npm - @wdprlib/render - Versions diffs - 1.0.0-rc.0 → 1.0.1 - Mend

@wdprlib/render 1.0.0-rc.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -4209,8 +4209,8 @@ function renderGitlabSnippet(ctx, snippetId) {
 }
 // packages/render/src/elements/embed-block.ts
-var import_dompurify = __toESM(require("dompurify"));
-var import_jsdom = require("jsdom");
+var import_htmlparser2 = require("htmlparser2");
+var import_sanitize_html = __toESM(require("sanitize-html"));
 var BOOLEAN_ATTRIBUTES = [
   "allowfullscreen",
   "async",
@@ -4244,21 +4244,42 @@ var DEFAULT_EMBED_ALLOWLIST = [
   { host: "w.soundcloud.com", pathPrefix: "/player/" },
   { host: "codepen.io" }
 ];
-var window = new import_jsdom.JSDOM("").window;
-var purify = import_dompurify.default(window);
-purify.addHook("uponSanitizeAttribute", (_node, data) => {
-  if (data.attrName === "src" && data.attrValue) {
-    if (!data.attrValue.toLowerCase().startsWith("https://")) {
-      data.attrValue = "";
-      data.forceKeepAttr = false;
+var SANITIZE_CONFIG = {
+  allowedTags: ["iframe"],
+  allowedAttributes: {
+    iframe: [
+      "src",
+      "allow",
+      "allowfullscreen",
+      "frameborder",
+      "height",
+      "loading",
+      "referrerpolicy",
+      "sandbox",
+      "title",
+      "width"
+    ]
+  },
+  allowedSchemes: ["https"]
+};
+function findIframes(html) {
+  const doc = import_htmlparser2.parseDocument(html);
+  const iframes = [];
+  function walk(nodes) {
+    for (const node of nodes) {
+      if (node.type === "tag") {
+        if (node.name === "iframe") {
+          iframes.push(node);
+        }
+        if (node.children) {
+          walk(node.children);
+        }
+      }
     }
   }
-});
-var DOMPURIFY_CONFIG = {
-  ALLOWED_TAGS: ["iframe"],
-  ADD_ATTR: ["allow", "allowfullscreen", "frameborder", "loading", "referrerpolicy", "sandbox"],
-  FORBID_ATTR: ["srcdoc", "onload", "onerror", "onclick"]
-};
+  walk(doc.children);
+  return iframes;
+}
 function matchesHostPattern(hostname, pattern) {
   const lowerHostname = hostname.toLowerCase();
   const lowerPattern = pattern.toLowerCase();
@@ -4288,20 +4309,16 @@ function matchesAllowlistEntry(url, entry) {
   return true;
 }
 function validateAndSanitizeEmbed(content, allowlist) {
-  const sanitized = purify.sanitize(content.trim(), {
-    ...DOMPURIFY_CONFIG,
-    RETURN_TRUSTED_TYPE: false
-  });
+  const sanitized = import_sanitize_html.default(content.trim(), SANITIZE_CONFIG);
   if (!sanitized.trim()) {
     return null;
   }
-  const dom = new import_jsdom.JSDOM(sanitized);
-  const iframes = dom.window.document.querySelectorAll("iframe");
+  const iframes = findIframes(sanitized);
   if (iframes.length !== 1) {
     return null;
   }
   const iframe = iframes[0];
-  const src = iframe.getAttribute("src")?.trim();
+  const src = iframe.attribs.src?.trim();
   if (!src) {
     return null;
   }

package/dist/index.d.cts CHANGED Viewed

@@ -15,7 +15,7 @@ interface EmbedAllowlistEntry {
 * Only iframes with src matching these host+path patterns will be rendered.
 *
 * Note: Set to null to allow any HTTPS iframe (Wikidot's 'anyiframe' behavior).
-* DOMPurify still enforces HTTPS-only and blocks dangerous attributes.
+* sanitize-html still enforces HTTPS-only and blocks dangerous attributes.
 */
 declare const DEFAULT_EMBED_ALLOWLIST: EmbedAllowlistEntry[] | null;
 /**

package/dist/index.d.ts CHANGED Viewed

@@ -15,7 +15,7 @@ interface EmbedAllowlistEntry {
 * Only iframes with src matching these host+path patterns will be rendered.
 *
 * Note: Set to null to allow any HTTPS iframe (Wikidot's 'anyiframe' behavior).
-* DOMPurify still enforces HTTPS-only and blocks dangerous attributes.
+* sanitize-html still enforces HTTPS-only and blocks dangerous attributes.
 */
 declare const DEFAULT_EMBED_ALLOWLIST: EmbedAllowlistEntry[] | null;
 /**

package/dist/index.js CHANGED Viewed

@@ -4159,8 +4159,8 @@ function renderGitlabSnippet(ctx, snippetId) {
 }
 // packages/render/src/elements/embed-block.ts
-import DOMPurify from "dompurify";
-import { JSDOM } from "jsdom";
+import { parseDocument } from "htmlparser2";
+import sanitizeHtml from "sanitize-html";
 var BOOLEAN_ATTRIBUTES = [
   "allowfullscreen",
   "async",
@@ -4194,21 +4194,42 @@ var DEFAULT_EMBED_ALLOWLIST = [
   { host: "w.soundcloud.com", pathPrefix: "/player/" },
   { host: "codepen.io" }
 ];
-var window = new JSDOM("").window;
-var purify = DOMPurify(window);
-purify.addHook("uponSanitizeAttribute", (_node, data) => {
-  if (data.attrName === "src" && data.attrValue) {
-    if (!data.attrValue.toLowerCase().startsWith("https://")) {
-      data.attrValue = "";
-      data.forceKeepAttr = false;
+var SANITIZE_CONFIG = {
+  allowedTags: ["iframe"],
+  allowedAttributes: {
+    iframe: [
+      "src",
+      "allow",
+      "allowfullscreen",
+      "frameborder",
+      "height",
+      "loading",
+      "referrerpolicy",
+      "sandbox",
+      "title",
+      "width"
+    ]
+  },
+  allowedSchemes: ["https"]
+};
+function findIframes(html) {
+  const doc = parseDocument(html);
+  const iframes = [];
+  function walk(nodes) {
+    for (const node of nodes) {
+      if (node.type === "tag") {
+        if (node.name === "iframe") {
+          iframes.push(node);
+        }
+        if (node.children) {
+          walk(node.children);
+        }
+      }
     }
   }
-});
-var DOMPURIFY_CONFIG = {
-  ALLOWED_TAGS: ["iframe"],
-  ADD_ATTR: ["allow", "allowfullscreen", "frameborder", "loading", "referrerpolicy", "sandbox"],
-  FORBID_ATTR: ["srcdoc", "onload", "onerror", "onclick"]
-};
+  walk(doc.children);
+  return iframes;
+}
 function matchesHostPattern(hostname, pattern) {
   const lowerHostname = hostname.toLowerCase();
   const lowerPattern = pattern.toLowerCase();
@@ -4238,20 +4259,16 @@ function matchesAllowlistEntry(url, entry) {
   return true;
 }
 function validateAndSanitizeEmbed(content, allowlist) {
-  const sanitized = purify.sanitize(content.trim(), {
-    ...DOMPURIFY_CONFIG,
-    RETURN_TRUSTED_TYPE: false
-  });
+  const sanitized = sanitizeHtml(content.trim(), SANITIZE_CONFIG);
   if (!sanitized.trim()) {
     return null;
   }
-  const dom = new JSDOM(sanitized);
-  const iframes = dom.window.document.querySelectorAll("iframe");
+  const iframes = findIframes(sanitized);
   if (iframes.length !== 1) {
     return null;
   }
   const iframe = iframes[0];
-  const src = iframe.getAttribute("src")?.trim();
+  const src = iframe.attribs.src?.trim();
   if (!src) {
     return null;
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@wdprlib/render",
-  "version": "1.0.0-rc.0",
+  "version": "1.0.1",
   "description": "HTML renderer for Wikidot markup",
   "keywords": [
     "html",
@@ -39,13 +39,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@wdprlib/ast": "1.0.0-rc.0",
-    "dompurify": "^3.3.1",
-    "jsdom": "^28.0.0",
+    "@wdprlib/ast": "1.0.0",
+    "domhandler": "^5.0.3",
+    "htmlparser2": "^10.0.0",
+    "sanitize-html": "^2.14.0",
     "temml": "^0.13.1"
   },
   "devDependencies": {
-    "@types/dompurify": "^3.2.0",
-    "@types/jsdom": "^27.0.0"
+    "@types/sanitize-html": "^2.13.0"
   }
 }