@primitivedotdev/sdk 1.0.0 → 1.0.1

package/dist/parser/index.js

@@ -3,7 +3,7 @@ import { createHash } from "node:crypto";
 import { createGzip } from "node:zlib";
 import { pack } from "tar-stream";
 import { simpleParser } from "mailparser";
-import DOMPurify from "isomorphic-dompurify";
+import sanitizeHtmlLib from "sanitize-html";
 //#region src/parser/attachment-bundler.ts
 function appendTarEntry(archive, name, content) {
 	return new Promise((resolve, reject) => {
@@ -171,7 +171,6 @@ const ALLOWED_ATTRS = [
 	"lang",
 	"href",
 	"title",
-	"target",
 	"rel",
 	"src",
 	"alt",
@@ -190,44 +189,53 @@ const ALLOWED_ATTRS = [
 	"size",
 	"face"
 ];
-const ALLOWED_URI_REGEXP = /^(https?:|data:image\/(?!svg\+xml)[a-z0-9][a-z0-9+.-]*[;,]|mailto:|cid:|#)/i;
 const SVG_DATA_URI_RE = /^data:image\/svg\+xml/i;
-DOMPurify.addHook("uponSanitizeAttribute", (_node, data) => {
-	if (data.attrName.startsWith("on")) data.keepAttr = false;
-	if (data.attrName === "style") data.keepAttr = false;
-	if ((data.attrName === "src" || data.attrName === "href") && SVG_DATA_URI_RE.test(data.attrValue)) data.keepAttr = false;
-});
-DOMPurify.addHook("afterSanitizeAttributes", (node) => {
-	if (node.tagName === "A") {
-		if (node.getAttribute("target") === "_blank") node.setAttribute("rel", "noopener noreferrer");
-	}
-});
-const SANITIZE_OPTIONS = {
-	ALLOWED_TAGS,
-	ALLOWED_ATTR: ALLOWED_ATTRS,
-	ALLOW_DATA_ATTR: false,
-	ALLOW_UNKNOWN_PROTOCOLS: false,
-	ALLOWED_URI_REGEXP,
-	FORBID_TAGS: [
-		"style",
+const OPTIONS = {
+	allowedTags: ALLOWED_TAGS,
+	allowedAttributes: { "*": ALLOWED_ATTRS },
+	allowedSchemes: [
+		"http",
+		"https",
+		"mailto",
+		"cid"
+	],
+	allowedSchemesByTag: { img: [
+		"http",
+		"https",
+		"cid",
+		"data"
+	] },
+	allowedSchemesAppliedToAttributes: ["href", "src"],
+	allowProtocolRelative: false,
+	nonTextTags: [
 		"script",
+		"style",
+		"textarea",
+		"option",
+		"noscript",
+		"title",
 		"iframe",
 		"object",
 		"embed",
+		"svg",
+		"math",
 		"form",
-		"input",
-		"button",
 		"select",
-		"textarea",
-		"link",
-		"meta",
-		"base",
-		"svg",
-		"math"
-	]
+		"button",
+		"input"
+	],
+	disallowedTagsMode: "discard",
+	transformTags: { img: (tagName, attribs) => {
+		const next = { ...attribs };
+		if (next.src && SVG_DATA_URI_RE.test(next.src)) delete next.src;
+		return {
+			tagName,
+			attribs: next
+		};
+	} }
 };
 function sanitizeHtml(html) {
-	return DOMPurify.sanitize(html, SANITIZE_OPTIONS);
+	return sanitizeHtmlLib(html, OPTIONS);
 }
 //#endregion
 //#region src/parser/attachment-parser.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/sdk",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Official Primitive Node.js SDK: webhook, api, openapi, contract, and parser runtime modules.",
   "type": "module",
   "module": "./dist/index.js",
@@ -87,9 +87,9 @@
   },
   "dependencies": {
     "ajv": "^8.17.1",
-    "isomorphic-dompurify": "^3.8.0",
     "mailparser": "^3.9.0",
     "nodemailer": "^8.0.7",
+    "sanitize-html": "^2.14.0",
     "tar-stream": "^3.1.8",
     "validator": "^13.15.35"
   },
@@ -100,6 +100,7 @@
     "@types/mailparser": "^3.4.6",
     "@types/node": "^22.10.2",
     "@types/nodemailer": "^8.0.0",
+    "@types/sanitize-html": "^2.13.0",
     "@types/tar-stream": "^3.1.4",
     "@types/validator": "^13.15.10",
     "@vitest/coverage-v8": "^4.1.4",