npm - @runtypelabs/persona - Versions diffs - 2.3.0 → 2.3.1 - Mend

@runtypelabs/persona 2.3.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@runtypelabs/persona",
-  "version": "2.3.0",
+  "version": "2.3.1",
   "description": "Themeable, pluggable streaming agent widget for websites, in plain JS with support for voice input and reasoning / tool output.",
   "type": "module",
   "main": "dist/index.cjs",

package/src/ui.ts CHANGED Viewed

@@ -325,6 +325,16 @@ const buildPostprocessor = (
   // Resolve sanitizer: enabled by default, can be disabled or replaced
   const sanitize = resolveSanitizer(cfg?.sanitize);
+  // Warn developers when a custom postprocessor is used with the default sanitizer,
+  // since DOMPurify will strip any tags/attributes not in the allowlist.
+  if (cfg?.postprocessMessage && sanitize && cfg?.sanitize === undefined) {
+    console.warn(
+      "[Persona] A custom postprocessMessage is active with the default HTML sanitizer. " +
+      "Tags or attributes not in the built-in allowlist will be stripped. " +
+      "To keep custom HTML, set `sanitize: false` or provide a custom sanitize function."
+    );
+  }
   return (context) => {
     let nextText = context.text ?? "";
     const rawPayload = context.message.rawContent ?? null;

package/src/utils/sanitize.ts CHANGED Viewed

@@ -59,7 +59,7 @@ export const createDefaultSanitizer = (): SanitizeFunction => {
       const val = data.attrValue;
       if (val.toLowerCase().startsWith("data:") && !SAFE_DATA_URI.test(val)) {
         data.attrValue = "";
-        data.forceKeepAttr = false;
+        data.keepAttr = false;
       }
     }
   });