flux-md 0.15.0 → 0.15.1

package/CHANGELOG.md

@@ -4,6 +4,71 @@ Notable changes to flux-md. Format based on
 [Keep a Changelog](https://keepachangelog.com/); this project aims to follow
 [Semantic Versioning](https://semver.org/).
 
+## 0.15.1 — 2026-06-22
+
+### Security
+
+- **XSS — dangerous-scheme autolinks are neutralized.** A CommonMark URI autolink
+  (`<javascript:alert(1)>`, `<vbscript:…>`, `<file:…>`) previously emitted a live
+  `href`, because autolinks bypassed the scheme allowlist that regular links go
+  through. They now route through the same decode-stable dangerous-scheme filter:
+  the `href` becomes `#` while the visible link text is unchanged. `file:` is now
+  blocked everywhere (links, autolinks, URL attributes) — it has no legitimate use
+  in rendered untrusted markdown and is a local-resource / phishing vector in
+  privileged contexts (Electron, extensions, `file://` origins).
+- **Component-tag / `htmlToReact` attribute hardening.** Sanitized attributes now
+  also drop React-meaningful names (`dangerouslySetInnerHTML`, `ref`, `key`,
+  `defaultValue`, `defaultChecked`, `suppressHydrationWarning`, …) so a hostile
+  attribute can't crash the render tree or smuggle in a prop. Attribute→prop
+  lookup maps are prototype-free (`Object.create(null)`), and only HTML / `data-`
+  / `aria-` attribute names are forwarded to React.
+
+### Fixed
+
+- **ReDoS / quadratic blow-ups on untrusted input.**
+  - Highlighter (`hi.ts`): the JS/TS regex-literal and bash double-quoted-string
+    patterns could backtrack quadratically on crafted code blocks; both rewritten
+    to linear forms, plus a 50 KB per-block size guard.
+  - URL scheme check: the decode-to-fixpoint loop (Rust `is_dangerous_scheme` and
+    JS `safeUrl`) is capped at 8 passes — still catches multi-encoded
+    `javascript&amp;amp;#58;` payloads, no longer O(n²) on `&amp;`-spam.
+  - Inline parser: nested / unbalanced link-bracket scanning is bounded
+    (depth + length caps); GFM extended-autolink trailing-paren trimming is now
+    linear instead of recounting the span each iteration.
+
+### Changed
+
+- **`flux-md/server` uses a literal `import("node:fs/promises")`** instead of a
+  variable specifier, resolving the `dynamicRequire` supply-chain signal. Behavior
+  is unchanged — still a Node-only, `file:`-guarded branch.
+- Added a **`## Security`** / supply-chain-transparency section to the README and a
+  documented **`socket.yml`** covering the inherent `nativeCode` / `networkAccess`
+  / `filesystemAccess` signals (the WebAssembly core and the opt-in
+  `<flux-markdown src>` fetch).
+
+### Performance
+
+- **No redundant re-renders / rebuilds on no-op updates.**
+  - `<flux-markdown>` ignores a `setAttribute` whose value didn't change (a host
+    framework re-applying identical attributes no longer tears down the self-owned
+    client and reparses the whole document), and the `components` / `sanitize`
+    property setters skip the remount when assigned the same identity.
+  - `FluxClient.reset()` no longer notifies subscribers when the store was already
+    empty — skips a wasted, output-identical render pass.
+  - Documented that `sanitize` (like `components`) should be memoized/hoisted in
+    React, so a fresh closure each render doesn't bust the per-block memo.
+- Added render-count / node-reuse / no-remount regression tests across the React,
+  DOM, store, custom-element, and Vue bindings, locking in that committed blocks
+  never re-render or rebuild as the stream grows (only the streaming tail does).
+
+### Known limitations
+
+- Streaming a single very large **unclosed** block (a multi-megabyte indented code
+  block, open HTML block, or footnote-disarmed list delivered across many chunks)
+  is still O(n²) in the uncommitted-tail length. A bounded incremental cache for
+  these resumable containers is tracked as follow-up; finalized / closed blocks and
+  all other inputs are unaffected.
+
 ## 0.15.0 — 2026-06-17
 
 ### Added

package/README.md

@@ -995,6 +995,43 @@ genuinely hostile content where CSS-overlay/clickjacking matters, render inside
 a sandboxed `<iframe>` instead — sanitization stops injection, not every
 visual-overlay trick.
 
+### Supply-chain transparency
+
+flux-md is **zero runtime dependency** — no third-party packages are pulled in
+at runtime. The parsing core is Rust compiled to WebAssembly, reproducibly
+buildable from `crates/flux-md-core/` via `bun run build:wasm`.
+
+**Native code (WebAssembly).** The shipped `flux_md_core_bg.wasm` (~200 KB) is
+first-party, built from the Rust source in this repo, and runs inside a sandboxed
+Web Worker (browser) or Node worker thread. Supply-chain scanners such as
+[Socket.dev](https://socket.dev) will flag it as `nativeCode` — this is accurate
+and expected. The WASM is not a vendored third-party binary; it is reproducible
+from source.
+
+**Network access.** flux-md performs network I/O in exactly two scenarios, both
+caller-driven:
+
+- `<flux-markdown src="URL">` — the Web Component fetches the URL you supply and
+  streams the response. No URL is ever chosen by flux-md itself.
+- The wasm-bindgen glue (`wasm/flux_md_core.js`) loads the co-located `.wasm`
+  asset via `fetch(new URL("…_bg.wasm", import.meta.url))` — bundlers resolve
+  this to a local build artifact, not a remote endpoint.
+
+flux-md has no telemetry, no analytics, and no first-party remote endpoints.
+Socket will flag the `networkAccess` signal — it is accurate and expected. In
+privileged contexts (browser extensions, Electron, environments where the
+same-origin policy may not apply), treat the `src` attribute value as you would
+any external URL and allowlist it in your CSP / security policy.
+
+**Filesystem access (Node/SSR only).** `flux-md/server` reads the package's
+own `.wasm` file off disk on Node.js (Node's `fetch` cannot load `file://`
+URLs). This is a Node-only path; it reads only the package-internal asset and
+never touches caller-supplied paths. Socket will flag `filesystemAccess` — also
+accurate and expected.
+
+The `socket.yml` at the repository root documents these signals with their
+justifications for Socket's GitHub app.
+
 ## Scaling
 
 `FluxClient`s share a **worker pool** (`getDefaultPool()`), so concurrency

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "flux-md",
-  "version": "0.15.0",
+  "version": "0.15.1",
   "description": "Zero-dep streaming markdown for the browser. Rust→WASM core, Web Worker per stream, incremental parse with speculative closure.",
   "type": "module",
   "sideEffects": ["./src/worker.ts", "./src/styles.css"],

package/src/client.ts

@@ -271,6 +271,15 @@ export function getDefaultPool(): FluxPool {
   return defaultPool;
 }
 
+/** TEST-ONLY: drop the process-wide default pool so the next {@link getDefaultPool}
+ *  rebuilds it (lazily, with the current global `Worker`). Lets a test file that
+ *  drives the default pool start from a clean, deterministic state regardless of
+ *  which other file warmed it first in bun's shared test process. Not part of the
+ *  public API and a no-op for normal runtime use. */
+export function __resetDefaultPool(): void {
+  defaultPool = null;
+}
+
 // --------------------------------------------------------------------------
 // Client
 // --------------------------------------------------------------------------
@@ -514,6 +523,11 @@ export class FluxClient {
   }
 
   reset() {
+    // Only notify subscribers if there was content to clear: resetting an
+    // already-empty store leaves the view empty either way, so skip the no-op
+    // emit (which would otherwise drive every subscriber through a wasted,
+    // output-identical render pass).
+    const hadContent = this.store.snapshot.length > 0;
     this.store = emptyBlockStore();
     this.appendedBytes = 0;
     this.patchCount = 0;
@@ -527,7 +541,7 @@ export class FluxClient {
     // Same streamId + worker — the worker frees and lazily recreates the parser.
     const pw = this.ensureAcquired();
     this.pool.send(pw, { type: "reset", streamId: this.streamId });
-    this.emit();
+    if (hadContent) this.emit();
   }
 
   destroy() {

package/src/element.ts

@@ -90,6 +90,7 @@ export function defineFluxMarkdown(tag = "flux-markdown"): void {
       return this.#components;
     }
     set components(value: DomComponents | undefined) {
+      if (value === this.#components) return; // no-op re-assign: don't remount
       this.#components = value;
       if (this.#connected) this.#remount();
     }
@@ -98,6 +99,7 @@ export function defineFluxMarkdown(tag = "flux-markdown"): void {
       return this.#sanitize;
     }
     set sanitize(value: ((html: string) => string) | undefined) {
+      if (value === this.#sanitize) return; // no-op re-assign: don't remount
       this.#sanitize = value;
       if (this.#connected) this.#remount();
     }
@@ -155,10 +157,16 @@ export function defineFluxMarkdown(tag = "flux-markdown"): void {
       }
     }
 
-    attributeChangedCallback(name: string, _old: string | null, _new: string | null): void {
+    attributeChangedCallback(name: string, oldValue: string | null, newValue: string | null): void {
       // attributeChangedCallback fires before connectedCallback for attributes
       // present at upgrade; ignore until connected so config reads happen once.
       if (!this.#connected) return;
+      // setAttribute fires this on EVERY set, including setting an attribute to
+      // its current value (common when a host framework re-applies the same
+      // attrs on re-render). A no-op value change must not tear down the client
+      // and reparse the whole document — only a genuine change proceeds.
+      // (Attribute removal yields null, distinct from an empty string.)
+      if (oldValue === newValue) return;
 
       if (name === "markdown" || name === "src") {
         // One-shot content source change — only for a self-owned client. A

package/src/hi.ts

@@ -55,7 +55,7 @@ const jsPats: Pat[] = [
   ["str", /"(?:\\.|[^"\\\n])*"/y],
   ["str", /'(?:\\.|[^'\\\n])*'/y],
   ["str", /`(?:\\.|[^`\\])*`/y],
-  ["rx", /\/(?:\\.|\[(?:\\.|[^\]\\])*\]|[^/\\\n])+\/[gimsuy]*/y],
+  ["rx", /\/(?![*/])(?:\\.|[^/\\\n])+\/[gimsuy]*/y],
   ["num", /\b(?:0x[\da-fA-F_]+|0b[01_]+|0o[0-7_]+|\d[\d_]*(?:\.\d[\d_]*)?(?:[eE][+-]?\d+)?)\b/y],
   ["ident", /[A-Za-z_$][\w$]*/y],
   ["pun", /[+\-*/=<>!&|^~?:;,.[\](){}]/y],
@@ -103,7 +103,7 @@ const goPats: Pat[] = [
 
 const bashPats: Pat[] = [
   ["com", /#[^\n]*/y],
-  ["str", /"(?:\\.|\$\([^)]*\)|[^"\\])*"/y],
+  ["str", /"(?:\\.|[^"\\])*"/y],
   ["str", /'[^']*'/y],
   ["var", /\$\{[^}]+\}|\$\w+|\$[*@#?!$0-9]/y],
   ["num", /\b\d+\b/y],
@@ -187,6 +187,9 @@ function escapeHtml(s: string): string {
 }
 
 export function highlight(code: string, lang: string): string {
+  // Defense-in-depth: never tokenize a pathologically huge block on the main
+  // thread — fall back to plain escaped text.
+  if (code.length > 50_000) return escapeHtml(code);
   const conf = LANGS[lang.toLowerCase()];
   if (!conf) return escapeHtml(code);
 

package/src/html-to-react.ts

@@ -10,7 +10,10 @@ const VOID = new Set([
 // Attribute name → React prop name, for the handful that differ. Anything not
 // listed passes through verbatim (React forwards data-*/aria-* and lowercase
 // attributes unchanged).
-const ATTR_MAP: Record<string, string> = {
+// Prototype-free map so an attribute named `constructor`/`hasOwnProperty`/etc.
+// returns undefined (and the `?? name` fallback fires) rather than resolving to
+// an inherited Object.prototype member.
+const ATTR_MAP: Record<string, string> = Object.assign(Object.create(null), {
   class: "className",
   for: "htmlFor",
   colspan: "colSpan",
@@ -26,7 +29,7 @@ const ATTR_MAP: Record<string, string> = {
   crossorigin: "crossOrigin",
   enterkeyhint: "enterKeyHint",
   inputmode: "inputMode",
-};
+});
 
 // URL-bearing attributes whose value must be scheme-checked. `htmlToReact` is
 // exported and may be handed untrusted HTML directly; React happily renders a
@@ -34,6 +37,19 @@ const ATTR_MAP: Record<string, string> = {
 // defense-in-depth — the core's own output is already sanitized.
 const URL_ATTRS = new Set(["href", "src", "xlink:href", "formaction", "action", "poster", "data"]);
 
+// React-meaningful prop names that must never be forwarded from (possibly
+// untrusted) HTML attributes: `dangerouslySetInnerHTML` as a prop crashes the
+// whole render tree (DoS), and ref/key/defaultValue/etc. are injectable.
+const PROP_DENY = new Set([
+  "dangerouslysetinnerhtml", "ref", "key", "defaultvalue", "defaultchecked",
+  "suppresshydrationwarning", "suppresscontenteditablewarning",
+]);
+
+// Only forward attribute names that are a plain HTML attribute identifier
+// (so camelCase / `__proto__` / `constructor` never reach React props). The
+// explicit ATTR_MAP renames and `xlink:href` are allowed past this gate.
+const SAFE_ATTR_NAME = /^[a-z][a-z0-9-]*$/i;
+
 /** Replace a dangerous-scheme URL with "#". Mirrors the Rust `is_dangerous_scheme`:
  *  strip control chars (C0, DEL, C1 — matching Rust char::is_control),
  *  lowercase, then match. The strip affects only the probe, never output. */
@@ -42,8 +58,10 @@ function safeUrl(value: string): string {
   // reaches the DOM, so peel layers to a fixpoint before the scheme check —
   // catches `javascript&#58;` and double-encoded `javascript&amp;#58;`. Only the
   // probe is decoded; the returned value is untouched (safe URLs stay verbatim).
+  // Cap at 8 iterations: far beyond any legit URL (browsers entity-decode an
+  // href once), and bounds the loop so a hostile value can't make it quadratic.
   let decoded = value;
-  for (let prev = ""; decoded !== prev; ) {
+  for (let i = 0, prev = ""; i < 8 && decoded !== prev; i++) {
     prev = decoded;
     decoded = decodeEntities(decoded);
   }
@@ -265,6 +283,9 @@ function attrsToProps(tag: string, attrs: Record<string, string | true>, key: st
     // React drops most lowercase `on*` attrs — this also covers casings and
     // future React behavior.
     if (lower.startsWith("on")) continue;
+    // Reject React-meaningful names that would crash the render tree or inject
+    // internals (dangerouslySetInnerHTML, ref, key, defaultValue, …).
+    if (PROP_DENY.has(lower)) continue;
     if (lower === "style" && typeof value === "string") {
       props.style = safeStyle(parseStyle(value));
       continue;
@@ -280,6 +301,10 @@ function attrsToProps(tag: string, attrs: Record<string, string | true>, key: st
       props.defaultChecked = value === true ? true : value;
       continue;
     }
+    // Restrict forwarded ORIGINAL names to a plain HTML attribute identifier
+    // (plus the ATTR_MAP renames and xlink:href handled above) so weird casings
+    // / `__proto__` / `constructor` can never become a React prop.
+    if (!(lower in ATTR_MAP) && !SAFE_ATTR_NAME.test(name)) continue;
     props[ATTR_MAP[lower] ?? name] = value;
   }
   return props;

package/src/react.tsx

@@ -100,6 +100,10 @@ interface FluxMarkdownProps {
    * `unsafeHtml` on. flux-md stays zero-dep — you bring the sanitizer. The
    * built-in code/math renderers operate on already-escaped content and are not
    * run through it. When omitted, rendering is byte-identical and zero-cost.
+   *
+   * **Memoize / hoist this** (same trap as `components`): a fresh closure each
+   * render busts the per-block memo, so every block re-sanitizes and re-parses
+   * on every patch instead of only the streaming tail.
    */
   sanitize?: (html: string) => string;
   /** Appended to the root's `className` (the `flux-md` class is always present). */
@@ -362,14 +366,40 @@ export function blockKindProps(block: Block, components?: Components): BlockComp
   return props;
 }
 
-const REACT_ATTR_NAME: Record<string, string> = { class: "className", for: "htmlFor" };
+// Prototype-free so a key like `constructor`/`hasOwnProperty` returns undefined
+// (and the `?? k` fallback fires) instead of an inherited Object.prototype member.
+const REACT_ATTR_NAME: Record<string, string> = Object.assign(Object.create(null), {
+  class: "className",
+  for: "htmlFor",
+});
+
+// React-meaningful prop names that must never survive into a user override's
+// attrs object (dangerouslySetInnerHTML crashes the render tree; ref/key/etc.
+// inject internals). Mirrors html-to-react's PROP_DENY.
+const ATTR_DENY = new Set([
+  "dangerouslysetinnerhtml", "ref", "key", "defaultvalue", "defaultchecked",
+  "suppresshydrationwarning", "suppresscontenteditablewarning",
+]);
+
+// Forward only plain HTML attribute identifiers (the REACT_ATTR_NAME renames
+// pass too), so weird casings / `__proto__` / `constructor` never reach a prop.
+const SAFE_ATTR_NAME = /^[a-z][a-z0-9-]*$/i;
 
 /** Convert sanitized HTML attribute pairs into a React-spreadable object,
  *  renaming the two names React requires (`class`→`className`, `for`→`htmlFor`).
- *  Other names (including `data-*` / `aria-*`) pass through unchanged. */
+ *  Other names (including `data-*` / `aria-*`) pass through unchanged. Drops
+ *  inline event handlers and React-meaningful/unsafe names as defense-in-depth
+ *  (the Rust `sanitize_attrs` is the primary gate; this keeps the React layer
+ *  safe on its own when attrs are handed to user override components). */
 function reactAttrs(pairs: [string, string][]): Record<string, string> {
   const out: Record<string, string> = {};
-  for (const [k, v] of pairs) out[REACT_ATTR_NAME[k] ?? k] = v;
+  for (const [k, v] of pairs) {
+    const lower = k.toLowerCase();
+    if (lower.startsWith("on")) continue;
+    if (ATTR_DENY.has(lower)) continue;
+    if (!(lower in REACT_ATTR_NAME) && !SAFE_ATTR_NAME.test(k)) continue;
+    out[REACT_ATTR_NAME[lower] ?? k] = v;
+  }
   return out;
 }
 

package/src/server.tsx

@@ -58,11 +58,11 @@ export function initFlux(opts?: { wasm?: BufferSource | WebAssembly.Module }): P
     initPromise = (async () => {
       const wasmUrl = new URL("./wasm/flux_md_core_bg.wasm", import.meta.url);
       if (wasmUrl.protocol === "file:") {
-        // Node: read the bytes (Node's fetch can't load file://). A non-literal
-        // specifier keeps `node:fs` out of web bundles and off tsc's module graph
-        // (no @types/node needed to compile this source).
-        const nodeFs = "node:fs/promises";
-        const { readFile } = await import(nodeFs);
+        // Node: read the bytes (Node's fetch can't load file://). The literal
+        // `node:` specifier is externalized by bundlers, so node:fs never reaches
+        // a web bundle (this branch is also file:-only, never true in browsers).
+        // @ts-ignore — no @types/node in this package; node:fs/promises is a builtin.
+        const { readFile } = await import("node:fs/promises");
         initFluxSync(await readFile(wasmUrl));
       } else {
         await initWasmAsync({ module_or_path: wasmUrl });