-  const sanitisePattern = (pattern: string): string => {
+  // Returns 1–2 minimatch glob patterns for a single robots.txt path pattern.
+  // Two patterns are returned for bare paths (no trailing wildcard) so that
+  // both the exact URL and all child paths are blocked, matching robots.txt
+  // prefix semantics.
+  const sanitisePattern = (pattern: string): string[] => {
     const directoryRegex = /^\/(?:[^?#/]+\/)*[^?#]*$/;
     const subdirWildcardRegex = /\/\*\//g;
     const filePathRegex = /^\/(?:[^\/]+\/)*[^\/]+\.[a-zA-Z0-9]{1,6}$/;
@@ -812,16 +818,30 @@ export const getUrlsFromRobotsTxt = async (
     if (subdirWildcardRegex.test(pattern)) {
       pattern = pattern.replace(subdirWildcardRegex, '/**/');
     }
+
+    // Query-string patterns (e.g. /faq?faqItem= or /faq/?faq&faqItem=):
+    // '?' is the query separator in robots.txt but a single-char wildcard in
+    // minimatch. Escape it to a literal match and append '*' so any query
+    // value after the stated prefix is also blocked.
+    if (pattern.includes('?')) {
+      return [domain + pattern.replace('?', '\\?') + '*'];
+    }
+
     if (pattern.match(directoryRegex) && !pattern.match(filePathRegex)) {
       if (pattern.endsWith('*')) {
-        pattern = pattern.concat('*');
+        // e.g. /ebook/* → /ebook/** (already covers all children)
+        return [domain + pattern.concat('*')];
       } else {
-        if (!pattern.endsWith('/')) pattern = pattern.concat('/');
-        pattern = pattern.concat('**');
+        // Bare path (e.g. /subscription/unsubscribe): robots.txt blocks the
+        // exact URL *and* every descendant. minimatch's '/**' glob does not
+        // match the bare path itself (no trailing slash), so we emit both the
+        // exact-path pattern and a children glob.
+        const base = domain + pattern;
+        const children = domain + (pattern.endsWith('/') ? pattern : pattern + '/') + '**';
+        return [base, children];
       }
     }
-    const final = domain.concat(pattern);
-    return final;
+    return [domain + pattern];
   };
 
   for (const line of lines) {
@@ -832,14 +852,12 @@ export const getUrlsFromRobotsTxt = async (
     } else if (shouldCapture && line.toLowerCase().startsWith('disallow:')) {
       let disallowed = line.substring('disallow: '.length).trim();
       if (disallowed) {
-        disallowed = sanitisePattern(disallowed);
-        disallowedUrls.push(disallowed);
+        disallowedUrls.push(...sanitisePattern(disallowed));
       }
     } else if (shouldCapture && line.toLowerCase().startsWith('allow:')) {
       let allowed = line.substring('allow: '.length).trim();
       if (allowed) {
-        allowed = sanitisePattern(allowed);
-        allowedUrls.push(allowed);
+        allowedUrls.push(...sanitisePattern(allowed));
       }
     }
   }
@@ -899,6 +917,38 @@ const getRobotsTxtViaPlaywright = async (
   }
 };
 
+export const getSitemapsFromRobotsTxt = async (
+  url: string,
+  browser: string,
+  userDataDirectory: string,
+  extraHTTPHeaders: Record<string, string>,
+): Promise<string[]> => {
+  const domain = new URL(url).origin;
+  const robotsUrl = domain.concat('/robots.txt');
+
+  let robotsTxt: string;
+  try {
+    robotsTxt = await getRobotsTxtViaPlaywright(robotsUrl, browser, userDataDirectory, extraHTTPHeaders);
+  } catch (e) {
+    consoleLogger.info(`Unable to fetch robots.txt from ${robotsUrl} for sitemap discovery`);
+    return [];
+  }
+
+  if (!robotsTxt) return [];
+
+  const sitemaps: string[] = [];
+  const lines = robotsTxt.split(/\r?\n/);
+  for (const line of lines) {
+    if (line.toLowerCase().startsWith('sitemap:')) {
+      const sitemapUrl = line.substring('sitemap:'.length).trim();
+      if (sitemapUrl) {
+        sitemaps.push(sitemapUrl);
+      }
+    }
+  }
+  return sitemaps;
+};
+
 export const isDisallowedInRobotsTxt = (url: string): boolean => {
   if (!constants.robotsTxtUrls) return;
 
@@ -931,6 +981,8 @@ export const getLinksFromSitemap = async (
   userUrlInput: string,
   isIntelligent: boolean,
   extraHTTPHeaders: Record<string, string>,
+  strategy: EnqueueStrategy = EnqueueStrategy.All,
+  userUrl: string = userUrlInput,
 ) => {
   const scannedSitemaps = new Set<string>();
   const urls: Record<string, Request> = {}; // dictionary of requests to urls to be scanned
@@ -940,6 +992,7 @@ export const getLinksFromSitemap = async (
   const addToUrlList = (url: string) => {
     if (!url) return;
     if (isDisallowedInRobotsTxt(url)) return;
+    if (!isFilePath(userUrl) && !isFollowStrategy(url, userUrl, strategy)) return;
 
     url = convertPathToLocalFile(url);