@readme/markdown 11.13.0 → 11.14.1

package/dist/index.d.ts

@@ -6,7 +6,7 @@ declare const utils: {
     getHref: typeof getHref;
     calloutIcons: {};
 };
-export { compile, exports, hast, run, mdast, mdastV6, mdx, mdxish, mdxishAstProcessor, mdxishMdastToMd, mdxishTags, migrate, mix, plain, renderMdxish, remarkPlugins, stripComments, tags, } from './lib';
+export { compile, exports, hast, run, mdast, mdastV6, mdx, mdxish, mdxishAstProcessor, mdxishMdastToMd, mdxishTags, migrate, mix, plain, renderMdxish, remarkPlugins, stripComments, tags, isPlainText, } from './lib';
 export { default as Owlmoji } from './lib/owlmoji';
 export { Components, utils };
 export { tailwindCompiler } from './utils/tailwind-compiler';

package/dist/lib/index.d.ts

@@ -17,3 +17,4 @@ export { default as run } from './run';
 export { default as tags } from './tags';
 export { default as mdxishTags } from './mdxishTags';
 export { default as stripComments } from './stripComments';
+export { default as isPlainText } from './utils/isPlainText';

package/dist/lib/utils/extractMagicBlocks.d.ts

@@ -3,6 +3,14 @@ export interface BlockHit {
     raw: string;
     token: string;
 }
+/**
+ * The content matching in this regex captures everything between `[block:TYPE]`
+ * and `[/block]`, including new lines. Negative lookahead for the closing
+ * `[/block]` tag is required to prevent greedy matching to ensure it stops at
+ * the first closing tag it encounters preventing vulnerability to polynomial
+ * backtracking issues.
+ */
+export declare const MAGIC_BLOCK_REGEX: RegExp;
 /**
  * Extract legacy magic block syntax from a markdown string.
  * Returns the modified markdown and an array of extracted blocks.

package/dist/lib/utils/isPlainText.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Detects if content contains HTML, magic blocks, or MDX syntax.
+ *
+ * We can use this in some pipelines to determine if we should have to parse content through
+ * `.plain() or if it is already plain text and it should be able to detect everything that would
+ * be stripped or sanitized by `.plain()`.
+ *
+ */
+export default function isPlainText(content: string): boolean;

package/dist/main.js

@@ -11362,6 +11362,7 @@ __webpack_require__.d(__webpack_exports__, {
   exports: () => (/* reexport */ lib_exports),
   gemojiRegex: () => (/* reexport */ gemoji_regex),
   hast: () => (/* reexport */ lib_hast),
+  isPlainText: () => (/* reexport */ isPlainText),
   mdast: () => (/* reexport */ lib_mdast),
   mdastV6: () => (/* reexport */ lib_mdastV6),
   mdx: () => (/* reexport */ lib_mdx),
@@ -95294,6 +95295,89 @@ async function stripComments(doc, { mdx } = {}) {
 }
 /* harmony default export */ const lib_stripComments = (stripComments);
 
+;// ./lib/utils/isPlainText.ts
+
+/**
+ * Detects if content contains HTML, magic blocks, or MDX syntax.
+ *
+ * We can use this in some pipelines to determine if we should have to parse content through
+ * `.plain() or if it is already plain text and it should be able to detect everything that would
+ * be stripped or sanitized by `.plain()`.
+ *
+ */
+function isPlainText(content) {
+    if (!content || typeof content !== 'string') {
+        return true;
+    }
+    // Exclude markdown code blocks and inline code to avoid false positives
+    // Match code blocks with optional language identifier: ```lang\n...\n```
+    const codeBlockRegex = /```[^\n]*\n[\s\S]*?```/g;
+    // Match inline code: `code` (but not escaped backticks)
+    const inlineCodeRegex = /`[^`\n]+`/g;
+    // Remove code blocks and inline code to avoid false positives
+    let contentWithoutCode = structuredClone(content);
+    contentWithoutCode = contentWithoutCode.replace(codeBlockRegex, '');
+    contentWithoutCode = contentWithoutCode.replace(inlineCodeRegex, '');
+    // Check for magic blocks: `[block:TYPE]...[/block]`
+    // Only check after removing code blocks to avoid detecting magic blocks in code
+    if (contentWithoutCode.match(MAGIC_BLOCK_REGEX) !== null) {
+        return false;
+    }
+    // Check for markdown links: [text](url) or [text][reference]
+    // Pattern matches inline links and reference-style links
+    // Exclude images which start with ! before the bracket
+    // Only check after removing code blocks
+    const markdownLinkPattern = /(?<!!)\[([^\]]+)\]\(([^)]+)\)|(?<!!)\[([^\]]+)\]\[([^\]]*)\]/;
+    if (markdownLinkPattern.test(contentWithoutCode)) {
+        return false;
+    }
+    // Check for JSX elements (PascalCase components) in the original content
+    // This includes code blocks since JSX code examples should be detected
+    // Pattern matches:
+    // - Self-closing: <Component /> or <Component/>
+    // - With attributes: <Component prop="value" />
+    // - With children: <Component>...</Component>
+    // Use simpler, safer patterns to avoid ReDoS from backtracking
+    // Match self-closing tags with bounded attribute length to prevent excessive backtracking
+    const jsxSelfClosingPattern = /<[A-Z][a-zA-Z0-9]*(?:\s[^>]{0,50})?\/>/;
+    if (jsxSelfClosingPattern.test(content)) {
+        return false;
+    }
+    // For components with children, use a safer pattern that limits backtracking
+    // Match opening tag with bounded attributes, then look for closing tag with same name
+    const jsxWithChildrenPattern = /<([A-Z][a-zA-Z0-9]*)(?:\s[^>]{0,50})?>[\s\S]{0,50}<\/\1>/;
+    if (jsxWithChildrenPattern.test(content)) {
+        return false;
+    }
+    // Check for MDX expressions and HTML tags in the original content
+    // HTML/JSX/MDX in code blocks should be detected (as per test requirements)
+    // But exclude inline code that contains magic block patterns to avoid false positives
+    let contentForHtmlMdx = content;
+    // Find inline code blocks and check if they contain [block: pattern
+    // Exclude these from HTML/MDX detection to avoid false positives
+    const inlineCodePattern = /`[^`\n]+`/g;
+    let inlineCodeMatch;
+    inlineCodePattern.lastIndex = 0;
+    while ((inlineCodeMatch = inlineCodePattern.exec(content)) !== null) {
+        if (inlineCodeMatch[0].includes('[block:')) {
+            contentForHtmlMdx = contentForHtmlMdx.replace(inlineCodeMatch[0], '');
+        }
+    }
+    // Match simple MDX variable expressions like {variable}, {user.name}, {getValue()}, {}
+    // Use bounded quantifier to prevent ReDoS - limit to reasonable variable name length
+    // Allow empty braces {} to be detected as well
+    const jsxExpressionPattern = /\{[^}"]{0,50}\}/;
+    if (jsxExpressionPattern.test(contentForHtmlMdx)) {
+        return false;
+    }
+    // Match HTML tags with bounded attribute length to prevent ReDoS
+    const htmlTagPattern = /<[a-z][a-z0-9]*(?:\s[^>]{0,50})?(?:\/>|>)/i;
+    if (htmlTagPattern.test(contentForHtmlMdx)) {
+        return false;
+    }
+    return true;
+}
+
 ;// ./lib/index.ts
 
 
@@ -95312,6 +95396,7 @@ async function stripComments(doc, { mdx } = {}) {
 
 
 
+
 ;// ./index.tsx
 
 

package/dist/main.node.js

@@ -19024,6 +19024,7 @@ __webpack_require__.d(__webpack_exports__, {
   exports: () => (/* reexport */ lib_exports),
   gemojiRegex: () => (/* reexport */ gemoji_regex),
   hast: () => (/* reexport */ lib_hast),
+  isPlainText: () => (/* reexport */ isPlainText),
   mdast: () => (/* reexport */ lib_mdast),
   mdastV6: () => (/* reexport */ lib_mdastV6),
   mdx: () => (/* reexport */ lib_mdx),
@@ -115498,6 +115499,89 @@ async function stripComments(doc, { mdx } = {}) {
 }
 /* harmony default export */ const lib_stripComments = (stripComments);
 
+;// ./lib/utils/isPlainText.ts
+
+/**
+ * Detects if content contains HTML, magic blocks, or MDX syntax.
+ *
+ * We can use this in some pipelines to determine if we should have to parse content through
+ * `.plain() or if it is already plain text and it should be able to detect everything that would
+ * be stripped or sanitized by `.plain()`.
+ *
+ */
+function isPlainText(content) {
+    if (!content || typeof content !== 'string') {
+        return true;
+    }
+    // Exclude markdown code blocks and inline code to avoid false positives
+    // Match code blocks with optional language identifier: ```lang\n...\n```
+    const codeBlockRegex = /```[^\n]*\n[\s\S]*?```/g;
+    // Match inline code: `code` (but not escaped backticks)
+    const inlineCodeRegex = /`[^`\n]+`/g;
+    // Remove code blocks and inline code to avoid false positives
+    let contentWithoutCode = structuredClone(content);
+    contentWithoutCode = contentWithoutCode.replace(codeBlockRegex, '');
+    contentWithoutCode = contentWithoutCode.replace(inlineCodeRegex, '');
+    // Check for magic blocks: `[block:TYPE]...[/block]`
+    // Only check after removing code blocks to avoid detecting magic blocks in code
+    if (contentWithoutCode.match(MAGIC_BLOCK_REGEX) !== null) {
+        return false;
+    }
+    // Check for markdown links: [text](url) or [text][reference]
+    // Pattern matches inline links and reference-style links
+    // Exclude images which start with ! before the bracket
+    // Only check after removing code blocks
+    const markdownLinkPattern = /(?<!!)\[([^\]]+)\]\(([^)]+)\)|(?<!!)\[([^\]]+)\]\[([^\]]*)\]/;
+    if (markdownLinkPattern.test(contentWithoutCode)) {
+        return false;
+    }
+    // Check for JSX elements (PascalCase components) in the original content
+    // This includes code blocks since JSX code examples should be detected
+    // Pattern matches:
+    // - Self-closing: <Component /> or <Component/>
+    // - With attributes: <Component prop="value" />
+    // - With children: <Component>...</Component>
+    // Use simpler, safer patterns to avoid ReDoS from backtracking
+    // Match self-closing tags with bounded attribute length to prevent excessive backtracking
+    const jsxSelfClosingPattern = /<[A-Z][a-zA-Z0-9]*(?:\s[^>]{0,50})?\/>/;
+    if (jsxSelfClosingPattern.test(content)) {
+        return false;
+    }
+    // For components with children, use a safer pattern that limits backtracking
+    // Match opening tag with bounded attributes, then look for closing tag with same name
+    const jsxWithChildrenPattern = /<([A-Z][a-zA-Z0-9]*)(?:\s[^>]{0,50})?>[\s\S]{0,50}<\/\1>/;
+    if (jsxWithChildrenPattern.test(content)) {
+        return false;
+    }
+    // Check for MDX expressions and HTML tags in the original content
+    // HTML/JSX/MDX in code blocks should be detected (as per test requirements)
+    // But exclude inline code that contains magic block patterns to avoid false positives
+    let contentForHtmlMdx = content;
+    // Find inline code blocks and check if they contain [block: pattern
+    // Exclude these from HTML/MDX detection to avoid false positives
+    const inlineCodePattern = /`[^`\n]+`/g;
+    let inlineCodeMatch;
+    inlineCodePattern.lastIndex = 0;
+    while ((inlineCodeMatch = inlineCodePattern.exec(content)) !== null) {
+        if (inlineCodeMatch[0].includes('[block:')) {
+            contentForHtmlMdx = contentForHtmlMdx.replace(inlineCodeMatch[0], '');
+        }
+    }
+    // Match simple MDX variable expressions like {variable}, {user.name}, {getValue()}, {}
+    // Use bounded quantifier to prevent ReDoS - limit to reasonable variable name length
+    // Allow empty braces {} to be detected as well
+    const jsxExpressionPattern = /\{[^}"]{0,50}\}/;
+    if (jsxExpressionPattern.test(contentForHtmlMdx)) {
+        return false;
+    }
+    // Match HTML tags with bounded attribute length to prevent ReDoS
+    const htmlTagPattern = /<[a-z][a-z0-9]*(?:\s[^>]{0,50})?(?:\/>|>)/i;
+    if (htmlTagPattern.test(contentForHtmlMdx)) {
+        return false;
+    }
+    return true;
+}
+
 ;// ./lib/index.ts
 
 
@@ -115516,6 +115600,7 @@ async function stripComments(doc, { mdx } = {}) {
 
 
 
+
 ;// ./index.tsx