npm - @particle-academy/react-fancy - Versions diffs - 2.4.0 → 2.5.0 - Mend

@particle-academy/react-fancy 2.4.0 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -1615,6 +1615,14 @@ interface EditorProps {
     placeholder?: string;
     /** Per-instance render extensions. Merged with any globally-registered extensions. */
     extensions?: RenderExtension[];
+    /**
+     * Skip HTML sanitization of the initial value. By default the initial markdown/HTML
+     * is sanitized to remove `<script>`, `<iframe>`, event handlers, and `javascript:`
+     * URIs before being placed into contentEditable. Pass `unsafe` only when the
+     * initial value is fully trusted.
+     * @default false
+     */
+    unsafe?: boolean;
 }
 declare function EditorToolbar({ actions, onAction, children, className, }: EditorToolbarProps): react_jsx_runtime.JSX.Element;
@@ -1632,7 +1640,7 @@ declare namespace EditorContent {
     var displayName: string;
 }
-declare function EditorRoot({ children, className, value: controlledValue, defaultValue, onChange, outputFormat, lineSpacing, placeholder, extensions: instanceExtensions, }: EditorProps): react_jsx_runtime.JSX.Element;
+declare function EditorRoot({ children, className, value: controlledValue, defaultValue, onChange, outputFormat, lineSpacing, placeholder, extensions: instanceExtensions, unsafe, }: EditorProps): react_jsx_runtime.JSX.Element;
 declare const Editor: typeof EditorRoot & {
     Toolbar: typeof EditorToolbar & {
         Separator: typeof EditorToolbarSeparator;
@@ -1664,9 +1672,17 @@ interface ContentRendererProps {
     className?: string;
     /** Per-instance render extensions. Merged with any globally-registered extensions. */
     extensions?: RenderExtension[];
+    /**
+     * Skip HTML sanitization. By default, rendered output is sanitized to remove
+     * `<script>`, `<iframe>`, event handlers, and `javascript:` URIs. Pass
+     * `unsafe` only when the input is fully trusted (e.g. server-rendered
+     * markdown from your own CMS).
+     * @default false
+     */
+    unsafe?: boolean;
 }
-declare function ContentRenderer({ value, format, lineSpacing, className, extensions: instanceExtensions, }: ContentRendererProps): react_jsx_runtime.JSX.Element;
+declare function ContentRenderer({ value, format, lineSpacing, className, extensions: instanceExtensions, unsafe, }: ContentRendererProps): react_jsx_runtime.JSX.Element;
 declare namespace ContentRenderer {
     var displayName: string;
 }
@@ -2243,6 +2259,35 @@ declare function useTreeNav(): TreeNavContextValue;
 declare function cn(...inputs: ClassValue[]): string;
+/**
+ * HTML and URL sanitization utilities.
+ *
+ * Hand-rolled (no third-party deps) using browser-native `DOMParser`. Designed
+ * for the trust model "consumer passes user-generated markdown/HTML to a
+ * react-fancy component" — strips script tags, event handlers, and dangerous
+ * URI schemes from `href`/`src` attributes.
+ *
+ * For server-side rendering (no `window`), `sanitizeHtml` returns the input
+ * unchanged. Consumers SSR-rendering untrusted content should sanitize on the
+ * server with their own pipeline.
+ */
+/**
+ * Validate a URL/href against an allow-list of safe protocols. Returns the
+ * input if safe, or `undefined` if it begins with a dangerous scheme like
+ * `javascript:`, `data:`, or `vbscript:`. Relative URLs and fragment links
+ * are allowed.
+ */
+declare function sanitizeHref(href: string | undefined | null): string | undefined;
+/**
+ * Sanitize an HTML string by removing dangerous tags (script, iframe, etc.),
+ * event-handler attributes (`onclick`, `onerror`, ...), and dangerous URI
+ * schemes in `href`/`src` attributes.
+ *
+ * Uses the browser's `DOMParser`. In non-browser environments returns the
+ * input unchanged — sanitize on the server in those cases.
+ */
+declare function sanitizeHtml(html: string): string;
 declare function useControllableState<T>(controlledValue: T | undefined, defaultValue: T, onChange?: (value: T) => void): [T, (value: T | ((prev: T) => T)) => void];
 declare function useOutsideClick(ref: RefObject<HTMLElement | null>, handler: (event: MouseEvent | TouchEvent) => void, enabled?: boolean, ignoreRef?: RefObject<HTMLElement | null>): void;
@@ -2277,4 +2322,4 @@ declare function useAnimation({ open, enterClass, exitClass, }: UseAnimationOpti
 declare function useId(prefix?: string): string;
-export { Accordion, type AccordionContentProps, type AccordionContextValue, type AccordionItemProps, type AccordionProps, type AccordionTriggerProps, Action, type ActionColor, type ActionProps, type AffixPosition, Autocomplete, type AutocompleteOption, type AutocompleteProps, Avatar, type AvatarProps, Badge, type BadgeProps, Brand, type BrandProps, Breadcrumbs, type BreadcrumbsItemProps, type BreadcrumbsProps, Calendar, type CalendarMode, type CalendarProps, Callout, type CalloutProps, Canvas, type CanvasContextValue, type CanvasControlsProps, type CanvasEdgeProps, type CanvasMinimapProps, type CanvasNodeProps, type CanvasProps, Card, type CardBodyProps, type CardFooterProps, type CardHeaderProps, type CardProps, Carousel, type CarouselContextValue, type CarouselControlsProps, type CarouselPanelsProps, type CarouselProps, type CarouselSlideProps, type CarouselStepsProps, type CarouselVariant, Chart, type ChartAreaProps, type ChartBarData, type ChartBarProps, type ChartCommonProps, type ChartDonutData, type ChartDonutProps, type ChartHorizontalBarProps, type ChartLineProps, type ChartPieData, type ChartPieProps, type ChartSeries, type ChartSparklineProps, type ChartStackedBarProps, Checkbox, CheckboxGroup, type CheckboxGroupProps, type CheckboxProps, type Color, ColorPicker, type ColorPickerProps, Command, type CommandContextValue, type CommandEmptyProps, type CommandGroupProps, type CommandInputProps, type CommandItemProps, type CommandListProps, type CommandProps, Composer, type ComposerProps, ContentRenderer, type ContentRendererProps, ContextMenu, type ContextMenuContentProps, type ContextMenuContextValue, type ContextMenuItemProps, type ContextMenuProps, type ContextMenuSeparatorProps, type ContextMenuTriggerProps, DatePicker, type DatePickerProps, type DateRange, Diagram, type DiagramContextValue, type DiagramEntityData, type DiagramEntityProps, type DiagramFieldData, type DiagramFieldProps, type DiagramProps, type DiagramRelationData, type DiagramRelationProps, type DiagramSchema, type DiagramToolbarProps, type DiagramType, type DropPosition, Dropdown, type DropdownContextValue, type DropdownItemProps, type DropdownItemsProps, type DropdownProps, type DropdownSeparatorProps, type DropdownTriggerProps, EMOJI_CATEGORY_ORDER, EMOJI_DATA, EMOJI_ENTRIES, type EdgeAnchor, Editor, type EditorAction, type EditorContentProps, type EditorContextValue, type EditorProps, type EditorToolbarProps, Emoji, type EmojiCategory, type EmojiCategoryKey, type EmojiEntry, type EmojiFlatEntry, type EmojiProps, EmojiSelect, type EmojiSelectProps, type ExportFormat, Field, type FieldProps, FileUpload, type FileUploadContextValue, type FileUploadDropzoneProps, type FileUploadListProps, type FileUploadProps, Heading, type HeadingProps, Icon, type IconProps, type IconSet, Input, type InputAffixProps, type InputBaseProps, type InputOption, type InputOptionGroup, type InputProps, Kanban, type KanbanCardProps, type KanbanColumnProps, type KanbanContextValue, type KanbanProps, Menu, type MenuContextValue, type MenuGroupProps, type MenuItemProps, type MenuOrientation, type MenuProps, type MenuSubmenuProps, MobileMenu, type MobileMenuBottomBarProps, type MobileMenuContextValue, type MobileMenuFlyoutProps, type MobileMenuItemProps, type MobileMenuSide, type MobileMenuVariant, Modal, type ModalBodyProps, type ModalContextValue, type ModalFooterProps, type ModalHeaderProps, type ModalProps, MultiSwitch, type MultiSwitchProps, Navbar, type NavbarBrandProps, type NavbarContextValue, type NavbarItemProps, type NavbarItemsProps, type NavbarProps, type NavbarToggleProps, type NodeRect, OtpInput, type OtpInputProps, Pagination, type PaginationProps, Pillbox, type PillboxProps, type Placement, Popover, type PopoverContentProps, type PopoverContextValue, type PopoverProps, type PopoverTriggerProps, Portal, type PortalProps, Profile, type ProfileProps, Progress, type ProgressProps, RadioGroup, type RadioGroupProps, type RelationType, type RenderExtension, type RenderExtensionProps, SKIN_TONES, Select, type SelectProps, Separator, type SeparatorProps, Sidebar, type SidebarCollapseMode, type SidebarContextValue, type SidebarGroupProps, type SidebarItemProps, type SidebarProps, type SidebarSubmenuProps, type SidebarToggleProps, type Size, Skeleton, type SkeletonProps, type SkinTone, Slider, type SliderProps, Switch, type SwitchProps, Table, type TableBodyProps, type TableCellProps, type TableColumnProps, type TableHeadProps, type TablePaginationProps, type TableProps, type TableRowProps, type TableRowTrayProps, type TableSearchProps, type TableTrayProps, Tabs, type TabsContextValue, type TabsListProps, type TabsPanelProps, type TabsPanelsProps, type TabsProps, type TabsTabProps, type TabsVariant, Text, type TextProps, Textarea, type TextareaProps, TimePicker, type TimePickerProps, Timeline, type TimelineBlockProps, type TimelineEvent, type TimelineItemProps, type TimelineOrientation, type TimelineProps, type TimelineVariant, Toast, type ToastContextValue, type ToastData, type ToastPosition, type ToastProviderProps, type ToastVariant, Tooltip, type TooltipProps, TreeNav, type TreeNavContextValue, type TreeNavProps, type TreeNodeData, type TreeNodeProps, type Variant, type ViewportState, applyTone, cn, configureIcons, find, hasSkinTones, registerExtension, registerExtensions, registerIconSet, registerIcons, resolve, search, skinTones, useAccordion, useAnimation, useCanvas, useCarousel, useCommand, useContextMenu, useControllableState, useDiagram, useDropdown, useEditor, useEscapeKey, useFileUpload, useFloatingPosition, useFocusTrap, useId, useKanban, useMenu, useMobileMenu, useModal, useNavbar, useNodeRegistry, useOutsideClick, usePanZoom, usePopover, useSidebar, useTabs, useToast, useTreeNav };
+export { Accordion, type AccordionContentProps, type AccordionContextValue, type AccordionItemProps, type AccordionProps, type AccordionTriggerProps, Action, type ActionColor, type ActionProps, type AffixPosition, Autocomplete, type AutocompleteOption, type AutocompleteProps, Avatar, type AvatarProps, Badge, type BadgeProps, Brand, type BrandProps, Breadcrumbs, type BreadcrumbsItemProps, type BreadcrumbsProps, Calendar, type CalendarMode, type CalendarProps, Callout, type CalloutProps, Canvas, type CanvasContextValue, type CanvasControlsProps, type CanvasEdgeProps, type CanvasMinimapProps, type CanvasNodeProps, type CanvasProps, Card, type CardBodyProps, type CardFooterProps, type CardHeaderProps, type CardProps, Carousel, type CarouselContextValue, type CarouselControlsProps, type CarouselPanelsProps, type CarouselProps, type CarouselSlideProps, type CarouselStepsProps, type CarouselVariant, Chart, type ChartAreaProps, type ChartBarData, type ChartBarProps, type ChartCommonProps, type ChartDonutData, type ChartDonutProps, type ChartHorizontalBarProps, type ChartLineProps, type ChartPieData, type ChartPieProps, type ChartSeries, type ChartSparklineProps, type ChartStackedBarProps, Checkbox, CheckboxGroup, type CheckboxGroupProps, type CheckboxProps, type Color, ColorPicker, type ColorPickerProps, Command, type CommandContextValue, type CommandEmptyProps, type CommandGroupProps, type CommandInputProps, type CommandItemProps, type CommandListProps, type CommandProps, Composer, type ComposerProps, ContentRenderer, type ContentRendererProps, ContextMenu, type ContextMenuContentProps, type ContextMenuContextValue, type ContextMenuItemProps, type ContextMenuProps, type ContextMenuSeparatorProps, type ContextMenuTriggerProps, DatePicker, type DatePickerProps, type DateRange, Diagram, type DiagramContextValue, type DiagramEntityData, type DiagramEntityProps, type DiagramFieldData, type DiagramFieldProps, type DiagramProps, type DiagramRelationData, type DiagramRelationProps, type DiagramSchema, type DiagramToolbarProps, type DiagramType, type DropPosition, Dropdown, type DropdownContextValue, type DropdownItemProps, type DropdownItemsProps, type DropdownProps, type DropdownSeparatorProps, type DropdownTriggerProps, EMOJI_CATEGORY_ORDER, EMOJI_DATA, EMOJI_ENTRIES, type EdgeAnchor, Editor, type EditorAction, type EditorContentProps, type EditorContextValue, type EditorProps, type EditorToolbarProps, Emoji, type EmojiCategory, type EmojiCategoryKey, type EmojiEntry, type EmojiFlatEntry, type EmojiProps, EmojiSelect, type EmojiSelectProps, type ExportFormat, Field, type FieldProps, FileUpload, type FileUploadContextValue, type FileUploadDropzoneProps, type FileUploadListProps, type FileUploadProps, Heading, type HeadingProps, Icon, type IconProps, type IconSet, Input, type InputAffixProps, type InputBaseProps, type InputOption, type InputOptionGroup, type InputProps, Kanban, type KanbanCardProps, type KanbanColumnProps, type KanbanContextValue, type KanbanProps, Menu, type MenuContextValue, type MenuGroupProps, type MenuItemProps, type MenuOrientation, type MenuProps, type MenuSubmenuProps, MobileMenu, type MobileMenuBottomBarProps, type MobileMenuContextValue, type MobileMenuFlyoutProps, type MobileMenuItemProps, type MobileMenuSide, type MobileMenuVariant, Modal, type ModalBodyProps, type ModalContextValue, type ModalFooterProps, type ModalHeaderProps, type ModalProps, MultiSwitch, type MultiSwitchProps, Navbar, type NavbarBrandProps, type NavbarContextValue, type NavbarItemProps, type NavbarItemsProps, type NavbarProps, type NavbarToggleProps, type NodeRect, OtpInput, type OtpInputProps, Pagination, type PaginationProps, Pillbox, type PillboxProps, type Placement, Popover, type PopoverContentProps, type PopoverContextValue, type PopoverProps, type PopoverTriggerProps, Portal, type PortalProps, Profile, type ProfileProps, Progress, type ProgressProps, RadioGroup, type RadioGroupProps, type RelationType, type RenderExtension, type RenderExtensionProps, SKIN_TONES, Select, type SelectProps, Separator, type SeparatorProps, Sidebar, type SidebarCollapseMode, type SidebarContextValue, type SidebarGroupProps, type SidebarItemProps, type SidebarProps, type SidebarSubmenuProps, type SidebarToggleProps, type Size, Skeleton, type SkeletonProps, type SkinTone, Slider, type SliderProps, Switch, type SwitchProps, Table, type TableBodyProps, type TableCellProps, type TableColumnProps, type TableHeadProps, type TablePaginationProps, type TableProps, type TableRowProps, type TableRowTrayProps, type TableSearchProps, type TableTrayProps, Tabs, type TabsContextValue, type TabsListProps, type TabsPanelProps, type TabsPanelsProps, type TabsProps, type TabsTabProps, type TabsVariant, Text, type TextProps, Textarea, type TextareaProps, TimePicker, type TimePickerProps, Timeline, type TimelineBlockProps, type TimelineEvent, type TimelineItemProps, type TimelineOrientation, type TimelineProps, type TimelineVariant, Toast, type ToastContextValue, type ToastData, type ToastPosition, type ToastProviderProps, type ToastVariant, Tooltip, type TooltipProps, TreeNav, type TreeNavContextValue, type TreeNavProps, type TreeNodeData, type TreeNodeProps, type Variant, type ViewportState, applyTone, cn, configureIcons, find, hasSkinTones, registerExtension, registerExtensions, registerIconSet, registerIcons, resolve, sanitizeHref, sanitizeHtml, search, skinTones, useAccordion, useAnimation, useCanvas, useCarousel, useCommand, useContextMenu, useControllableState, useDiagram, useDropdown, useEditor, useEscapeKey, useFileUpload, useFloatingPosition, useFocusTrap, useId, useKanban, useMenu, useMobileMenu, useModal, useNavbar, useNodeRegistry, useOutsideClick, usePanZoom, usePopover, useSidebar, useTabs, useToast, useTreeNav };

package/dist/index.d.ts CHANGED Viewed

@@ -1615,6 +1615,14 @@ interface EditorProps {
     placeholder?: string;
     /** Per-instance render extensions. Merged with any globally-registered extensions. */
     extensions?: RenderExtension[];
+    /**
+     * Skip HTML sanitization of the initial value. By default the initial markdown/HTML
+     * is sanitized to remove `<script>`, `<iframe>`, event handlers, and `javascript:`
+     * URIs before being placed into contentEditable. Pass `unsafe` only when the
+     * initial value is fully trusted.
+     * @default false
+     */
+    unsafe?: boolean;
 }
 declare function EditorToolbar({ actions, onAction, children, className, }: EditorToolbarProps): react_jsx_runtime.JSX.Element;
@@ -1632,7 +1640,7 @@ declare namespace EditorContent {
     var displayName: string;
 }
-declare function EditorRoot({ children, className, value: controlledValue, defaultValue, onChange, outputFormat, lineSpacing, placeholder, extensions: instanceExtensions, }: EditorProps): react_jsx_runtime.JSX.Element;
+declare function EditorRoot({ children, className, value: controlledValue, defaultValue, onChange, outputFormat, lineSpacing, placeholder, extensions: instanceExtensions, unsafe, }: EditorProps): react_jsx_runtime.JSX.Element;
 declare const Editor: typeof EditorRoot & {
     Toolbar: typeof EditorToolbar & {
         Separator: typeof EditorToolbarSeparator;
@@ -1664,9 +1672,17 @@ interface ContentRendererProps {
     className?: string;
     /** Per-instance render extensions. Merged with any globally-registered extensions. */
     extensions?: RenderExtension[];
+    /**
+     * Skip HTML sanitization. By default, rendered output is sanitized to remove
+     * `<script>`, `<iframe>`, event handlers, and `javascript:` URIs. Pass
+     * `unsafe` only when the input is fully trusted (e.g. server-rendered
+     * markdown from your own CMS).
+     * @default false
+     */
+    unsafe?: boolean;
 }
-declare function ContentRenderer({ value, format, lineSpacing, className, extensions: instanceExtensions, }: ContentRendererProps): react_jsx_runtime.JSX.Element;
+declare function ContentRenderer({ value, format, lineSpacing, className, extensions: instanceExtensions, unsafe, }: ContentRendererProps): react_jsx_runtime.JSX.Element;
 declare namespace ContentRenderer {
     var displayName: string;
 }
@@ -2243,6 +2259,35 @@ declare function useTreeNav(): TreeNavContextValue;
 declare function cn(...inputs: ClassValue[]): string;
+/**
+ * HTML and URL sanitization utilities.
+ *
+ * Hand-rolled (no third-party deps) using browser-native `DOMParser`. Designed
+ * for the trust model "consumer passes user-generated markdown/HTML to a
+ * react-fancy component" — strips script tags, event handlers, and dangerous
+ * URI schemes from `href`/`src` attributes.
+ *
+ * For server-side rendering (no `window`), `sanitizeHtml` returns the input
+ * unchanged. Consumers SSR-rendering untrusted content should sanitize on the
+ * server with their own pipeline.
+ */
+/**
+ * Validate a URL/href against an allow-list of safe protocols. Returns the
+ * input if safe, or `undefined` if it begins with a dangerous scheme like
+ * `javascript:`, `data:`, or `vbscript:`. Relative URLs and fragment links
+ * are allowed.
+ */
+declare function sanitizeHref(href: string | undefined | null): string | undefined;
+/**
+ * Sanitize an HTML string by removing dangerous tags (script, iframe, etc.),
+ * event-handler attributes (`onclick`, `onerror`, ...), and dangerous URI
+ * schemes in `href`/`src` attributes.
+ *
+ * Uses the browser's `DOMParser`. In non-browser environments returns the
+ * input unchanged — sanitize on the server in those cases.
+ */
+declare function sanitizeHtml(html: string): string;
 declare function useControllableState<T>(controlledValue: T | undefined, defaultValue: T, onChange?: (value: T) => void): [T, (value: T | ((prev: T) => T)) => void];
 declare function useOutsideClick(ref: RefObject<HTMLElement | null>, handler: (event: MouseEvent | TouchEvent) => void, enabled?: boolean, ignoreRef?: RefObject<HTMLElement | null>): void;
@@ -2277,4 +2322,4 @@ declare function useAnimation({ open, enterClass, exitClass, }: UseAnimationOpti
 declare function useId(prefix?: string): string;
-export { Accordion, type AccordionContentProps, type AccordionContextValue, type AccordionItemProps, type AccordionProps, type AccordionTriggerProps, Action, type ActionColor, type ActionProps, type AffixPosition, Autocomplete, type AutocompleteOption, type AutocompleteProps, Avatar, type AvatarProps, Badge, type BadgeProps, Brand, type BrandProps, Breadcrumbs, type BreadcrumbsItemProps, type BreadcrumbsProps, Calendar, type CalendarMode, type CalendarProps, Callout, type CalloutProps, Canvas, type CanvasContextValue, type CanvasControlsProps, type CanvasEdgeProps, type CanvasMinimapProps, type CanvasNodeProps, type CanvasProps, Card, type CardBodyProps, type CardFooterProps, type CardHeaderProps, type CardProps, Carousel, type CarouselContextValue, type CarouselControlsProps, type CarouselPanelsProps, type CarouselProps, type CarouselSlideProps, type CarouselStepsProps, type CarouselVariant, Chart, type ChartAreaProps, type ChartBarData, type ChartBarProps, type ChartCommonProps, type ChartDonutData, type ChartDonutProps, type ChartHorizontalBarProps, type ChartLineProps, type ChartPieData, type ChartPieProps, type ChartSeries, type ChartSparklineProps, type ChartStackedBarProps, Checkbox, CheckboxGroup, type CheckboxGroupProps, type CheckboxProps, type Color, ColorPicker, type ColorPickerProps, Command, type CommandContextValue, type CommandEmptyProps, type CommandGroupProps, type CommandInputProps, type CommandItemProps, type CommandListProps, type CommandProps, Composer, type ComposerProps, ContentRenderer, type ContentRendererProps, ContextMenu, type ContextMenuContentProps, type ContextMenuContextValue, type ContextMenuItemProps, type ContextMenuProps, type ContextMenuSeparatorProps, type ContextMenuTriggerProps, DatePicker, type DatePickerProps, type DateRange, Diagram, type DiagramContextValue, type DiagramEntityData, type DiagramEntityProps, type DiagramFieldData, type DiagramFieldProps, type DiagramProps, type DiagramRelationData, type DiagramRelationProps, type DiagramSchema, type DiagramToolbarProps, type DiagramType, type DropPosition, Dropdown, type DropdownContextValue, type DropdownItemProps, type DropdownItemsProps, type DropdownProps, type DropdownSeparatorProps, type DropdownTriggerProps, EMOJI_CATEGORY_ORDER, EMOJI_DATA, EMOJI_ENTRIES, type EdgeAnchor, Editor, type EditorAction, type EditorContentProps, type EditorContextValue, type EditorProps, type EditorToolbarProps, Emoji, type EmojiCategory, type EmojiCategoryKey, type EmojiEntry, type EmojiFlatEntry, type EmojiProps, EmojiSelect, type EmojiSelectProps, type ExportFormat, Field, type FieldProps, FileUpload, type FileUploadContextValue, type FileUploadDropzoneProps, type FileUploadListProps, type FileUploadProps, Heading, type HeadingProps, Icon, type IconProps, type IconSet, Input, type InputAffixProps, type InputBaseProps, type InputOption, type InputOptionGroup, type InputProps, Kanban, type KanbanCardProps, type KanbanColumnProps, type KanbanContextValue, type KanbanProps, Menu, type MenuContextValue, type MenuGroupProps, type MenuItemProps, type MenuOrientation, type MenuProps, type MenuSubmenuProps, MobileMenu, type MobileMenuBottomBarProps, type MobileMenuContextValue, type MobileMenuFlyoutProps, type MobileMenuItemProps, type MobileMenuSide, type MobileMenuVariant, Modal, type ModalBodyProps, type ModalContextValue, type ModalFooterProps, type ModalHeaderProps, type ModalProps, MultiSwitch, type MultiSwitchProps, Navbar, type NavbarBrandProps, type NavbarContextValue, type NavbarItemProps, type NavbarItemsProps, type NavbarProps, type NavbarToggleProps, type NodeRect, OtpInput, type OtpInputProps, Pagination, type PaginationProps, Pillbox, type PillboxProps, type Placement, Popover, type PopoverContentProps, type PopoverContextValue, type PopoverProps, type PopoverTriggerProps, Portal, type PortalProps, Profile, type ProfileProps, Progress, type ProgressProps, RadioGroup, type RadioGroupProps, type RelationType, type RenderExtension, type RenderExtensionProps, SKIN_TONES, Select, type SelectProps, Separator, type SeparatorProps, Sidebar, type SidebarCollapseMode, type SidebarContextValue, type SidebarGroupProps, type SidebarItemProps, type SidebarProps, type SidebarSubmenuProps, type SidebarToggleProps, type Size, Skeleton, type SkeletonProps, type SkinTone, Slider, type SliderProps, Switch, type SwitchProps, Table, type TableBodyProps, type TableCellProps, type TableColumnProps, type TableHeadProps, type TablePaginationProps, type TableProps, type TableRowProps, type TableRowTrayProps, type TableSearchProps, type TableTrayProps, Tabs, type TabsContextValue, type TabsListProps, type TabsPanelProps, type TabsPanelsProps, type TabsProps, type TabsTabProps, type TabsVariant, Text, type TextProps, Textarea, type TextareaProps, TimePicker, type TimePickerProps, Timeline, type TimelineBlockProps, type TimelineEvent, type TimelineItemProps, type TimelineOrientation, type TimelineProps, type TimelineVariant, Toast, type ToastContextValue, type ToastData, type ToastPosition, type ToastProviderProps, type ToastVariant, Tooltip, type TooltipProps, TreeNav, type TreeNavContextValue, type TreeNavProps, type TreeNodeData, type TreeNodeProps, type Variant, type ViewportState, applyTone, cn, configureIcons, find, hasSkinTones, registerExtension, registerExtensions, registerIconSet, registerIcons, resolve, search, skinTones, useAccordion, useAnimation, useCanvas, useCarousel, useCommand, useContextMenu, useControllableState, useDiagram, useDropdown, useEditor, useEscapeKey, useFileUpload, useFloatingPosition, useFocusTrap, useId, useKanban, useMenu, useMobileMenu, useModal, useNavbar, useNodeRegistry, useOutsideClick, usePanZoom, usePopover, useSidebar, useTabs, useToast, useTreeNav };
+export { Accordion, type AccordionContentProps, type AccordionContextValue, type AccordionItemProps, type AccordionProps, type AccordionTriggerProps, Action, type ActionColor, type ActionProps, type AffixPosition, Autocomplete, type AutocompleteOption, type AutocompleteProps, Avatar, type AvatarProps, Badge, type BadgeProps, Brand, type BrandProps, Breadcrumbs, type BreadcrumbsItemProps, type BreadcrumbsProps, Calendar, type CalendarMode, type CalendarProps, Callout, type CalloutProps, Canvas, type CanvasContextValue, type CanvasControlsProps, type CanvasEdgeProps, type CanvasMinimapProps, type CanvasNodeProps, type CanvasProps, Card, type CardBodyProps, type CardFooterProps, type CardHeaderProps, type CardProps, Carousel, type CarouselContextValue, type CarouselControlsProps, type CarouselPanelsProps, type CarouselProps, type CarouselSlideProps, type CarouselStepsProps, type CarouselVariant, Chart, type ChartAreaProps, type ChartBarData, type ChartBarProps, type ChartCommonProps, type ChartDonutData, type ChartDonutProps, type ChartHorizontalBarProps, type ChartLineProps, type ChartPieData, type ChartPieProps, type ChartSeries, type ChartSparklineProps, type ChartStackedBarProps, Checkbox, CheckboxGroup, type CheckboxGroupProps, type CheckboxProps, type Color, ColorPicker, type ColorPickerProps, Command, type CommandContextValue, type CommandEmptyProps, type CommandGroupProps, type CommandInputProps, type CommandItemProps, type CommandListProps, type CommandProps, Composer, type ComposerProps, ContentRenderer, type ContentRendererProps, ContextMenu, type ContextMenuContentProps, type ContextMenuContextValue, type ContextMenuItemProps, type ContextMenuProps, type ContextMenuSeparatorProps, type ContextMenuTriggerProps, DatePicker, type DatePickerProps, type DateRange, Diagram, type DiagramContextValue, type DiagramEntityData, type DiagramEntityProps, type DiagramFieldData, type DiagramFieldProps, type DiagramProps, type DiagramRelationData, type DiagramRelationProps, type DiagramSchema, type DiagramToolbarProps, type DiagramType, type DropPosition, Dropdown, type DropdownContextValue, type DropdownItemProps, type DropdownItemsProps, type DropdownProps, type DropdownSeparatorProps, type DropdownTriggerProps, EMOJI_CATEGORY_ORDER, EMOJI_DATA, EMOJI_ENTRIES, type EdgeAnchor, Editor, type EditorAction, type EditorContentProps, type EditorContextValue, type EditorProps, type EditorToolbarProps, Emoji, type EmojiCategory, type EmojiCategoryKey, type EmojiEntry, type EmojiFlatEntry, type EmojiProps, EmojiSelect, type EmojiSelectProps, type ExportFormat, Field, type FieldProps, FileUpload, type FileUploadContextValue, type FileUploadDropzoneProps, type FileUploadListProps, type FileUploadProps, Heading, type HeadingProps, Icon, type IconProps, type IconSet, Input, type InputAffixProps, type InputBaseProps, type InputOption, type InputOptionGroup, type InputProps, Kanban, type KanbanCardProps, type KanbanColumnProps, type KanbanContextValue, type KanbanProps, Menu, type MenuContextValue, type MenuGroupProps, type MenuItemProps, type MenuOrientation, type MenuProps, type MenuSubmenuProps, MobileMenu, type MobileMenuBottomBarProps, type MobileMenuContextValue, type MobileMenuFlyoutProps, type MobileMenuItemProps, type MobileMenuSide, type MobileMenuVariant, Modal, type ModalBodyProps, type ModalContextValue, type ModalFooterProps, type ModalHeaderProps, type ModalProps, MultiSwitch, type MultiSwitchProps, Navbar, type NavbarBrandProps, type NavbarContextValue, type NavbarItemProps, type NavbarItemsProps, type NavbarProps, type NavbarToggleProps, type NodeRect, OtpInput, type OtpInputProps, Pagination, type PaginationProps, Pillbox, type PillboxProps, type Placement, Popover, type PopoverContentProps, type PopoverContextValue, type PopoverProps, type PopoverTriggerProps, Portal, type PortalProps, Profile, type ProfileProps, Progress, type ProgressProps, RadioGroup, type RadioGroupProps, type RelationType, type RenderExtension, type RenderExtensionProps, SKIN_TONES, Select, type SelectProps, Separator, type SeparatorProps, Sidebar, type SidebarCollapseMode, type SidebarContextValue, type SidebarGroupProps, type SidebarItemProps, type SidebarProps, type SidebarSubmenuProps, type SidebarToggleProps, type Size, Skeleton, type SkeletonProps, type SkinTone, Slider, type SliderProps, Switch, type SwitchProps, Table, type TableBodyProps, type TableCellProps, type TableColumnProps, type TableHeadProps, type TablePaginationProps, type TableProps, type TableRowProps, type TableRowTrayProps, type TableSearchProps, type TableTrayProps, Tabs, type TabsContextValue, type TabsListProps, type TabsPanelProps, type TabsPanelsProps, type TabsProps, type TabsTabProps, type TabsVariant, Text, type TextProps, Textarea, type TextareaProps, TimePicker, type TimePickerProps, Timeline, type TimelineBlockProps, type TimelineEvent, type TimelineItemProps, type TimelineOrientation, type TimelineProps, type TimelineVariant, Toast, type ToastContextValue, type ToastData, type ToastPosition, type ToastProviderProps, type ToastVariant, Tooltip, type TooltipProps, TreeNav, type TreeNavContextValue, type TreeNavProps, type TreeNodeData, type TreeNodeProps, type Variant, type ViewportState, applyTone, cn, configureIcons, find, hasSkinTones, registerExtension, registerExtensions, registerIconSet, registerIcons, resolve, sanitizeHref, sanitizeHtml, search, skinTones, useAccordion, useAnimation, useCanvas, useCarousel, useCommand, useContextMenu, useControllableState, useDiagram, useDropdown, useEditor, useEscapeKey, useFileUpload, useFloatingPosition, useFocusTrap, useId, useKanban, useMenu, useMobileMenu, useModal, useNavbar, useNodeRegistry, useOutsideClick, usePanZoom, usePopover, useSidebar, useTabs, useToast, useTreeNav };

package/dist/index.js CHANGED Viewed

@@ -12,6 +12,80 @@ function cn(...inputs) {
   return twMerge(clsx(inputs));
 }
+// src/utils/sanitize.ts
+var DANGEROUS_TAGS = /* @__PURE__ */ new Set([
+  "script",
+  "style",
+  "iframe",
+  "object",
+  "embed",
+  "link",
+  "meta",
+  "base",
+  "form"
+]);
+var URL_ATTRS = /* @__PURE__ */ new Set(["href", "src", "action", "formaction", "xlink:href"]);
+var SAFE_PROTOCOL = /^(?:https?:|mailto:|tel:|sms:|ftp:|#|\/|\.\/|\.\.\/|[^:]*$)/i;
+function sanitizeHref(href) {
+  if (href == null) return void 0;
+  const trimmed = href.trim();
+  if (!trimmed) return void 0;
+  return SAFE_PROTOCOL.test(trimmed) ? trimmed : void 0;
+}
+function stripDangerousAttrs(el) {
+  const names = [];
+  for (let i = 0; i < el.attributes.length; i++) {
+    names.push(el.attributes[i].name);
+  }
+  for (const name of names) {
+    const lower = name.toLowerCase();
+    if (lower.startsWith("on")) {
+      el.removeAttribute(name);
+      continue;
+    }
+    if (URL_ATTRS.has(lower)) {
+      const sanitized = sanitizeHref(el.getAttribute(name));
+      if (sanitized === void 0) {
+        el.removeAttribute(name);
+      } else {
+        el.setAttribute(name, sanitized);
+      }
+      continue;
+    }
+    if (lower === "srcdoc") {
+      el.removeAttribute(name);
+    }
+  }
+}
+function walk(el, removeQueue) {
+  const tag = el.tagName.toLowerCase();
+  if (DANGEROUS_TAGS.has(tag)) {
+    removeQueue.push(el);
+    return;
+  }
+  stripDangerousAttrs(el);
+  const children = Array.from(el.children);
+  for (const child of children) {
+    walk(child, removeQueue);
+  }
+}
+function sanitizeHtml(html) {
+  if (typeof window === "undefined" || typeof DOMParser === "undefined") {
+    return html;
+  }
+  const doc = new DOMParser().parseFromString(`<body>${html}</body>`, "text/html");
+  const body = doc.body;
+  if (!body) return html;
+  const removeQueue = [];
+  for (const child of Array.from(body.children)) {
+    walk(child, removeQueue);
+  }
+  for (const el of removeQueue) {
+    el.parentNode?.removeChild(el);
+  }
+  return body.innerHTML;
+}
 // src/data/emoji-data.ts
 var EMOJI_CATEGORY_ORDER = [
   "smileys",
@@ -2411,7 +2485,8 @@ var Action = forwardRef(
       children != null && /* @__PURE__ */ jsx("span", { children }),
       trailingElements
     ] });
-    const buttonEl = href && !disabled ? /* @__PURE__ */ jsx("a", { href, className: classes, "data-react-fancy-action": "", children: content }) : /* @__PURE__ */ jsx(
+    const safeHref = sanitizeHref(href);
+    const buttonEl = safeHref && !disabled ? /* @__PURE__ */ jsx("a", { href: safeHref, className: classes, "data-react-fancy-action": "", children: content }) : /* @__PURE__ */ jsx(
       "button",
       {
         ref,
@@ -10077,13 +10152,15 @@ function mergeExtensions(instanceExtensions) {
   }
   return merged;
 }
-function toHtml(value, outputFormat) {
+function toHtml(value, outputFormat, unsafe) {
   if (!value) return "";
-  if (outputFormat === "html") return value;
-  const format = detectFormat(value);
-  if (format === "html") return value;
-  const result = marked.parse(value, { async: false });
-  return result.trim();
+  const raw = (() => {
+    if (outputFormat === "html") return value;
+    const format = detectFormat(value);
+    if (format === "html") return value;
+    return marked.parse(value, { async: false }).trim();
+  })();
+  return unsafe ? raw : sanitizeHtml(raw);
 }
 function EditorRoot({
   children,
@@ -10094,12 +10171,13 @@ function EditorRoot({
   outputFormat = "html",
   lineSpacing = 1.6,
   placeholder,
-  extensions: instanceExtensions
+  extensions: instanceExtensions,
+  unsafe = false
 }) {
   const contentRef = useRef(null);
   const [, setValue] = useControllableState(controlledValue, defaultValue, onChange);
   const initialHtml = useMemo(
-    () => toHtml(controlledValue ?? defaultValue, outputFormat),
+    () => toHtml(controlledValue ?? defaultValue, outputFormat, unsafe),
     // Only compute once on mount — don't re-run when value changes from user input
     // eslint-disable-next-line react-hooks/exhaustive-deps
     []
@@ -10184,7 +10262,11 @@ var Editor = Object.assign(EditorRoot, {
   Toolbar: ToolbarWithSeparator,
   Content: EditorContent
 });
-function RenderedContent({ html, extensions: instanceExtensions }) {
+function RenderedContent({
+  html,
+  extensions: instanceExtensions,
+  unsafe = false
+}) {
   const extensions = useMemo(
     () => mergeExtensions(instanceExtensions),
     [instanceExtensions]
@@ -10193,15 +10275,16 @@ function RenderedContent({ html, extensions: instanceExtensions }) {
     () => parseSegments(html, extensions),
     [html, extensions]
   );
+  const renderHtml = (content) => unsafe ? content : sanitizeHtml(content);
   if (segments.length === 1 && segments[0].type === "html") {
-    return /* @__PURE__ */ jsx("div", { dangerouslySetInnerHTML: { __html: segments[0].content } });
+    return /* @__PURE__ */ jsx("div", { dangerouslySetInnerHTML: { __html: renderHtml(segments[0].content) } });
   }
   if (segments.length === 0) {
     return null;
   }
   return /* @__PURE__ */ jsx(Fragment, { children: segments.map((segment, i) => {
     if (segment.type === "html") {
-      return segment.content ? /* @__PURE__ */ jsx("div", { dangerouslySetInnerHTML: { __html: segment.content } }, i) : null;
+      return segment.content ? /* @__PURE__ */ jsx("div", { dangerouslySetInnerHTML: { __html: renderHtml(segment.content) } }, i) : null;
     }
     const ext = extensions.find(
       (e) => e.tag.toLowerCase() === segment.tag
@@ -10219,7 +10302,8 @@ function ContentRenderer({
   format = "auto",
   lineSpacing = 1.6,
   className,
-  extensions: instanceExtensions
+  extensions: instanceExtensions,
+  unsafe = false
 }) {
   const extensions = useMemo(
     () => mergeExtensions(instanceExtensions),
@@ -10227,11 +10311,9 @@ function ContentRenderer({
   );
   const html = useMemo(() => {
     const resolvedFormat = format === "auto" ? detectFormat(value) : format;
-    if (resolvedFormat === "markdown") {
-      return marked.parse(value, { async: false });
-    }
-    return value;
-  }, [value, format]);
+    const raw = resolvedFormat === "markdown" ? marked.parse(value, { async: false }) : value;
+    return unsafe ? raw : sanitizeHtml(raw);
+  }, [value, format, unsafe]);
   const hasExtensions = extensions.length > 0;
   return /* @__PURE__ */ jsx(
     "div",
@@ -10239,7 +10321,7 @@ function ContentRenderer({
       "data-react-fancy-content-renderer": "",
       style: { lineHeight: lineSpacing },
       className: cn("text-sm", proseClasses, className),
-      children: hasExtensions ? /* @__PURE__ */ jsx(RenderedContent, { html, extensions }) : /* @__PURE__ */ jsx("div", { dangerouslySetInnerHTML: { __html: html } })
+      children: hasExtensions ? /* @__PURE__ */ jsx(RenderedContent, { html, extensions, unsafe }) : /* @__PURE__ */ jsx("div", { dangerouslySetInnerHTML: { __html: html } })
     }
   );
 }
@@ -12181,6 +12263,6 @@ var TreeNav = Object.assign(TreeNavRoot, {
   Node: TreeNode
 });
-export { Accordion, Action, Autocomplete, Avatar, Badge, Brand, Breadcrumbs, Calendar, Callout, Canvas, Card, Carousel, Chart, Checkbox, CheckboxGroup, ColorPicker, Command, Composer, ContentRenderer, ContextMenu, DatePicker, Diagram, Dropdown, EMOJI_CATEGORY_ORDER, EMOJI_DATA, EMOJI_ENTRIES, Editor, Emoji, EmojiSelect, Field, FileUpload, Heading, Icon, Input, Kanban, Menu2 as Menu, MobileMenu, Modal, MultiSwitch, Navbar, OtpInput, Pagination, Pillbox, Popover, Portal, Profile, Progress, RadioGroup, SKIN_TONES, Select, Separator, Sidebar, Skeleton, Slider, Switch, Table, Tabs, Text, Textarea, TimePicker, Timeline, Toast, Tooltip, TreeNav, applyTone, cn, configureIcons, find, hasSkinTones, registerExtension, registerExtensions, registerIconSet, registerIcons, resolve, search, skinTones, useAccordion, useAnimation, useCanvas, useCarousel, useCommand, useContextMenu, useControllableState, useDiagram, useDropdown, useEditor, useEscapeKey, useFileUpload, useFloatingPosition, useFocusTrap, useId12 as useId, useKanban, useMenu, useMobileMenu, useModal, useNavbar, useNodeRegistry, useOutsideClick, usePanZoom, usePopover, useSidebar, useTabs, useToast, useTreeNav };
+export { Accordion, Action, Autocomplete, Avatar, Badge, Brand, Breadcrumbs, Calendar, Callout, Canvas, Card, Carousel, Chart, Checkbox, CheckboxGroup, ColorPicker, Command, Composer, ContentRenderer, ContextMenu, DatePicker, Diagram, Dropdown, EMOJI_CATEGORY_ORDER, EMOJI_DATA, EMOJI_ENTRIES, Editor, Emoji, EmojiSelect, Field, FileUpload, Heading, Icon, Input, Kanban, Menu2 as Menu, MobileMenu, Modal, MultiSwitch, Navbar, OtpInput, Pagination, Pillbox, Popover, Portal, Profile, Progress, RadioGroup, SKIN_TONES, Select, Separator, Sidebar, Skeleton, Slider, Switch, Table, Tabs, Text, Textarea, TimePicker, Timeline, Toast, Tooltip, TreeNav, applyTone, cn, configureIcons, find, hasSkinTones, registerExtension, registerExtensions, registerIconSet, registerIcons, resolve, sanitizeHref, sanitizeHtml, search, skinTones, useAccordion, useAnimation, useCanvas, useCarousel, useCommand, useContextMenu, useControllableState, useDiagram, useDropdown, useEditor, useEscapeKey, useFileUpload, useFloatingPosition, useFocusTrap, useId12 as useId, useKanban, useMenu, useMobileMenu, useModal, useNavbar, useNodeRegistry, useOutsideClick, usePanZoom, usePopover, useSidebar, useTabs, useToast, useTreeNav };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map