@xh/hoist 77.0.0-SNAPSHOT.1761157373322 → 77.0.0-SNAPSHOT.1761229417098

package/CHANGELOG.md

@@ -2,6 +2,19 @@
 
 ## 77.0.0-SNAPSHOT - unreleased
 
+### 💥 Breaking Changes
+
+* The `disableXssProtection` flag supported by `AppSpec` and `FieldSpec` has been removed and
+  replaced with its opposite, `enableXssProtection`, now an opt-in feature.
+    * While store-based XSS protection via DomPurify is still available to apps that can display
+      untrusted or potentially malicious data, this is an uncommon use case for Hoist apps and was
+      deemed to not provide enough benefit relative to potential performance pitfalls for most
+      applications. In addition, the core change to React-based AG Grid rendering has reduced the
+      attack surface for such exploits relative to when this system was first implemented.
+    * Apps that were previously opting-out via `disableXssProtection` should simply remove that
+      flag. Apps for which this protection remains important should enable at either the app level
+      or for selected Fields and/or Stores.
+      
 ## 76.2.0 - 2025-10-22
 
 ### ⚙️ Technical

package/admin/tabs/cluster/instances/logs/levels/LogLevelDialogModel.ts

@@ -51,7 +51,7 @@ export class LogLevelDialogModel extends HoistModel {
             showRefreshButton: true,
             store: {
                 url: 'rest/logLevelAdmin',
-                fieldDefaults: {disableXssProtection: true},
+                fieldDefaults: {enableXssProtection: false},
                 fields: [
                     {
                         name: 'name',

package/admin/tabs/general/config/ConfigPanelModel.ts

@@ -57,7 +57,7 @@ export class ConfigPanelModel extends HoistModel {
             store: new RestStore({
                 url: 'rest/configAdmin',
                 reloadLookupsOnLoad: true,
-                fieldDefaults: {disableXssProtection: true},
+                fieldDefaults: {enableXssProtection: false},
                 fields: [
                     {...(Col.name.field as FieldSpec), required},
                     {

package/admin/tabs/monitor/editor/MonitorEditorDialog.ts

@@ -51,7 +51,7 @@ const modelSpec: RestGridConfig = {
     showRefreshButton: true,
     store: {
         url: 'rest/monitorAdmin',
-        fieldDefaults: {disableXssProtection: true},
+        fieldDefaults: {enableXssProtection: false},
         fields: [
             {...(MCol.code.field as FieldSpec), required},
             MCol.metricUnit.field,

package/admin/tabs/userData/jsonblob/JsonBlobModel.ts

@@ -51,7 +51,7 @@ export class JsonBlobModel extends HoistModel {
             store: {
                 url: 'rest/jsonBlobAdmin',
                 reloadLookupsOnLoad: true,
-                fieldDefaults: {disableXssProtection: true},
+                fieldDefaults: {enableXssProtection: false},
                 fields: [
                     {...(JBCol.token.field as FieldSpec), editable: false},
                     JBCol.owner.field,

package/admin/tabs/userData/prefs/UserPreferenceModel.ts

@@ -34,7 +34,7 @@ export class UserPreferenceModel extends HoistModel {
             store: {
                 url: 'rest/userPreferenceAdmin',
                 reloadLookupsOnLoad: true,
-                fieldDefaults: {disableXssProtection: true},
+                fieldDefaults: {enableXssProtection: false},
                 fields: [
                     {
                         ...(Col.name.field as FieldSpec),

package/admin/tabs/userData/prefs/editor/PrefEditorModel.ts

@@ -47,7 +47,7 @@ export class PrefEditorModel extends HoistModel {
             store: {
                 url: 'rest/preferenceAdmin',
                 reloadLookupsOnLoad: true,
-                fieldDefaults: {disableXssProtection: true},
+                fieldDefaults: {enableXssProtection: false},
                 fields: [
                     {...(Col.name.field as FieldSpec), required},
                     {

package/build/types/core/AppSpec.d.ts

@@ -58,12 +58,19 @@ export declare class AppSpec<T extends HoistAppModel = HoistAppModel> {
      */
     disableWebSockets?: boolean;
     /**
-     * True to disable Field-level XSS protection by default across all Stores/Fields in the app.
-     * For use with secure, internal apps that do not display arbitrary/external user input and
-     * have tight performance tolerances and/or load very large record sets.
-     * @see FieldSpec.disableXssProtection
+     * True to enable Field-level XSS protection by default across all Stores/Fields in the app.
+     * Available as an extra precaution for use with apps that might display arbitrary input from
+     * untrusted or external users. This feature does exact a minor performance penalty during data
+     * parsing, which can be significant in aggregate for very large stores containing records with
+     * many `string` fields.
+     *
+     * Note: this flag and its default behavior was changed as of Hoist v77 to be `false`, i.e.
+     * Store-level XSS protection *disabled* by default, in keeping with Hoist's primary use-case:
+     * building secured internal apps with large datasets and tight performance tolerances.
+     *
+     * @see FieldSpec.enableXssProtection
      */
-    disableXssProtection?: boolean;
+    enableXssProtection?: boolean;
     /**
      * True to show a login form on initialization when not authenticated. Default is `false` as
      * most Hoist applications are expected to use OAuth or SSO for authn.
@@ -111,7 +118,7 @@ export declare class AppSpec<T extends HoistAppModel = HoistAppModel> {
     trackAppLoad?: boolean;
     /** @deprecated - use {@link AppSpec.disableWebSockets} instead. */
     webSocketsEnabled?: boolean;
-    constructor({ authModelClass, checkAccess, clientAppCode, clientAppName, componentClass, containerClass, disableWebSockets, disableXssProtection, enableLoginForm, enableLogout, idlePanel, isMobileApp, lockoutMessage, lockoutPanel, loginMessage, modelClass, showBrowserContextMenu, trackAppLoad, webSocketsEnabled }: {
+    constructor({ authModelClass, checkAccess, clientAppCode, clientAppName, componentClass, containerClass, disableWebSockets, enableXssProtection, enableLoginForm, enableLogout, idlePanel, isMobileApp, lockoutMessage, lockoutPanel, loginMessage, modelClass, showBrowserContextMenu, trackAppLoad, webSocketsEnabled }: {
         authModelClass?: typeof HoistAuthModel;
         checkAccess: any;
         clientAppCode?: string;
@@ -119,7 +126,7 @@ export declare class AppSpec<T extends HoistAppModel = HoistAppModel> {
         componentClass: any;
         containerClass: any;
         disableWebSockets?: boolean;
-        disableXssProtection?: boolean;
+        enableXssProtection?: boolean;
         enableLoginForm?: boolean;
         enableLogout?: boolean;
         idlePanel?: any;

package/build/types/data/Field.d.ts

@@ -17,15 +17,24 @@ export interface FieldSpec {
     /** Rules to apply to this field. */
     rules?: RuleLike[];
     /**
-     * True to disable built-in XSS (cross-site scripting) protection, applied by default to all
-     * incoming String values using {@link https://github.com/cure53/DOMPurify | DOMPurify}.
+     * True to enable built-in XSS (cross-site scripting) protection to all incoming String values
+     * using {@link https://github.com/cure53/DOMPurify | DOMPurify}.
      *
      * DOMPurify provides fast escaping of dangerous HTML, scripting, and other content that can be
      * used to execute XSS attacks, while allowing common and expected HTML and style tags.
      *
-     * Please contact XH if you find yourself needing to disable this protection!
+     * This feature does exact a minor performance penalty during data parsing, which can be
+     * significant in aggregate for very large stores containing records with many `string` fields.
+     *
+     * For extra safety, apps which are open to potentially-untrusted users or display other
+     * potentially dangerous string content can opt into this setting app-wide via
+     * {@link AppSpec.enableXssProtection}. Field-level setting will override any app-level default.
+     *
+     * Note: this flag and its default behavior was changed as of Hoist v77 to be `false`, i.e.
+     * Store-level XSS protection *disabled* by default, in keeping with Hoist's primary use-case:
+     * building secured internal apps with large datasets and tight performance tolerances.
      */
-    disableXssProtection?: boolean;
+    enableXssProtection?: boolean;
 }
 /** Metadata for an individual data field within a {@link StoreRecord}. */
 export declare class Field {
@@ -35,8 +44,8 @@ export declare class Field {
     readonly displayName: string;
     readonly defaultValue: any;
     readonly rules: Rule[];
-    readonly disableXssProtection: boolean;
-    constructor({ name, type, displayName, defaultValue, rules, disableXssProtection }: FieldSpec);
+    readonly enableXssProtection: boolean;
+    constructor({ name, type, displayName, defaultValue, rules, enableXssProtection }: FieldSpec);
     parseVal(val: any): any;
     isEqual(val1: any, val2: any): boolean;
     private processRuleSpecs;
@@ -46,11 +55,11 @@ export declare class Field {
  * @param val - raw value to parse.
  * @param type - data type of the field to use for possible conversion.
  * @param defaultValue - typed value to return if `val` undefined or null.
- * @param disableXssProtection - true to disable XSS (cross-site scripting) protection.
- *      @see {@link FieldConfig} docs for additional details.
+ * @param enableXssProtection - true to enable XSS (cross-site scripting) protection.
+ *      See {@link FieldSpec.enableXssProtection} for additional details.
  * @returns resulting value, potentially parsed or cast as per type.
  */
-export declare function parseFieldValue(val: any, type: FieldType, defaultValue?: any, disableXssProtection?: boolean): any;
+export declare function parseFieldValue(val: any, type: FieldType, defaultValue?: any, enableXssProtection?: boolean): any;
 /** Data types for Fields used within Hoist Store Records and Cubes. */
 export declare const FieldType: Readonly<{
     TAGS: "tags";

package/build/types/data/Store.d.ts

@@ -12,7 +12,7 @@ export interface StoreConfig {
      * Default configs applied to `Field` instances constructed internally by this Store.
      * @see FieldSpec
      */
-    fieldDefaults?: any;
+    fieldDefaults?: Omit<FieldSpec, 'name'>;
     /**
      * Specification for producing an immutable unique id for each record. May be provided as
      * either a string property name (default is 'id') or a function that receives the raw data

package/build/types/data/cube/Query.d.ts

@@ -81,7 +81,7 @@ export interface QueryConfig {
      *
      * This can be used to break selected aggregations into sub-groups dynamically, without having
      * to define another dimension in the Cube and have it apply to all aggregations. See the
-     * {@link BucketSpec} interface for additional information.
+     * {@link BucketSpecFn} type and {@link BucketSpec} interface for additional information.
      *
      * Defaults to {@link Cube.bucketSpecFn}.
      */

package/core/AppSpec.ts

@@ -71,12 +71,19 @@ export class AppSpec<T extends HoistAppModel = HoistAppModel> {
     disableWebSockets?: boolean;
 
     /**
-     * True to disable Field-level XSS protection by default across all Stores/Fields in the app.
-     * For use with secure, internal apps that do not display arbitrary/external user input and
-     * have tight performance tolerances and/or load very large record sets.
-     * @see FieldSpec.disableXssProtection
+     * True to enable Field-level XSS protection by default across all Stores/Fields in the app.
+     * Available as an extra precaution for use with apps that might display arbitrary input from
+     * untrusted or external users. This feature does exact a minor performance penalty during data
+     * parsing, which can be significant in aggregate for very large stores containing records with
+     * many `string` fields.
+     *
+     * Note: this flag and its default behavior was changed as of Hoist v77 to be `false`, i.e.
+     * Store-level XSS protection *disabled* by default, in keeping with Hoist's primary use-case:
+     * building secured internal apps with large datasets and tight performance tolerances.
+     *
+     * @see FieldSpec.enableXssProtection
      */
-    disableXssProtection?: boolean;
+    enableXssProtection?: boolean;
 
     /**
      * True to show a login form on initialization when not authenticated. Default is `false` as
@@ -144,7 +151,7 @@ export class AppSpec<T extends HoistAppModel = HoistAppModel> {
         componentClass,
         containerClass,
         disableWebSockets = false,
-        disableXssProtection = false,
+        enableXssProtection = false,
         enableLoginForm = false,
         enableLogout = false,
         idlePanel = null,
@@ -191,7 +198,7 @@ export class AppSpec<T extends HoistAppModel = HoistAppModel> {
         this.componentClass = componentClass;
         this.containerClass = containerClass;
         this.disableWebSockets = disableWebSockets;
-        this.disableXssProtection = disableXssProtection;
+        this.enableXssProtection = enableXssProtection;
         this.enableLoginForm = enableLoginForm;
         this.enableLogout = enableLogout;
         this.idlePanel = idlePanel;

package/data/Field.ts

@@ -36,15 +36,24 @@ export interface FieldSpec {
     rules?: RuleLike[];
 
     /**
-     * True to disable built-in XSS (cross-site scripting) protection, applied by default to all
-     * incoming String values using {@link https://github.com/cure53/DOMPurify | DOMPurify}.
+     * True to enable built-in XSS (cross-site scripting) protection to all incoming String values
+     * using {@link https://github.com/cure53/DOMPurify | DOMPurify}.
      *
      * DOMPurify provides fast escaping of dangerous HTML, scripting, and other content that can be
      * used to execute XSS attacks, while allowing common and expected HTML and style tags.
      *
-     * Please contact XH if you find yourself needing to disable this protection!
+     * This feature does exact a minor performance penalty during data parsing, which can be
+     * significant in aggregate for very large stores containing records with many `string` fields.
+     *
+     * For extra safety, apps which are open to potentially-untrusted users or display other
+     * potentially dangerous string content can opt into this setting app-wide via
+     * {@link AppSpec.enableXssProtection}. Field-level setting will override any app-level default.
+     *
+     * Note: this flag and its default behavior was changed as of Hoist v77 to be `false`, i.e.
+     * Store-level XSS protection *disabled* by default, in keeping with Hoist's primary use-case:
+     * building secured internal apps with large datasets and tight performance tolerances.
      */
-    disableXssProtection?: boolean;
+    enableXssProtection?: boolean;
 }
 
 /** Metadata for an individual data field within a {@link StoreRecord}. */
@@ -58,7 +67,7 @@ export class Field {
     readonly displayName: string;
     readonly defaultValue: any;
     readonly rules: Rule[];
-    readonly disableXssProtection: boolean;
+    readonly enableXssProtection: boolean;
 
     constructor({
         name,
@@ -66,19 +75,19 @@ export class Field {
         displayName,
         defaultValue = null,
         rules = [],
-        disableXssProtection = XH.appSpec.disableXssProtection
+        enableXssProtection = XH.appSpec.enableXssProtection
     }: FieldSpec) {
         this.name = name;
         this.type = type;
         this.displayName = withDefault(displayName, genDisplayName(name));
         this.defaultValue = defaultValue;
         this.rules = this.processRuleSpecs(rules);
-        this.disableXssProtection = disableXssProtection;
+        this.enableXssProtection = enableXssProtection;
     }
 
     parseVal(val: any): any {
-        const {type, defaultValue, disableXssProtection} = this;
-        return parseFieldValue(val, type, defaultValue, disableXssProtection);
+        const {type, defaultValue, enableXssProtection} = this;
+        return parseFieldValue(val, type, defaultValue, enableXssProtection);
     }
 
     isEqual(val1: any, val2: any): boolean {
@@ -102,35 +111,30 @@ export class Field {
  * @param val - raw value to parse.
  * @param type - data type of the field to use for possible conversion.
  * @param defaultValue - typed value to return if `val` undefined or null.
- * @param disableXssProtection - true to disable XSS (cross-site scripting) protection.
- *      @see {@link FieldConfig} docs for additional details.
+ * @param enableXssProtection - true to enable XSS (cross-site scripting) protection.
+ *      See {@link FieldSpec.enableXssProtection} for additional details.
  * @returns resulting value, potentially parsed or cast as per type.
  */
 export function parseFieldValue(
     val: any,
     type: FieldType,
     defaultValue: any = null,
-    disableXssProtection = XH.appSpec.disableXssProtection
+    enableXssProtection: boolean = XH.appSpec.enableXssProtection
 ): any {
     if (val === undefined || val === null) val = defaultValue;
     if (val === null) return val;
 
-    const sanitizeValue = v => {
-        if (disableXssProtection || !isString(v)) return v;
-        return DOMPurify.sanitize(v);
-    };
-
     switch (type) {
         case 'tags':
             val = castArray(val);
             val = val.map(v => {
-                v = sanitizeValue(v);
+                v = !enableXssProtection || !isString(v) ? v : DOMPurify.sanitize(v);
                 return v.toString();
             });
             return val;
         case 'auto':
         case 'json':
-            return sanitizeValue(val);
+            return !enableXssProtection || !isString(val) ? val : DOMPurify.sanitize(val);
         case 'int':
             val = toNumber(val);
             return isFinite(val) ? Math.trunc(val) : null;
@@ -140,7 +144,7 @@ export function parseFieldValue(
             return !!val;
         case 'pwd':
         case 'string':
-            val = sanitizeValue(val);
+            val = !enableXssProtection || !isString(val) ? val : DOMPurify.sanitize(val);
             return val.toString();
         case 'date':
             return isDate(val) ? val : new Date(val);

package/data/Store.ts

@@ -44,7 +44,7 @@ export interface StoreConfig {
      * Default configs applied to `Field` instances constructed internally by this Store.
      * @see FieldSpec
      */
-    fieldDefaults?: any;
+    fieldDefaults?: Omit<FieldSpec, 'name'>;
 
     /**
      * Specification for producing an immutable unique id for each record. May be provided as
@@ -978,17 +978,20 @@ export class Store extends HoistBase {
         this.summaryRecords = null;
     }
 
-    private parseFields(fields: any[], defaults: any): Field[] {
+    private parseFields(
+        fields: Array<string | FieldSpec | Field>,
+        defaults: Omit<FieldSpec, 'name'>
+    ): Field[] {
         const ret = fields.map(f => {
             if (f instanceof Field) return f;
 
-            if (isString(f)) f = {name: f};
+            let fieldSpec: FieldSpec = isString(f) ? {name: f} : f;
 
             if (!isEmpty(defaults)) {
-                f = defaultsDeep({}, f, defaults);
+                fieldSpec = defaultsDeep({}, fieldSpec, defaults);
             }
 
-            return new this.defaultFieldClass(f);
+            return new this.defaultFieldClass(fieldSpec);
         });
 
         throwIf(

package/data/cube/Query.ts

@@ -109,7 +109,7 @@ export interface QueryConfig {
      *
      * This can be used to break selected aggregations into sub-groups dynamically, without having
      * to define another dimension in the Cube and have it apply to all aggregations. See the
-     * {@link BucketSpec} interface for additional information.
+     * {@link BucketSpecFn} type and {@link BucketSpec} interface for additional information.
      *
      * Defaults to {@link Cube.bucketSpecFn}.
      */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xh/hoist",
-  "version": "77.0.0-SNAPSHOT.1761157373322",
+  "version": "77.0.0-SNAPSHOT.1761229417098",
   "description": "Hoist add-on for building and deploying React Applications.",
   "repository": "github:xh/hoist-react",
   "homepage": "https://xh.io",