@pixagram/sanitizer 0.2.0

package/README.md

@@ -0,0 +1,282 @@
+# pixa-content
+
+> Secure content processing engine for the PIXA blockchain platform.
+> Rust → WebAssembly module for browser-side rendering of posts, comments, profiles, and metadata.
+
+## Features
+
+| Feature | Description |
+|---------|-------------|
+| **Post Rendering** | Markdown/HTML → sanitized HTML with full formatting |
+| **Comment Rendering** | Stricter subset — no headings, tables, iframes |
+| **@Mentions** | `@username` → `<a href="/@username">` with validation |
+| **#Hashtags** | `#tag` → `<a href="/trending/tag">` |
+| **Image Extraction** | Returns image list; render with/without images |
+| **Base64 Images** | Validates `data:image/*` URIs, blocks dangerous MIME types |
+| **External Links** | Marks external links with `data-*` attrs for React dialog |
+| **JSON Sanitizer** | `safeJson` — sanitizes any JSON tree (keys, strings, base64) |
+| **Biography** | HTML → plain text sanitization |
+| **Username** | HIVE-compatible validation (3-16 chars, a-z0-9.-) |
+| **Metadata** | `parseMetadata` — safeJson + known-field extraction |
+| **Plain Text** | Strip all formatting, return clean text |
+| **Summarization** | TF-IDF extractive summarization |
+| **XSS Protection** | Whitelist-based sanitization via ammonia |
+
+## Security Model
+
+- **Whitelist-based HTML sanitization** via `ammonia` — only approved tags and attributes pass through
+- **No script execution** — `<script>`, event handlers (`onclick`, `onerror`, etc.), and `javascript:` URIs are all blocked
+- **SVG safety** — Base64 SVGs are decoded and checked for embedded scripts
+- **Link isolation** — External links get `rel="noopener noreferrer"` and `target="_blank"`
+- **Input limits** — Maximum body length, image size, nesting depth, and URL length enforced
+- **Username validation** — Strict HIVE-compatible rules prevent injection via mention links
+- **JSON sanitization** — Every key validated, every string HTML-stripped, embedded JSON-in-strings rejected, dangerous URI schemes blocked, base64 images validated
+
+## Build
+
+### Prerequisites
+
+```bash
+# Rust toolchain
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+rustup target add wasm32-unknown-unknown
+
+# wasm-pack
+cargo install wasm-pack
+
+# Optional: binaryen for extra ~20-30% size reduction
+npm install -g binaryen
+```
+
+### Build Commands
+
+```bash
+# Standard release build (optimized for size)
+./scripts/build.sh release
+
+# Smaller build with wee_alloc (trades speed for ~20KB less)
+./scripts/build.sh release-small
+
+# Dev build (fast compile, no optimization)
+./scripts/build.sh dev
+
+# For bundlers (webpack, vite, rollup)
+./scripts/build.sh bundler
+
+# Run all tests
+./scripts/build.sh test
+```
+
+### Expected Output Size
+
+| Build | Raw WASM | + wasm-opt | Gzip |
+|-------|----------|------------|------|
+| `release` | ~800KB-1.2MB | ~600KB-900KB | ~250KB-350KB |
+| `release-small` | ~750KB-1.1MB | ~550KB-850KB | ~220KB-320KB |
+
+> **Why not smaller?** The bulk comes from `ammonia` (HTML sanitizer using `html5ever` parser) and `regex`. These are essential for security. The gzipped transfer size is what matters for users — and **250-350KB gzipped is reasonable** for a full content engine replacing multiple JavaScript libraries.
+
+## Usage
+
+### JavaScript / React
+
+```javascript
+import { PixaContent } from './pixa-content.js';
+
+// Initialize once
+const pixa = await PixaContent.init('./pixa_content.js');
+
+// ── Render a post ──────────────────────────────
+const result = pixa.sanitizePost(postBody, {
+  max_image_count: 0,        // 0 = unlimited
+  internal_domains: ['pixa.pics', 'custom-domain.com'],
+});
+
+console.log(result.html);    // Sanitized HTML
+console.log(result.images);  // [{ src, alt, is_base64, index }]
+console.log(result.links);   // [{ href, text, domain, is_external }]
+
+// ── Render a comment ───────────────────────────
+const comment = pixa.sanitizeComment(commentBody);
+
+// ── Render a memo ──────────────────────────────
+const memo = pixa.sanitizeMemo(memoBody);
+
+// ── Sanitize any JSON (the main entry point) ───
+const safe = pixa.safeJson(rawJsonString);
+// Every key validated, every string HTML-stripped,
+// embedded JSON rejected, base64 images preserved.
+
+// ── Sanitize a single string ───────────────────
+const title = pixa.safeString(rawTitle);         // '' if unsafe
+const category = pixa.safeString(rawCategory);
+
+// ── Parse metadata (convenience wrapper) ───────
+const meta = pixa.parseMetadata(jsonMetadataString);
+console.log(meta.profile);   // Sanitized JSON object (whatever was in source)
+console.log(meta.tags);      // ['tag1', 'tag2']
+console.log(meta.image);     // ['https://...']
+console.log(meta.app);       // 'peakd/2024.10.11'
+console.log(meta.extra);     // Any unknown fields (already sanitized)
+
+// ── Extract plain text ─────────────────────────
+const text = pixa.extractPlainText(postBody);
+
+// ── Summarize ──────────────────────────────────
+const summary = pixa.summarizeContent(postBody, 3);
+console.log(summary.summary);     // Top 3 sentences joined
+console.log(summary.keywords);    // Top keywords with scores
+console.log(summary.sentences);   // Scored sentences with positions
+
+// ── Sanitize profile data ──────────────────────
+const bio = pixa.sanitizeBiography(rawBio, 256);  // max 256 chars
+const name = pixa.sanitizeUsername(rawUsername);     // '' if invalid
+```
+
+### External Link Dialog (React)
+
+```jsx
+import { ExternalLinkDialog } from './ExternalLinkDialog';
+
+function PostContent({ html }) {
+  return (
+    <ExternalLinkDialog
+      onNavigate={(href, domain) => {
+        console.log('User navigated to:', domain);
+      }}
+    >
+      <div dangerouslySetInnerHTML={{ __html: html }} />
+    </ExternalLinkDialog>
+  );
+}
+```
+
+Or with a custom dialog:
+
+```jsx
+<ExternalLinkDialog
+  renderDialog={({ href, domain, onConfirm, onCancel }) => (
+    <YourCustomModal
+      title={`Leave Pixa?`}
+      message={`Navigate to ${domain}?`}
+      onYes={onConfirm}
+      onNo={onCancel}
+    />
+  )}
+>
+  <div dangerouslySetInnerHTML={{ __html: html }} />
+</ExternalLinkDialog>
+```
+
+### Using from Rust (Non-WASM)
+
+```rust
+use pixa_content::{extract_plain_text, sanitize_biography, sanitize_username};
+use pixa_content::sanitizer::{sanitize_post, safe_json, SanitizeOptions};
+
+// Sanitize a post
+let opts = SanitizeOptions::default();
+let result = sanitize_post("# Hello @world\n\nCheck #pixelart!", &opts);
+println!("HTML: {}", result.html);
+println!("Images: {:?}", result.images);
+println!("Links: {:?}", result.links);
+
+// Sanitize any JSON metadata
+let clean = safe_json(r#"{"tags":["art"],"profile":{"name":"Alice"}}"#).unwrap();
+```
+
+## Architecture
+
+```
+pixa-content/
+├── Cargo.toml              # Dependencies & WASM optimization config
+├── src/
+│   ├── lib.rs              # Public API & WASM bindings
+│   ├── types.rs            # Shared types (ImageInfo, LinkInfo, ParsedMetadata, etc.)
+│   ├── sanitizer.rs        # ammonia-based HTML sanitization + safe_json/safe_string/safe_key
+│   ├── mentions.rs         # @mention and #hashtag processing
+│   ├── images.rs           # Image extraction, base64 validation
+│   ├── links.rs            # External link detection & wrapping
+│   ├── text.rs             # Plain text extraction, sentence splitting
+│   ├── summarizer.rs       # TF-IDF extractive summarization
+│   └── metadata.rs         # JSON metadata parsing (thin wrapper over safe_json)
+├── tests/
+│   └── integration.rs      # Full pipeline integration tests
+├── js/
+│   ├── pixa-content.js     # JS wrapper API
+│   └── ExternalLinkDialog.jsx  # React external link component
+├── scripts/
+│   └── build.sh            # Build & optimization script
+└── README.md
+```
+
+## Processing Pipeline
+
+```
+Input (Markdown or HTML)
+    │
+    ├──► Detect format (is_predominantly_html)
+    │
+    ├──► If Markdown: pulldown-cmark → HTML
+    │
+    ├──► Extract images (before sanitization)
+    │
+    ├──► Process @mentions and #hashtags
+    │    (text nodes only, not inside existing links)
+    │
+    ├──► Sanitize HTML (ammonia whitelist)
+    │    ├── Post: full formatting
+    │    ├── Comment: restricted subset
+    │    └── Memo: inline only
+    │
+    ├──► Process links (internal vs external)
+    │    └── External: add data-* attrs for React
+    │
+    ├──► Optionally strip/limit images
+    │
+    └──► Return { html, images, links }
+```
+
+## JSON Sanitization Pipeline
+
+```
+Input (raw JSON string)
+    │
+    ├──► Parse JSON
+    │
+    ├──► Walk tree recursively:
+    │    ├── Keys:    safe_key  → validate identifier format, drop bad keys
+    │    ├── Strings: safe_string →
+    │    │    ├── Reject embedded JSON-in-strings
+    │    │    ├── data:image/* → validate base64, pass through
+    │    │    ├── URLs → strip control chars (preserve & in query strings)
+    │    │    ├── Text → strip ALL HTML via ammonia, reject dangerous schemes
+    │    │    └── Enforce length limits
+    │    ├── Numbers: pass through (must be finite)
+    │    ├── Arrays:  recurse (max 100 elements)
+    │    └── Objects: recurse (max 50 keys, max depth 5)
+    │
+    └──► Return sanitized JSON value
+```
+
+## Metadata Flexibility
+
+`parseMetadata` calls `safeJson` first, then extracts known fields for convenience:
+
+```json
+{
+  "profile": { "name": "...", "about": "...", "profile_image": "..." },
+  "tags": ["tag1", "tag2"],
+  "app": "peakd/2024.10.11",
+  "format": "markdown",
+  "pixa_nft_id": "preserved-in-extra",
+  "custom_field": { "also": "preserved" }
+}
+```
+
+All fields are sanitized by `safeJson` before extraction. Unknown fields land in `extra`.
+For full control, use `safeJson` directly — it handles any JSON structure.
+
+## License
+
+Proprietary — Pixagram SA. All rights reserved.

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@pixagram/sanitizer",
+  "type": "module",
+  "collaborators": [
+    "Pixagram SA"
+  ],
+  "description": "Secure content processing for PIXA blockchain — Markdown/HTML rendering, sanitization, metadata parsing, summarization",
+  "version": "0.2.0",
+  "license": "PROPRIETARY",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nicmusic/pixa-content"
+  },
+  "files": [
+    "pixa_content_bg.wasm",
+    "pixa_content.js",
+    "pixa_content.d.ts"
+  ],
+  "main": "pixa_content.js",
+  "types": "pixa_content.d.ts",
+  "sideEffects": [
+    "./snippets/*"
+  ]
+}

package/pixa_content.d.ts

@@ -0,0 +1,108 @@
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * Extract plain text from content.
+ */
+export function extractPlainText(body: string): string;
+
+/**
+ * Parse and sanitize JSON metadata.
+ * Internally calls safe_json then extracts known fields.
+ */
+export function parseMetadata(json_str: string): any;
+
+export function pixaContentInit(): void;
+
+/**
+ * Sanitize a JSON string. Every key validated, every string HTML-stripped,
+ * embedded JSON-in-strings rejected, base64 images allowed if valid.
+ *
+ * This is the single entry point for ALL metadata sanitization.
+ */
+export function safeJson(json_str: string): any;
+
+/**
+ * Sanitize a single string value. Strips HTML, rejects embedded JSON,
+ * rejects dangerous URI schemes, allows validated base64 images.
+ *
+ * Used by JS pipeline for title, category, and other text fields.
+ */
+export function safeString(s: string, max_len: number): string | undefined;
+
+/**
+ * Sanitize a user biography — returns plain text only (no HTML).
+ */
+export function sanitizeBiography(bio: string, max_length: number): string;
+
+/**
+ * Sanitize a comment body.
+ * Everything in memo + lists, blockquotes, code, links.
+ * No images, no headings, no tables.
+ */
+export function sanitizeComment(body: string, options_json: string): any;
+
+/**
+ * Sanitize a transaction memo.
+ * Bold, italic, @mentions, #hashtags. No images, no lists, no blocks.
+ */
+export function sanitizeMemo(body: string, options_json: string): any;
+
+/**
+ * Sanitize a post body. Full markdown → HTML.
+ * Returns sanitized HTML + extracted images (including base64) + links.
+ */
+export function sanitizePost(body: string, options_json: string): any;
+
+/**
+ * Sanitize a username — alphanumeric, dots, hyphens only.
+ */
+export function sanitizeUsername(username: string): string;
+
+/**
+ * TF-IDF summarization.
+ */
+export function summarizeContent(body: string, sentence_count: number): any;
+
+export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
+
+export interface InitOutput {
+    readonly memory: WebAssembly.Memory;
+    readonly pixaContentInit: () => void;
+    readonly sanitizeMemo: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly sanitizeComment: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly sanitizePost: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly safeJson: (a: number, b: number, c: number) => void;
+    readonly safeString: (a: number, b: number, c: number, d: number) => void;
+    readonly sanitizeBiography: (a: number, b: number, c: number, d: number) => void;
+    readonly sanitizeUsername: (a: number, b: number, c: number) => void;
+    readonly extractPlainText: (a: number, b: number, c: number) => void;
+    readonly summarizeContent: (a: number, b: number, c: number, d: number) => void;
+    readonly parseMetadata: (a: number, b: number, c: number) => void;
+    readonly __wbindgen_export: (a: number, b: number) => number;
+    readonly __wbindgen_export2: (a: number, b: number, c: number, d: number) => number;
+    readonly __wbindgen_export3: (a: number, b: number, c: number) => void;
+    readonly __wbindgen_add_to_stack_pointer: (a: number) => number;
+}
+
+export type SyncInitInput = BufferSource | WebAssembly.Module;
+
+/**
+ * Instantiates the given `module`, which can either be bytes or
+ * a precompiled `WebAssembly.Module`.
+ *
+ * @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated.
+ *
+ * @returns {InitOutput}
+ */
+export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput;
+
+/**
+ * If `module_or_path` is {RequestInfo} or {URL}, makes a request and
+ * for everything else, calls `WebAssembly.instantiate` directly.
+ *
+ * @param {{ module_or_path: InitInput | Promise<InitInput> }} module_or_path - Passing `InitInput` directly is deprecated.
+ *
+ * @returns {Promise<InitOutput>}
+ */
+export default function __wbg_init (module_or_path?: { module_or_path: InitInput | Promise<InitInput> } | InitInput | Promise<InitInput>): Promise<InitOutput>;

package/pixa_content.js

@@ -0,0 +1,568 @@
+/* @ts-self-types="./pixa_content.d.ts" */
+
+/**
+ * Extract plain text from content.
+ * @param {string} body
+ * @returns {string}
+ */
+export function extractPlainText(body) {
+    let deferred2_0;
+    let deferred2_1;
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(body, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.extractPlainText(retptr, ptr0, len0);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        deferred2_0 = r0;
+        deferred2_1 = r1;
+        return getStringFromWasm0(r0, r1);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+        wasm.__wbindgen_export3(deferred2_0, deferred2_1, 1);
+    }
+}
+
+/**
+ * Parse and sanitize JSON metadata.
+ * Internally calls safe_json then extracts known fields.
+ * @param {string} json_str
+ * @returns {any}
+ */
+export function parseMetadata(json_str) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(json_str, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.parseMetadata(retptr, ptr0, len0);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return takeObject(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
+export function pixaContentInit() {
+    wasm.pixaContentInit();
+}
+
+/**
+ * Sanitize a JSON string. Every key validated, every string HTML-stripped,
+ * embedded JSON-in-strings rejected, base64 images allowed if valid.
+ *
+ * This is the single entry point for ALL metadata sanitization.
+ * @param {string} json_str
+ * @returns {any}
+ */
+export function safeJson(json_str) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(json_str, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.safeJson(retptr, ptr0, len0);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return takeObject(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
+/**
+ * Sanitize a single string value. Strips HTML, rejects embedded JSON,
+ * rejects dangerous URI schemes, allows validated base64 images.
+ *
+ * Used by JS pipeline for title, category, and other text fields.
+ * @param {string} s
+ * @param {number} max_len
+ * @returns {string | undefined}
+ */
+export function safeString(s, max_len) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(s, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.safeString(retptr, ptr0, len0, max_len);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        let v2;
+        if (r0 !== 0) {
+            v2 = getStringFromWasm0(r0, r1).slice();
+            wasm.__wbindgen_export3(r0, r1 * 1, 1);
+        }
+        return v2;
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
+/**
+ * Sanitize a user biography — returns plain text only (no HTML).
+ * @param {string} bio
+ * @param {number} max_length
+ * @returns {string}
+ */
+export function sanitizeBiography(bio, max_length) {
+    let deferred2_0;
+    let deferred2_1;
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(bio, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.sanitizeBiography(retptr, ptr0, len0, max_length);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        deferred2_0 = r0;
+        deferred2_1 = r1;
+        return getStringFromWasm0(r0, r1);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+        wasm.__wbindgen_export3(deferred2_0, deferred2_1, 1);
+    }
+}
+
+/**
+ * Sanitize a comment body.
+ * Everything in memo + lists, blockquotes, code, links.
+ * No images, no headings, no tables.
+ * @param {string} body
+ * @param {string} options_json
+ * @returns {any}
+ */
+export function sanitizeComment(body, options_json) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(body, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(options_json, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len1 = WASM_VECTOR_LEN;
+        wasm.sanitizeComment(retptr, ptr0, len0, ptr1, len1);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return takeObject(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
+/**
+ * Sanitize a transaction memo.
+ * Bold, italic, @mentions, #hashtags. No images, no lists, no blocks.
+ * @param {string} body
+ * @param {string} options_json
+ * @returns {any}
+ */
+export function sanitizeMemo(body, options_json) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(body, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(options_json, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len1 = WASM_VECTOR_LEN;
+        wasm.sanitizeMemo(retptr, ptr0, len0, ptr1, len1);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return takeObject(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
+/**
+ * Sanitize a post body. Full markdown → HTML.
+ * Returns sanitized HTML + extracted images (including base64) + links.
+ * @param {string} body
+ * @param {string} options_json
+ * @returns {any}
+ */
+export function sanitizePost(body, options_json) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(body, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(options_json, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len1 = WASM_VECTOR_LEN;
+        wasm.sanitizePost(retptr, ptr0, len0, ptr1, len1);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return takeObject(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
+/**
+ * Sanitize a username — alphanumeric, dots, hyphens only.
+ * @param {string} username
+ * @returns {string}
+ */
+export function sanitizeUsername(username) {
+    let deferred2_0;
+    let deferred2_1;
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(username, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.sanitizeUsername(retptr, ptr0, len0);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        deferred2_0 = r0;
+        deferred2_1 = r1;
+        return getStringFromWasm0(r0, r1);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+        wasm.__wbindgen_export3(deferred2_0, deferred2_1, 1);
+    }
+}
+
+/**
+ * TF-IDF summarization.
+ * @param {string} body
+ * @param {number} sentence_count
+ * @returns {any}
+ */
+export function summarizeContent(body, sentence_count) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(body, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.summarizeContent(retptr, ptr0, len0, sentence_count);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return takeObject(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
+function __wbg_get_imports() {
+    const import0 = {
+        __proto__: null,
+        __wbg_Error_8c4e43fe74559d73: function(arg0, arg1) {
+            const ret = Error(getStringFromWasm0(arg0, arg1));
+            return addHeapObject(ret);
+        },
+        __wbg_String_8f0eb39a4a4c2f66: function(arg0, arg1) {
+            const ret = String(getObject(arg1));
+            const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+            const len1 = WASM_VECTOR_LEN;
+            getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
+            getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
+        },
+        __wbg___wbindgen_is_string_cd444516edc5b180: function(arg0) {
+            const ret = typeof(getObject(arg0)) === 'string';
+            return ret;
+        },
+        __wbg___wbindgen_throw_be289d5034ed271b: function(arg0, arg1) {
+            throw new Error(getStringFromWasm0(arg0, arg1));
+        },
+        __wbg_error_7534b8e9a36f1ab4: function(arg0, arg1) {
+            let deferred0_0;
+            let deferred0_1;
+            try {
+                deferred0_0 = arg0;
+                deferred0_1 = arg1;
+                console.error(getStringFromWasm0(arg0, arg1));
+            } finally {
+                wasm.__wbindgen_export3(deferred0_0, deferred0_1, 1);
+            }
+        },
+        __wbg_new_361308b2356cecd0: function() {
+            const ret = new Object();
+            return addHeapObject(ret);
+        },
+        __wbg_new_3eb36ae241fe6f44: function() {
+            const ret = new Array();
+            return addHeapObject(ret);
+        },
+        __wbg_new_8a6f238a6ece86ea: function() {
+            const ret = new Error();
+            return addHeapObject(ret);
+        },
+        __wbg_new_dca287b076112a51: function() {
+            const ret = new Map();
+            return addHeapObject(ret);
+        },
+        __wbg_set_1eb0999cf5d27fc8: function(arg0, arg1, arg2) {
+            const ret = getObject(arg0).set(getObject(arg1), getObject(arg2));
+            return addHeapObject(ret);
+        },
+        __wbg_set_3f1d0b984ed272ed: function(arg0, arg1, arg2) {
+            getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
+        },
+        __wbg_set_f43e577aea94465b: function(arg0, arg1, arg2) {
+            getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
+        },
+        __wbg_stack_0ed75d68575b0f3c: function(arg0, arg1) {
+            const ret = getObject(arg1).stack;
+            const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+            const len1 = WASM_VECTOR_LEN;
+            getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
+            getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
+        },
+        __wbindgen_cast_0000000000000001: function(arg0) {
+            // Cast intrinsic for `F64 -> Externref`.
+            const ret = arg0;
+            return addHeapObject(ret);
+        },
+        __wbindgen_cast_0000000000000002: function(arg0) {
+            // Cast intrinsic for `I64 -> Externref`.
+            const ret = arg0;
+            return addHeapObject(ret);
+        },
+        __wbindgen_cast_0000000000000003: function(arg0, arg1) {
+            // Cast intrinsic for `Ref(String) -> Externref`.
+            const ret = getStringFromWasm0(arg0, arg1);
+            return addHeapObject(ret);
+        },
+        __wbindgen_cast_0000000000000004: function(arg0) {
+            // Cast intrinsic for `U64 -> Externref`.
+            const ret = BigInt.asUintN(64, arg0);
+            return addHeapObject(ret);
+        },
+        __wbindgen_object_clone_ref: function(arg0) {
+            const ret = getObject(arg0);
+            return addHeapObject(ret);
+        },
+        __wbindgen_object_drop_ref: function(arg0) {
+            takeObject(arg0);
+        },
+    };
+    return {
+        __proto__: null,
+        "./pixa_content_bg.js": import0,
+    };
+}
+
+function addHeapObject(obj) {
+    if (heap_next === heap.length) heap.push(heap.length + 1);
+    const idx = heap_next;
+    heap_next = heap[idx];
+
+    heap[idx] = obj;
+    return idx;
+}
+
+function dropObject(idx) {
+    if (idx < 132) return;
+    heap[idx] = heap_next;
+    heap_next = idx;
+}
+
+let cachedDataViewMemory0 = null;
+function getDataViewMemory0() {
+    if (cachedDataViewMemory0 === null || cachedDataViewMemory0.buffer.detached === true || (cachedDataViewMemory0.buffer.detached === undefined && cachedDataViewMemory0.buffer !== wasm.memory.buffer)) {
+        cachedDataViewMemory0 = new DataView(wasm.memory.buffer);
+    }
+    return cachedDataViewMemory0;
+}
+
+function getStringFromWasm0(ptr, len) {
+    ptr = ptr >>> 0;
+    return decodeText(ptr, len);
+}
+
+let cachedUint8ArrayMemory0 = null;
+function getUint8ArrayMemory0() {
+    if (cachedUint8ArrayMemory0 === null || cachedUint8ArrayMemory0.byteLength === 0) {
+        cachedUint8ArrayMemory0 = new Uint8Array(wasm.memory.buffer);
+    }
+    return cachedUint8ArrayMemory0;
+}
+
+function getObject(idx) { return heap[idx]; }
+
+let heap = new Array(128).fill(undefined);
+heap.push(undefined, null, true, false);
+
+let heap_next = heap.length;
+
+function passStringToWasm0(arg, malloc, realloc) {
+    if (realloc === undefined) {
+        const buf = cachedTextEncoder.encode(arg);
+        const ptr = malloc(buf.length, 1) >>> 0;
+        getUint8ArrayMemory0().subarray(ptr, ptr + buf.length).set(buf);
+        WASM_VECTOR_LEN = buf.length;
+        return ptr;
+    }
+
+    let len = arg.length;
+    let ptr = malloc(len, 1) >>> 0;
+
+    const mem = getUint8ArrayMemory0();
+
+    let offset = 0;
+
+    for (; offset < len; offset++) {
+        const code = arg.charCodeAt(offset);
+        if (code > 0x7F) break;
+        mem[ptr + offset] = code;
+    }
+    if (offset !== len) {
+        if (offset !== 0) {
+            arg = arg.slice(offset);
+        }
+        ptr = realloc(ptr, len, len = offset + arg.length * 3, 1) >>> 0;
+        const view = getUint8ArrayMemory0().subarray(ptr + offset, ptr + len);
+        const ret = cachedTextEncoder.encodeInto(arg, view);
+
+        offset += ret.written;
+        ptr = realloc(ptr, len, offset, 1) >>> 0;
+    }
+
+    WASM_VECTOR_LEN = offset;
+    return ptr;
+}
+
+function takeObject(idx) {
+    const ret = getObject(idx);
+    dropObject(idx);
+    return ret;
+}
+
+let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+cachedTextDecoder.decode();
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
+function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
+const cachedTextEncoder = new TextEncoder();
+
+if (!('encodeInto' in cachedTextEncoder)) {
+    cachedTextEncoder.encodeInto = function (arg, view) {
+        const buf = cachedTextEncoder.encode(arg);
+        view.set(buf);
+        return {
+            read: arg.length,
+            written: buf.length
+        };
+    };
+}
+
+let WASM_VECTOR_LEN = 0;
+
+let wasmModule, wasm;
+function __wbg_finalize_init(instance, module) {
+    wasm = instance.exports;
+    wasmModule = module;
+    cachedDataViewMemory0 = null;
+    cachedUint8ArrayMemory0 = null;
+    return wasm;
+}
+
+async function __wbg_load(module, imports) {
+    if (typeof Response === 'function' && module instanceof Response) {
+        if (typeof WebAssembly.instantiateStreaming === 'function') {
+            try {
+                return await WebAssembly.instantiateStreaming(module, imports);
+            } catch (e) {
+                const validResponse = module.ok && expectedResponseType(module.type);
+
+                if (validResponse && module.headers.get('Content-Type') !== 'application/wasm') {
+                    console.warn("`WebAssembly.instantiateStreaming` failed because your server does not serve Wasm with `application/wasm` MIME type. Falling back to `WebAssembly.instantiate` which is slower. Original error:\n", e);
+
+                } else { throw e; }
+            }
+        }
+
+        const bytes = await module.arrayBuffer();
+        return await WebAssembly.instantiate(bytes, imports);
+    } else {
+        const instance = await WebAssembly.instantiate(module, imports);
+
+        if (instance instanceof WebAssembly.Instance) {
+            return { instance, module };
+        } else {
+            return instance;
+        }
+    }
+
+    function expectedResponseType(type) {
+        switch (type) {
+            case 'basic': case 'cors': case 'default': return true;
+        }
+        return false;
+    }
+}
+
+function initSync(module) {
+    if (wasm !== undefined) return wasm;
+
+
+    if (module !== undefined) {
+        if (Object.getPrototypeOf(module) === Object.prototype) {
+            ({module} = module)
+        } else {
+            console.warn('using deprecated parameters for `initSync()`; pass a single object instead')
+        }
+    }
+
+    const imports = __wbg_get_imports();
+    if (!(module instanceof WebAssembly.Module)) {
+        module = new WebAssembly.Module(module);
+    }
+    const instance = new WebAssembly.Instance(module, imports);
+    return __wbg_finalize_init(instance, module);
+}
+
+async function __wbg_init(module_or_path) {
+    if (wasm !== undefined) return wasm;
+
+
+    if (module_or_path !== undefined) {
+        if (Object.getPrototypeOf(module_or_path) === Object.prototype) {
+            ({module_or_path} = module_or_path)
+        } else {
+            console.warn('using deprecated parameters for the initialization function; pass a single object instead')
+        }
+    }
+
+    if (module_or_path === undefined) {
+        module_or_path = new URL('pixa_content_bg.wasm', import.meta.url);
+    }
+    const imports = __wbg_get_imports();
+
+    if (typeof module_or_path === 'string' || (typeof Request === 'function' && module_or_path instanceof Request) || (typeof URL === 'function' && module_or_path instanceof URL)) {
+        module_or_path = fetch(module_or_path);
+    }
+
+    const { instance, module } = await __wbg_load(await module_or_path, imports);
+
+    return __wbg_finalize_init(instance, module);
+}
+
+export { initSync, __wbg_init as default };