flux-md 0.14.0 → 0.15.1

package/CHANGELOG.md

@@ -4,6 +4,109 @@ Notable changes to flux-md. Format based on
 [Keep a Changelog](https://keepachangelog.com/); this project aims to follow
 [Semantic Versioning](https://semver.org/).
 
+## 0.15.1 — 2026-06-22
+
+### Security
+
+- **XSS — dangerous-scheme autolinks are neutralized.** A CommonMark URI autolink
+  (`<javascript:alert(1)>`, `<vbscript:…>`, `<file:…>`) previously emitted a live
+  `href`, because autolinks bypassed the scheme allowlist that regular links go
+  through. They now route through the same decode-stable dangerous-scheme filter:
+  the `href` becomes `#` while the visible link text is unchanged. `file:` is now
+  blocked everywhere (links, autolinks, URL attributes) — it has no legitimate use
+  in rendered untrusted markdown and is a local-resource / phishing vector in
+  privileged contexts (Electron, extensions, `file://` origins).
+- **Component-tag / `htmlToReact` attribute hardening.** Sanitized attributes now
+  also drop React-meaningful names (`dangerouslySetInnerHTML`, `ref`, `key`,
+  `defaultValue`, `defaultChecked`, `suppressHydrationWarning`, …) so a hostile
+  attribute can't crash the render tree or smuggle in a prop. Attribute→prop
+  lookup maps are prototype-free (`Object.create(null)`), and only HTML / `data-`
+  / `aria-` attribute names are forwarded to React.
+
+### Fixed
+
+- **ReDoS / quadratic blow-ups on untrusted input.**
+  - Highlighter (`hi.ts`): the JS/TS regex-literal and bash double-quoted-string
+    patterns could backtrack quadratically on crafted code blocks; both rewritten
+    to linear forms, plus a 50 KB per-block size guard.
+  - URL scheme check: the decode-to-fixpoint loop (Rust `is_dangerous_scheme` and
+    JS `safeUrl`) is capped at 8 passes — still catches multi-encoded
+    `javascript&amp;amp;#58;` payloads, no longer O(n²) on `&amp;`-spam.
+  - Inline parser: nested / unbalanced link-bracket scanning is bounded
+    (depth + length caps); GFM extended-autolink trailing-paren trimming is now
+    linear instead of recounting the span each iteration.
+
+### Changed
+
+- **`flux-md/server` uses a literal `import("node:fs/promises")`** instead of a
+  variable specifier, resolving the `dynamicRequire` supply-chain signal. Behavior
+  is unchanged — still a Node-only, `file:`-guarded branch.
+- Added a **`## Security`** / supply-chain-transparency section to the README and a
+  documented **`socket.yml`** covering the inherent `nativeCode` / `networkAccess`
+  / `filesystemAccess` signals (the WebAssembly core and the opt-in
+  `<flux-markdown src>` fetch).
+
+### Performance
+
+- **No redundant re-renders / rebuilds on no-op updates.**
+  - `<flux-markdown>` ignores a `setAttribute` whose value didn't change (a host
+    framework re-applying identical attributes no longer tears down the self-owned
+    client and reparses the whole document), and the `components` / `sanitize`
+    property setters skip the remount when assigned the same identity.
+  - `FluxClient.reset()` no longer notifies subscribers when the store was already
+    empty — skips a wasted, output-identical render pass.
+  - Documented that `sanitize` (like `components`) should be memoized/hoisted in
+    React, so a fresh closure each render doesn't bust the per-block memo.
+- Added render-count / node-reuse / no-remount regression tests across the React,
+  DOM, store, custom-element, and Vue bindings, locking in that committed blocks
+  never re-render or rebuild as the stream grows (only the streaming tail does).
+
+### Known limitations
+
+- Streaming a single very large **unclosed** block (a multi-megabyte indented code
+  block, open HTML block, or footnote-disarmed list delivered across many chunks)
+  is still O(n²) in the uncommitted-tail length. A bounded incremental cache for
+  these resumable containers is tracked as follow-up; finalized / closed blocks and
+  all other inputs are unaffected.
+
+## 0.15.0 — 2026-06-17
+
+### Added
+
+- **Safe raw-HTML sanitizer (`htmlAllowlist` / `dropHtmlTags`)** — render a safe
+  subset of *inline* raw HTML (`<br>`, `<sub>`, `<sup>`, `<mark>`, …) **without**
+  `unsafeHtml`. Setting either list (even to `[]`) engages it: `htmlAllowlist`
+  non-empty renders only those tags (others escaped); **empty allows all tags
+  except a built-in, non-overridable dangerous set** (`script`, `style`,
+  `iframe`, `object`, `embed`, `form`, `svg`, `xmp`, `plaintext`, …);
+  `dropHtmlTags` removes tags entirely. Every rendered tag's attributes are
+  sanitized — `on*` handlers and `style` (a CSS beacon / clickjacking vector)
+  dropped, dangerous URL schemes (incl. multi-encoded) → `#`. Inline-scoped;
+  block-level raw HTML stays escaped. Matching is case-insensitive.
+
+### Fixed
+
+- **HTML comments are dropped instead of escaped to visible text.** `<!--mk:id-->`
+  (a common LLM marker) previously rendered as a literal `&lt;!--…--&gt;` run or a
+  `<pre><code>` block; it now has no visible representation, in every mode except
+  bare `unsafeHtml` pass-through (which keeps it verbatim for CommonMark fidelity —
+  the browser ignores it either way). A comment-led block with trailing content
+  keeps that content (only comment-*only* blocks are dropped).
+
+### Security
+
+- The dangerous-tag set is **non-overridable** (allowlisting `script`/`iframe`/`svg`
+  still drops them), `style` is stripped from every sanitized/component tag, and
+  raw-text elements (`xmp`/`plaintext`/`noembed`/`noframes`/`listing`) are blocked
+  in allow-all mode — closing CSS-exfiltration / clickjacking / DOM-corruption
+  vectors found in adversarial review. The React `htmlToReact` path mirrors the
+  `style` value-filter as defense-in-depth (safe declarations like `text-align`
+  still pass).
+
+Feature-off output is byte-identical except HTML comments now drop (the
+CommonMark/GFM suites run with `unsafeHtml` on, so the 652/GFM floors are
+unaffected).
+
 ## 0.14.0 — 2026-06-17
 
 ### Added

package/README.md

@@ -558,6 +558,8 @@ const client = new FluxClient({
     unsafeHtml: false,    // pass raw HTML through (default false — keep it false for untrusted input)
     componentTags: ["Thinking", "Callout"], // BLOCK custom tags w/ markdown inside (default none)
     inlineComponentTags: ["tik", "cite"],   // INLINE custom tags (chips/citations) w/ markdown inside (default none)
+    htmlAllowlist: ["br", "sub", "sup"],    // safe raw-HTML sanitizer: [] = allow all but dangerous; list = only those (default off)
+    dropHtmlTags: [],                        // tags removed entirely (comments always dropped when sanitizing; default off)
     blockData: true,      // opt-in structured kind.data per block (default false — see "Structured block data")
   },
 });
@@ -592,6 +594,9 @@ When to enable each flag:
 - `inlineComponentTags: ["tik", …]` — same idea for **inline** custom elements
   that sit inside a paragraph, heading, list item, or **table cell** (ticker
   chips, citations, `@mentions`). See [Inline component tags](#inline-component-tags).
+- `htmlAllowlist` / `dropHtmlTags` — render a **safe subset of raw HTML** (e.g.
+  `<br>`, `<sub>`, `<sup>`) natively without `unsafeHtml`, drop specific tags, and
+  drop HTML comments. See [Safe raw HTML](#safe-raw-html).
 
 **Footnotes** (`gfmFootnotes`) work in streaming with one honest caveat: a
 `[^1]` reference renders speculatively the moment it's seen (committed blocks
@@ -826,6 +831,37 @@ surrounding content.
 > renders inline-in-cells too — `inlineComponentTags` simply replaces that
 > workaround with first-class inline elements.
 
+### Safe raw HTML
+
+LLMs emit a little raw HTML — `<br>`, `<sub>`/`<sup>`, `<mark>`, and HTML comments
+as markers (`<!--mk:id-->`). `unsafeHtml` is all-or-nothing; instead opt into a
+**sanitizer** that renders a safe subset natively. Setting `htmlAllowlist` and/or
+`dropHtmlTags` (even to `[]`) engages it:
+
+```ts
+// Render only these inline tags; escape everything else:
+new FluxClient({ config: { htmlAllowlist: ["br", "sub", "sup", "mark"] } });
+
+// Or allow everything except a built-in dangerous set:
+new FluxClient({ config: { htmlAllowlist: [] } });
+```
+
+- **HTML comments are dropped** — no more `<!--mk:id-->` surfacing as escaped text
+  — in every mode except bare `unsafeHtml` pass-through.
+- **`htmlAllowlist: ["br", …]`** renders only those inline tags; everything else is
+  escaped. **`htmlAllowlist: []`** (empty) allows *all* tags **except a built-in
+  dangerous set** (`script`, `style`, `iframe`, `object`, `embed`, `form`, `svg`,
+  `xmp`, `plaintext`, … — **non-overridable**: allowlisting one still drops it).
+- **`dropHtmlTags: ["mk", …]`** removes those tags entirely (markup gone; inner
+  text stays as inert text).
+- Every rendered tag's **attributes are sanitized**: `on*` handlers and `style`
+  (a CSS beacon / clickjacking vector) are dropped, and dangerous URL schemes
+  (`javascript:`, …, including multi-encoded) become `#`.
+- **Scope:** *inline* raw HTML. Block-level raw HTML stays escaped for now (use
+  `unsafeHtml` **without** the sanitizer to render block HTML — when the sanitizer
+  is engaged, block HTML stays escaped even if `unsafeHtml` is also on). Tag
+  matching is case-insensitive.
+
 ### Types
 
 ```ts
@@ -959,6 +995,43 @@ genuinely hostile content where CSS-overlay/clickjacking matters, render inside
 a sandboxed `<iframe>` instead — sanitization stops injection, not every
 visual-overlay trick.
 
+### Supply-chain transparency
+
+flux-md is **zero runtime dependency** — no third-party packages are pulled in
+at runtime. The parsing core is Rust compiled to WebAssembly, reproducibly
+buildable from `crates/flux-md-core/` via `bun run build:wasm`.
+
+**Native code (WebAssembly).** The shipped `flux_md_core_bg.wasm` (~200 KB) is
+first-party, built from the Rust source in this repo, and runs inside a sandboxed
+Web Worker (browser) or Node worker thread. Supply-chain scanners such as
+[Socket.dev](https://socket.dev) will flag it as `nativeCode` — this is accurate
+and expected. The WASM is not a vendored third-party binary; it is reproducible
+from source.
+
+**Network access.** flux-md performs network I/O in exactly two scenarios, both
+caller-driven:
+
+- `<flux-markdown src="URL">` — the Web Component fetches the URL you supply and
+  streams the response. No URL is ever chosen by flux-md itself.
+- The wasm-bindgen glue (`wasm/flux_md_core.js`) loads the co-located `.wasm`
+  asset via `fetch(new URL("…_bg.wasm", import.meta.url))` — bundlers resolve
+  this to a local build artifact, not a remote endpoint.
+
+flux-md has no telemetry, no analytics, and no first-party remote endpoints.
+Socket will flag the `networkAccess` signal — it is accurate and expected. In
+privileged contexts (browser extensions, Electron, environments where the
+same-origin policy may not apply), treat the `src` attribute value as you would
+any external URL and allowlist it in your CSP / security policy.
+
+**Filesystem access (Node/SSR only).** `flux-md/server` reads the package's
+own `.wasm` file off disk on Node.js (Node's `fetch` cannot load `file://`
+URLs). This is a Node-only path; it reads only the package-internal asset and
+never touches caller-supplied paths. Socket will flag `filesystemAccess` — also
+accurate and expected.
+
+The `socket.yml` at the repository root documents these signals with their
+justifications for Socket's GitHub app.
+
 ## Scaling
 
 `FluxClient`s share a **worker pool** (`getDefaultPool()`), so concurrency

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "flux-md",
-  "version": "0.14.0",
+  "version": "0.15.1",
   "description": "Zero-dep streaming markdown for the browser. Rust→WASM core, Web Worker per stream, incremental parse with speculative closure.",
   "type": "module",
   "sideEffects": ["./src/worker.ts", "./src/styles.css"],

package/src/client.ts

@@ -271,6 +271,15 @@ export function getDefaultPool(): FluxPool {
   return defaultPool;
 }
 
+/** TEST-ONLY: drop the process-wide default pool so the next {@link getDefaultPool}
+ *  rebuilds it (lazily, with the current global `Worker`). Lets a test file that
+ *  drives the default pool start from a clean, deterministic state regardless of
+ *  which other file warmed it first in bun's shared test process. Not part of the
+ *  public API and a no-op for normal runtime use. */
+export function __resetDefaultPool(): void {
+  defaultPool = null;
+}
+
 // --------------------------------------------------------------------------
 // Client
 // --------------------------------------------------------------------------
@@ -514,6 +523,11 @@ export class FluxClient {
   }
 
   reset() {
+    // Only notify subscribers if there was content to clear: resetting an
+    // already-empty store leaves the view empty either way, so skip the no-op
+    // emit (which would otherwise drive every subscriber through a wasted,
+    // output-identical render pass).
+    const hadContent = this.store.snapshot.length > 0;
     this.store = emptyBlockStore();
     this.appendedBytes = 0;
     this.patchCount = 0;
@@ -527,7 +541,7 @@ export class FluxClient {
     // Same streamId + worker — the worker frees and lazily recreates the parser.
     const pw = this.ensureAcquired();
     this.pool.send(pw, { type: "reset", streamId: this.streamId });
-    this.emit();
+    if (hadContent) this.emit();
   }
 
   destroy() {

package/src/element.ts

@@ -90,6 +90,7 @@ export function defineFluxMarkdown(tag = "flux-markdown"): void {
       return this.#components;
     }
     set components(value: DomComponents | undefined) {
+      if (value === this.#components) return; // no-op re-assign: don't remount
       this.#components = value;
       if (this.#connected) this.#remount();
     }
@@ -98,6 +99,7 @@ export function defineFluxMarkdown(tag = "flux-markdown"): void {
       return this.#sanitize;
     }
     set sanitize(value: ((html: string) => string) | undefined) {
+      if (value === this.#sanitize) return; // no-op re-assign: don't remount
       this.#sanitize = value;
       if (this.#connected) this.#remount();
     }
@@ -155,10 +157,16 @@ export function defineFluxMarkdown(tag = "flux-markdown"): void {
       }
     }
 
-    attributeChangedCallback(name: string, _old: string | null, _new: string | null): void {
+    attributeChangedCallback(name: string, oldValue: string | null, newValue: string | null): void {
       // attributeChangedCallback fires before connectedCallback for attributes
       // present at upgrade; ignore until connected so config reads happen once.
       if (!this.#connected) return;
+      // setAttribute fires this on EVERY set, including setting an attribute to
+      // its current value (common when a host framework re-applies the same
+      // attrs on re-render). A no-op value change must not tear down the client
+      // and reparse the whole document — only a genuine change proceeds.
+      // (Attribute removal yields null, distinct from an empty string.)
+      if (oldValue === newValue) return;
 
       if (name === "markdown" || name === "src") {
         // One-shot content source change — only for a self-owned client. A

package/src/hi.ts

@@ -55,7 +55,7 @@ const jsPats: Pat[] = [
   ["str", /"(?:\\.|[^"\\\n])*"/y],
   ["str", /'(?:\\.|[^'\\\n])*'/y],
   ["str", /`(?:\\.|[^`\\])*`/y],
-  ["rx", /\/(?:\\.|\[(?:\\.|[^\]\\])*\]|[^/\\\n])+\/[gimsuy]*/y],
+  ["rx", /\/(?![*/])(?:\\.|[^/\\\n])+\/[gimsuy]*/y],
   ["num", /\b(?:0x[\da-fA-F_]+|0b[01_]+|0o[0-7_]+|\d[\d_]*(?:\.\d[\d_]*)?(?:[eE][+-]?\d+)?)\b/y],
   ["ident", /[A-Za-z_$][\w$]*/y],
   ["pun", /[+\-*/=<>!&|^~?:;,.[\](){}]/y],
@@ -103,7 +103,7 @@ const goPats: Pat[] = [
 
 const bashPats: Pat[] = [
   ["com", /#[^\n]*/y],
-  ["str", /"(?:\\.|\$\([^)]*\)|[^"\\])*"/y],
+  ["str", /"(?:\\.|[^"\\])*"/y],
   ["str", /'[^']*'/y],
   ["var", /\$\{[^}]+\}|\$\w+|\$[*@#?!$0-9]/y],
   ["num", /\b\d+\b/y],
@@ -187,6 +187,9 @@ function escapeHtml(s: string): string {
 }
 
 export function highlight(code: string, lang: string): string {
+  // Defense-in-depth: never tokenize a pathologically huge block on the main
+  // thread — fall back to plain escaped text.
+  if (code.length > 50_000) return escapeHtml(code);
   const conf = LANGS[lang.toLowerCase()];
   if (!conf) return escapeHtml(code);
 

package/src/html-to-react.ts

@@ -10,7 +10,10 @@ const VOID = new Set([
 // Attribute name → React prop name, for the handful that differ. Anything not
 // listed passes through verbatim (React forwards data-*/aria-* and lowercase
 // attributes unchanged).
-const ATTR_MAP: Record<string, string> = {
+// Prototype-free map so an attribute named `constructor`/`hasOwnProperty`/etc.
+// returns undefined (and the `?? name` fallback fires) rather than resolving to
+// an inherited Object.prototype member.
+const ATTR_MAP: Record<string, string> = Object.assign(Object.create(null), {
   class: "className",
   for: "htmlFor",
   colspan: "colSpan",
@@ -26,7 +29,7 @@ const ATTR_MAP: Record<string, string> = {
   crossorigin: "crossOrigin",
   enterkeyhint: "enterKeyHint",
   inputmode: "inputMode",
-};
+});
 
 // URL-bearing attributes whose value must be scheme-checked. `htmlToReact` is
 // exported and may be handed untrusted HTML directly; React happily renders a
@@ -34,6 +37,19 @@ const ATTR_MAP: Record<string, string> = {
 // defense-in-depth — the core's own output is already sanitized.
 const URL_ATTRS = new Set(["href", "src", "xlink:href", "formaction", "action", "poster", "data"]);
 
+// React-meaningful prop names that must never be forwarded from (possibly
+// untrusted) HTML attributes: `dangerouslySetInnerHTML` as a prop crashes the
+// whole render tree (DoS), and ref/key/defaultValue/etc. are injectable.
+const PROP_DENY = new Set([
+  "dangerouslysetinnerhtml", "ref", "key", "defaultvalue", "defaultchecked",
+  "suppresshydrationwarning", "suppresscontenteditablewarning",
+]);
+
+// Only forward attribute names that are a plain HTML attribute identifier
+// (so camelCase / `__proto__` / `constructor` never reach React props). The
+// explicit ATTR_MAP renames and `xlink:href` are allowed past this gate.
+const SAFE_ATTR_NAME = /^[a-z][a-z0-9-]*$/i;
+
 /** Replace a dangerous-scheme URL with "#". Mirrors the Rust `is_dangerous_scheme`:
  *  strip control chars (C0, DEL, C1 — matching Rust char::is_control),
  *  lowercase, then match. The strip affects only the probe, never output. */
@@ -42,8 +58,10 @@ function safeUrl(value: string): string {
   // reaches the DOM, so peel layers to a fixpoint before the scheme check —
   // catches `javascript&#58;` and double-encoded `javascript&amp;#58;`. Only the
   // probe is decoded; the returned value is untouched (safe URLs stay verbatim).
+  // Cap at 8 iterations: far beyond any legit URL (browsers entity-decode an
+  // href once), and bounds the loop so a hostile value can't make it quadratic.
   let decoded = value;
-  for (let prev = ""; decoded !== prev; ) {
+  for (let i = 0, prev = ""; i < 8 && decoded !== prev; i++) {
     prev = decoded;
     decoded = decodeEntities(decoded);
   }
@@ -110,6 +128,27 @@ export function parseStyle(css: string): Record<string, string> {
   return out;
 }
 
+// CSS values that beacon/exfiltrate (`url(`), execute (legacy `expression(`,
+// `-moz-binding`, `behavior:`), or pull external resources (`@import`,
+// `image-set(`). Defense-in-depth: the core sanitizer already drops `style`, but
+// `htmlToReact` is exported and may be handed untrusted HTML directly.
+const DANGEROUS_CSS_VALUE = /url\(|expression\(|image-set\(|-moz-binding|@import|behavior\s*:/i;
+
+/** Strip CSS declarations that can beacon/exfiltrate, execute, or overlay the
+ *  viewport (`position: fixed/sticky` → clickjacking). Safe declarations
+ *  (`text-align`, `color`, …) — including flux's own table-alignment style —
+ *  pass through untouched. */
+function safeStyle(style: Record<string, string>): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const k in style) {
+    const v = style[k];
+    if (DANGEROUS_CSS_VALUE.test(v)) continue;
+    if (k.toLowerCase() === "position" && /\b(?:fixed|sticky)\b/i.test(v)) continue;
+    out[k] = v;
+  }
+  return out;
+}
+
 /** Parse one opening tag starting at `start` (the `<`). */
 function parseOpenTag(html: string, start: number) {
   let i = start + 1;
@@ -244,8 +283,11 @@ function attrsToProps(tag: string, attrs: Record<string, string | true>, key: st
     // React drops most lowercase `on*` attrs — this also covers casings and
     // future React behavior.
     if (lower.startsWith("on")) continue;
+    // Reject React-meaningful names that would crash the render tree or inject
+    // internals (dangerouslySetInnerHTML, ref, key, defaultValue, …).
+    if (PROP_DENY.has(lower)) continue;
     if (lower === "style" && typeof value === "string") {
-      props.style = parseStyle(value);
+      props.style = safeStyle(parseStyle(value));
       continue;
     }
     // Neutralize dangerous-scheme URLs (javascript:, vbscript:, data:text/html).
@@ -259,6 +301,10 @@ function attrsToProps(tag: string, attrs: Record<string, string | true>, key: st
       props.defaultChecked = value === true ? true : value;
       continue;
     }
+    // Restrict forwarded ORIGINAL names to a plain HTML attribute identifier
+    // (plus the ATTR_MAP renames and xlink:href handled above) so weird casings
+    // / `__proto__` / `constructor` can never become a React prop.
+    if (!(lower in ATTR_MAP) && !SAFE_ATTR_NAME.test(name)) continue;
     props[ATTR_MAP[lower] ?? name] = value;
   }
   return props;

package/src/react.tsx

@@ -100,6 +100,10 @@ interface FluxMarkdownProps {
    * `unsafeHtml` on. flux-md stays zero-dep — you bring the sanitizer. The
    * built-in code/math renderers operate on already-escaped content and are not
    * run through it. When omitted, rendering is byte-identical and zero-cost.
+   *
+   * **Memoize / hoist this** (same trap as `components`): a fresh closure each
+   * render busts the per-block memo, so every block re-sanitizes and re-parses
+   * on every patch instead of only the streaming tail.
    */
   sanitize?: (html: string) => string;
   /** Appended to the root's `className` (the `flux-md` class is always present). */
@@ -362,14 +366,40 @@ export function blockKindProps(block: Block, components?: Components): BlockComp
   return props;
 }
 
-const REACT_ATTR_NAME: Record<string, string> = { class: "className", for: "htmlFor" };
+// Prototype-free so a key like `constructor`/`hasOwnProperty` returns undefined
+// (and the `?? k` fallback fires) instead of an inherited Object.prototype member.
+const REACT_ATTR_NAME: Record<string, string> = Object.assign(Object.create(null), {
+  class: "className",
+  for: "htmlFor",
+});
+
+// React-meaningful prop names that must never survive into a user override's
+// attrs object (dangerouslySetInnerHTML crashes the render tree; ref/key/etc.
+// inject internals). Mirrors html-to-react's PROP_DENY.
+const ATTR_DENY = new Set([
+  "dangerouslysetinnerhtml", "ref", "key", "defaultvalue", "defaultchecked",
+  "suppresshydrationwarning", "suppresscontenteditablewarning",
+]);
+
+// Forward only plain HTML attribute identifiers (the REACT_ATTR_NAME renames
+// pass too), so weird casings / `__proto__` / `constructor` never reach a prop.
+const SAFE_ATTR_NAME = /^[a-z][a-z0-9-]*$/i;
 
 /** Convert sanitized HTML attribute pairs into a React-spreadable object,
  *  renaming the two names React requires (`class`→`className`, `for`→`htmlFor`).
- *  Other names (including `data-*` / `aria-*`) pass through unchanged. */
+ *  Other names (including `data-*` / `aria-*`) pass through unchanged. Drops
+ *  inline event handlers and React-meaningful/unsafe names as defense-in-depth
+ *  (the Rust `sanitize_attrs` is the primary gate; this keeps the React layer
+ *  safe on its own when attrs are handed to user override components). */
 function reactAttrs(pairs: [string, string][]): Record<string, string> {
   const out: Record<string, string> = {};
-  for (const [k, v] of pairs) out[REACT_ATTR_NAME[k] ?? k] = v;
+  for (const [k, v] of pairs) {
+    const lower = k.toLowerCase();
+    if (lower.startsWith("on")) continue;
+    if (ATTR_DENY.has(lower)) continue;
+    if (!(lower in REACT_ATTR_NAME) && !SAFE_ATTR_NAME.test(k)) continue;
+    out[REACT_ATTR_NAME[lower] ?? k] = v;
+  }
   return out;
 }
 

package/src/server.tsx

@@ -58,11 +58,11 @@ export function initFlux(opts?: { wasm?: BufferSource | WebAssembly.Module }): P
     initPromise = (async () => {
       const wasmUrl = new URL("./wasm/flux_md_core_bg.wasm", import.meta.url);
       if (wasmUrl.protocol === "file:") {
-        // Node: read the bytes (Node's fetch can't load file://). A non-literal
-        // specifier keeps `node:fs` out of web bundles and off tsc's module graph
-        // (no @types/node needed to compile this source).
-        const nodeFs = "node:fs/promises";
-        const { readFile } = await import(nodeFs);
+        // Node: read the bytes (Node's fetch can't load file://). The literal
+        // `node:` specifier is externalized by bundlers, so node:fs never reaches
+        // a web bundle (this branch is also file:-only, never true in browsers).
+        // @ts-ignore — no @types/node in this package; node:fs/promises is a builtin.
+        const { readFile } = await import("node:fs/promises");
         initFluxSync(await readFile(wasmUrl));
       } else {
         await initWasmAsync({ module_or_path: wasmUrl });
@@ -87,6 +87,12 @@ function makeParser(config?: ParserConfig): FluxParser {
   p.setUnsafeHtml(config?.unsafeHtml ?? false);
   p.setComponentTags(config?.componentTags ?? []);
   p.setInlineComponentTags(config?.inlineComponentTags ?? []);
+  // Engage the safe raw-HTML sanitizer when either list is provided (even []).
+  p.setHtmlSanitize(
+    config?.htmlAllowlist !== undefined || config?.dropHtmlTags !== undefined,
+    config?.htmlAllowlist ?? [],
+    config?.dropHtmlTags ?? [],
+  );
   p.setBlockData(config?.blockData ?? false);
   return p;
 }

package/src/types-core.ts

@@ -261,6 +261,26 @@ export interface ParserConfig {
    * `componentTags`. Empty/omitted = off.
    */
   inlineComponentTags?: string[];
+  /**
+   * Opt-in **safe raw-HTML allowlist**. Setting this (even to `[]`) engages a
+   * sanitizer that renders a safe subset of *inline* raw HTML **without**
+   * `unsafeHtml`: an **empty** array means "allow all tags except a built-in
+   * dangerous set" (`script`, `style`, `iframe`, `object`, `embed`, `form`,
+   * `input`, `svg`, …); a **non-empty** array renders only those tags (e.g.
+   * `["br","sub","sup"]`) and escapes the rest. Every rendered tag's attributes
+   * are sanitized (event handlers dropped, dangerous URL schemes → `#`), and HTML
+   * comments are dropped. Block-level raw HTML stays escaped (sanitize is
+   * inline-scoped for now). Unset/omitted = off (raw HTML handling unchanged).
+   * Matching is case-insensitive. See also {@link dropHtmlTags}.
+   */
+  htmlAllowlist?: string[];
+  /**
+   * Tags removed entirely (markup dropped; any text between an open/close pair
+   * stays as inert text) — e.g. app marker tags, or belt-and-suspenders
+   * `["script","style"]`. Setting this (even to `[]`) also engages the safe
+   * raw-HTML sanitizer (see {@link htmlAllowlist}). Case-insensitive.
+   */
+  dropHtmlTags?: string[];
   /**
    * Opt-in structured table data. When on, a `Table` block's `kind.data` is
    * populated with `{ headers, rows, aligns }` (each cell `{ text, html }`) so a

package/src/wasm/flux_md_core.d.ts

@@ -71,6 +71,15 @@ export class FluxParser {
      * `<div class="math math-display">` for a KaTeX pass on the JS side.
      */
     setGfmMath(on: boolean): void;
+    /**
+     * Engage the safe raw-HTML sanitizer. When `on`, inline raw HTML renders
+     * sanitized without full unsafe HTML: `allow` empty = allow all tags except
+     * a built-in dangerous set (`script`, `style`, `iframe`, …); `allow`
+     * non-empty = only those render (others escaped); `drop` tags are removed
+     * entirely; HTML comments are dropped; every rendered tag's attributes are
+     * sanitized. Off by default (raw-HTML handling unchanged).
+     */
+    setHtmlSanitize(on: boolean, allow: string[], drop: string[]): void;
     /**
      * Set the opt-in INLINE component-tag allowlist (e.g. `["tik", "cite"]`).
      * An allowlisted inline `<tik>…</tik>` (or self-closing `<tik/>`) renders as
@@ -105,6 +114,7 @@ export interface InitOutput {
     readonly fluxparser_setGfmAutolinks: (a: number, b: number) => void;
     readonly fluxparser_setGfmFootnotes: (a: number, b: number) => void;
     readonly fluxparser_setGfmMath: (a: number, b: number) => void;
+    readonly fluxparser_setHtmlSanitize: (a: number, b: number, c: number, d: number, e: number, f: number) => void;
     readonly fluxparser_setInlineComponentTags: (a: number, b: number, c: number) => void;
     readonly fluxparser_setUnsafeHtml: (a: number, b: number) => void;
     readonly __wbindgen_export: (a: number, b: number) => number;

package/src/wasm/flux_md_core.js

@@ -171,6 +171,24 @@ export class FluxParser {
     setGfmMath(on) {
         wasm.fluxparser_setGfmMath(this.__wbg_ptr, on);
     }
+    /**
+     * Engage the safe raw-HTML sanitizer. When `on`, inline raw HTML renders
+     * sanitized without full unsafe HTML: `allow` empty = allow all tags except
+     * a built-in dangerous set (`script`, `style`, `iframe`, …); `allow`
+     * non-empty = only those render (others escaped); `drop` tags are removed
+     * entirely; HTML comments are dropped; every rendered tag's attributes are
+     * sanitized. Off by default (raw-HTML handling unchanged).
+     * @param {boolean} on
+     * @param {string[]} allow
+     * @param {string[]} drop
+     */
+    setHtmlSanitize(on, allow, drop) {
+        const ptr0 = passArrayJsValueToWasm0(allow, wasm.__wbindgen_export);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArrayJsValueToWasm0(drop, wasm.__wbindgen_export);
+        const len1 = WASM_VECTOR_LEN;
+        wasm.fluxparser_setHtmlSanitize(this.__wbg_ptr, on, ptr0, len0, ptr1, len1);
+    }
     /**
      * Set the opt-in INLINE component-tag allowlist (e.g. `["tik", "cite"]`).
      * An allowlisted inline `<tik>…</tik>` (or self-closing `<tik/>`) renders as

package/src/wasm/flux_md_core_bg.wasm.d.ts

@@ -16,6 +16,7 @@ export const fluxparser_setGfmAlerts: (a: number, b: number) => void;
 export const fluxparser_setGfmAutolinks: (a: number, b: number) => void;
 export const fluxparser_setGfmFootnotes: (a: number, b: number) => void;
 export const fluxparser_setGfmMath: (a: number, b: number) => void;
+export const fluxparser_setHtmlSanitize: (a: number, b: number, c: number, d: number, e: number, f: number) => void;
 export const fluxparser_setInlineComponentTags: (a: number, b: number, c: number) => void;
 export const fluxparser_setUnsafeHtml: (a: number, b: number) => void;
 export const __wbindgen_export: (a: number, b: number) => number;

package/src/wasm/package.json

@@ -2,7 +2,7 @@
   "name": "flux-md-core",
   "type": "module",
   "description": "Incremental, streaming-aware markdown parser with speculative closure",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "license": "MIT",
   "files": [
     "flux_md_core_bg.wasm",

package/src/worker.ts

@@ -31,6 +31,12 @@ const core = new WorkerCore({
     p.setUnsafeHtml(c?.unsafeHtml ?? false);
     p.setComponentTags(c?.componentTags ?? []);
     p.setInlineComponentTags(c?.inlineComponentTags ?? []);
+    // Engage the safe raw-HTML sanitizer when either list is provided (even []).
+    p.setHtmlSanitize(
+      c?.htmlAllowlist !== undefined || c?.dropHtmlTags !== undefined,
+      c?.htmlAllowlist ?? [],
+      c?.dropHtmlTags ?? [],
+    );
     p.setBlockData(c?.blockData ?? false);
     return p;
   },