boltdocs 1.11.0 → 2.0.0

package/src/node/routes/parser.ts

@@ -9,6 +9,8 @@ import {
   capitalize,
   stripNumberPrefix,
   extractNumberPrefix,
+  sanitizeHtml,
+  stripHtmlTags,
 } from '../utils'
 
 /**
@@ -118,47 +120,47 @@ export function parseDocFile(
 
   const isGroupIndex = parts.length >= 2 && /^index\.mdx?$/.test(cleanFileName)
 
-  const headings: { level: number; text: string; id: string }[] = []
   const slugger = new GithubSlugger()
+  const headings: { level: number; text: string; id: string }[] = []
   const headingsRegex = /^(#{2,4})\s+(.+)$/gm
+
   let match
   while ((match = headingsRegex.exec(content)) !== null) {
     const level = match[1].length
-    // Strip simple markdown formatting specifically for the plain-text search index
-    const text = match[2]
-      .replace(/\[([^\]]+)\]\([^\)]+\)/g, '$1')
-      .replace(/[_*`]/g, '')
-      .trim()
-    const id = slugger.slug(text)
-    // Security: Sanitize heading text for XSS
-    const sanitizedText = text
-      .replace(/<script\b[^>]*>([\s\S]*?)<\/script>/gim, '')
-      .replace(/<[^>]+on\w+="[^"]*"/gim, '')
-      .replace(/<img[^>]+>/gim, '')
+    const rawText = match[2]
+      .replace(/\[([^\]]+)\]\([^\)]+\)/g, '$1') // Strip markdown links
+      .replace(/[_*`]/g, '') // Strip markdown formatting
       .trim()
+
+    const sanitizedText = sanitizeHtml(rawText).trim()
+    const id = slugger.slug(sanitizedText)
+
     headings.push({ level, text: sanitizedText, id })
   }
 
-  const sanitize = (str: string) =>
-    str.replace(/<script\b[^>]*>([\s\S]*?)<\/script>/gim, '').trim()
-
-  const sanitizedTitle = data.title ? sanitize(data.title) : inferredTitle
-  let sanitizedDescription = data.description ? sanitize(data.description) : ''
+  const sanitizedTitle = data.title
+    ? sanitizeHtml(String(data.title))
+    : inferredTitle
+  let sanitizedDescription = data.description
+    ? sanitizeHtml(String(data.description))
+    : ''
 
   // If no description is provided, extract a summary from the content
   if (!sanitizedDescription && content) {
-    sanitizedDescription = sanitize(
+    const plainExcerpt = stripHtmlTags(
       content
         .replace(/^#+.*$/gm, '') // Remove headers
         .replace(/\[([^\]]+)\]\([^\)]+\)/g, '$1') // Simplify links
         .replace(/[_*`]/g, '') // Remove formatting
-        .replace(/\s+/g, ' ') // Normalize whitespace
-        .trim()
-        .slice(0, 160),
+        .replace(/\s+/g, ' '), // Normalize whitespace
     )
+      .trim()
+      .slice(0, 160)
+
+    sanitizedDescription = plainExcerpt
   }
 
-  const sanitizedBadge = data.badge ? sanitize(data.badge) : undefined
+  const sanitizedBadge = data.badge ? sanitizeHtml(String(data.badge)) : undefined
   const icon = data.icon ? String(data.icon) : undefined
 
   // Extract full content as plain text for search indexing
@@ -203,24 +205,17 @@ export function parseDocFile(
   }
 }
 
-/**
- * Sanitizes a string by removing script tags for basic XSS protection.
- */
-function sanitize(str: string): string {
-  return str.replace(/<script\b[^>]*>([\s\S]*?)<\/script>/gim, '').trim()
-}
-
 /**
  * Converts markdown content to plain text for search indexing.
  * Strips headers, links, tags, and formatting.
  */
 function parseContentToPlainText(content: string): string {
-  return content
+  const plainText = content
     .replace(/^#+.*$/gm, '') // Remove headers
     .replace(/\[([^\]]+)\]\([^\)]+\)/g, '$1') // Simplify links
-    .replace(/<[^>]+>/g, '') // Remove HTML/JSX tags
     .replace(/\{[^\}]+\}/g, '') // Remove JS expressions/curly braces
     .replace(/[_*`]/g, '') // Remove formatting
     .replace(/\s+/g, ' ') // Normalize whitespace
-    .trim()
+
+  return stripHtmlTags(plainText).trim()
 }

package/src/node/ssg/index.ts

@@ -39,8 +39,34 @@ export async function generateStaticPages(options: SSGOptions): Promise<void> {
     )
     return
   }
+
+  // Mock require so Node doesn't choke on virtual modules compiled externally
+  const Module = _require('module')
+  const originalRequire = Module.prototype.require
+  ;(Module.prototype as any).require = function (id: string, ...args: any[]) {
+    if (id === 'virtual:boltdocs-layout') {
+      return {
+        __esModule: true,
+        default: function SSG_Virtual_Layout(props: any) {
+          try {
+            const client = originalRequire.apply(this, [path.resolve(_dirname, '../client/index.js')])
+            const Comp = client.DefaultLayout || (({ children }: any) => children)
+            const React = originalRequire.apply(this, ['react'])
+            return React.createElement(Comp, props)
+          } catch (e) {
+            return props.children
+          }
+        }
+      }
+    }
+    return originalRequire.apply(this, [id, ...args])
+  }
+
   const { render } = _require(ssrModulePath)
 
+  // Restore require after loading the module
+  ;(Module.prototype as any).require = originalRequire
+
   // Read the built index.html as template
   const templatePath = path.join(outDir, 'index.html')
   if (!fs.existsSync(templatePath)) {
@@ -57,7 +83,7 @@ export async function generateStaticPages(options: SSGOptions): Promise<void> {
 
       // We mock the modules for SSR so it doesn't crash trying to dynamically import
       const fakeModules: Record<string, any> = {}
-      fakeModules[route.componentPath] = { default: () => {} } // Mock MDX component
+      fakeModules[`/${docsDirName}/${route.filePath}`] = { default: () => null } // Mock MDX component
 
       try {
         const appHtml = await render({
@@ -83,8 +109,8 @@ export async function generateStaticPages(options: SSGOptions): Promise<void> {
           html,
           'utf-8',
         )
-      } catch (e) {
-        console.error(`[boltdocs] Error SSR rendering route ${route.path}:`, e)
+      } catch (e: any) {
+        console.error(`[boltdocs] Error SSR rendering route ${route.path}:`, e ? e.stack || e : e)
       }
     }),
   )

package/src/node/utils.ts

@@ -1,5 +1,6 @@
 import fs from 'fs'
 import matter from 'gray-matter'
+import DOMPurify from 'isomorphic-dompurify'
 
 /**
  * Normalizes a file path by replacing Windows backslashes with forward slashes.
@@ -136,6 +137,28 @@ export function fileToRoutePath(relativePath: string): string {
   return routePath
 }
 
+/**
+ * Sanitizes an HTML string using DOMPurify to prevent XSS.
+ * By default, it allows a safe subset of HTML tags.
+ *
+ * @param html - The raw HTML string
+ * @returns The sanitized HTML
+ */
+export function sanitizeHtml(html: string): string {
+  return DOMPurify.sanitize(html)
+}
+
+/**
+ * Strips all HTML tags from a string, returning only the text content.
+ * Uses DOMPurify for secure and complete tag removal.
+ *
+ * @param html - The string containing HTML tags
+ * @returns The plain text content
+ */
+export function stripHtmlTags(html: string): string {
+  return DOMPurify.sanitize(html, { ALLOWED_TAGS: [], KEEP_CONTENT: true })
+}
+
 /**
  * Capitalizes the first letter of a given string.
  * Used primarily for generating default group titles.