npm - jspdf-md-renderer - Versions diffs - 4.0.0 → 4.1.0 - Mend

jspdf-md-renderer 4.0.0 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -27,6 +27,94 @@
 import jsPDF, { jsPDFOptions } from "jspdf";
 import { UserOptions } from "jspdf-autotable";
+//#region src/types/security.d.ts
+type ViolationMode = 'skip' | 'throw' | 'placeholder';
+type ViolationAction = 'skip' | 'placeholder';
+type SecurityViolationType = 'link' | 'image' | 'markdown' | 'render';
+type SecurityViolationCode = 'MARKDOWN_TOO_LARGE' | 'MAX_NESTED_DEPTH_EXCEEDED' | 'MAX_IMAGE_COUNT_EXCEEDED' | 'RENDER_TIMEOUT_EXCEEDED' | 'INVALID_URL' | 'LINK_PROTOCOL_BLOCKED' | 'IMAGE_PROTOCOL_BLOCKED' | 'IMAGE_DOMAIN_BLOCKED' | 'DATA_URL_BLOCKED' | 'SVG_BLOCKED' | 'LOCALHOST_BLOCKED' | 'PRIVATE_IP_BLOCKED' | 'LINK_LOCAL_IP_BLOCKED' | 'METADATA_IP_BLOCKED' | 'IMAGE_SIZE_EXCEEDED' | 'CUSTOM_VALIDATOR_BLOCKED';
+interface SecurityViolation {
+  /** Machine-readable violation code. */
+  code: SecurityViolationCode;
+  /** High-level category of the violating input. */
+  type: SecurityViolationType;
+  /** Human-readable explanation of the violation. */
+  message: string;
+  /** Raw value that triggered the violation (URL, length, etc.). */
+  value?: string;
+  /** Optional execution context to help debugging (e.g. 'markdown-link'). */
+  context?: string;
+  /** ISO timestamp when the violation was recorded. */
+  timestamp: string;
+}
+declare class SecurityViolationError extends Error {
+  /** Structured violation payload used to construct this error. */
+  readonly violation: SecurityViolation;
+  constructor(violation: SecurityViolation);
+}
+interface RenderSecurityOptions {
+  /** Enables all built-in security checks. Default: false (opt-in). */
+  enabled?: boolean;
+  /** Allowed URI protocols for markdown links. Example: ['https:', 'mailto:']. */
+  allowedLinkProtocols?: string[];
+  /** If true, link text is rendered but PDF link actions are disabled. */
+  disablePdfLinks?: boolean;
+  /** Whether remote image fetching is allowed (http/https). */
+  allowRemoteImages?: boolean;
+  /** Allowed protocols for image URLs. Example: ['https:', 'http:']. */
+  allowedImageProtocols?: string[];
+  /**
+   * Optional domain allowlist for remote image hosts.
+   * - `undefined` (default): all domains are allowed.
+   * - `[]` (empty array): no domains are allowed.
+   * - `['example.com']`: only `example.com` and its subdomains are allowed.
+   */
+  allowedImageDomains?: string[];
+  /** Whether inline data: image URLs are allowed. */
+  allowDataUrls?: boolean;
+  /** Whether SVG images are allowed. */
+  allowSvgImages?: boolean;
+  /** Blocks localhost image/link destinations when true. */
+  blockLocalhost?: boolean;
+  /**
+   * Blocks private IPv4 ranges (10/8, 172.16/12, 192.168/16) when true.
+   * NOTE: In browser environments, IP-based checks cannot be enforced due to
+   * lack of DNS resolution APIs. Use a trusted server-side proxy for strict enforcement.
+   */
+  blockPrivateIPs?: boolean;
+  /**
+   * Blocks link-local IPv4 ranges (169.254/16) when true.
+   * NOTE: In browser environments, IP-based checks cannot be enforced due to
+   * lack of DNS resolution APIs. Use a trusted server-side proxy for strict enforcement.
+   */
+  blockLinkLocalIPs?: boolean;
+  /**
+   * Blocks known cloud metadata endpoints when true.
+   * NOTE: In browser environments, IP-based checks cannot be enforced due to
+   * lack of DNS resolution APIs. Use a trusted server-side proxy for strict enforcement.
+   */
+  blockMetadataIPs?: boolean;
+  /** Maximum markdown input length in characters. */
+  maxMarkdownLength?: number;
+  /** Maximum number of markdown images allowed per render. */
+  maxImageCount?: number;
+  /** Maximum image payload size in bytes (fetched blob size or decoded data URL bytes). */
+  maxImageSizeBytes?: number;
+  /** Maximum supported markdown nesting depth. */
+  maxNestedDepth?: number;
+  /** Maximum total render time in milliseconds. */
+  renderTimeoutMs?: number;
+  /** Action taken when a violation occurs. */
+  violationMode?: ViolationMode;
+  /** Placeholder text used for blocked text-like content in placeholder mode. */
+  placeholderText?: string;
+  /** Placeholder text used for blocked images in placeholder mode. */
+  placeholderImageText?: string;
+  /** Optional custom URL validator. Return false to reject the URL. */
+  validateUrl?: (url: URL, type: 'link' | 'image') => boolean | Promise<boolean>;
+  /** Callback fired for every security violation, regardless of mode. */
+  onSecurityViolation?: (violation: SecurityViolation) => void;
+}
+//#endregion
 //#region src/types/renderOption.d.ts
 type RenderOption = {
   cursor: {
@@ -52,10 +140,13 @@ type RenderOption = {
     bold: FontItem;
     regular: FontItem;
     light: FontItem;
+    italic?: FontItem;
+    boldItalic?: FontItem;
     code?: FontItem;
   };
   heading?: {
-    /** Font size for h1-h6. Values are absolute (e.g. 22, 20, 18, 16, 14, 12). */h1?: number;
+    /** Whether headings should use bold font. Default: true */bold?: boolean; /** Font size for h1-h6. Values are absolute (e.g. 22, 20, 18, 16, 14, 12). */
+    h1?: number;
     h2?: number;
     h3?: number;
     h4?: number;
@@ -72,7 +163,7 @@ type RenderOption = {
   };
   list?: {
     /** Bullet character for unordered lists. Default: '\u2022 ' */bulletChar?: string; /** Extra indent per nesting level in doc units. Default: uses page.indent */
-    indentSize?: number; /** Vertical space between list items. Default: 0 */
+    indentSize?: number; /** Vertical space between list items. Used when spacing.betweenListItems is not provided. */
     itemSpacing?: number;
   };
   paragraph?: {
@@ -140,6 +231,7 @@ type RenderOption = {
   };
   pageBreakHandler?: (doc: jsPDF) => void;
   endCursorYHandler: (y: number) => void;
+  security?: RenderSecurityOptions;
 };
 type Cursor = {
   x: number;
@@ -332,4 +424,4 @@ declare enum MdTokenType {
 //#region src/utils/options-validation.d.ts
 declare const validateOptions: (options: RenderOption) => RenderOption;
 //#endregion
-export { MdTextParser, MdTextRender, MdTokenType, type ParsedElement, type RenderOption, type StyledLine, type StyledWordInfo, type TextStyle, renderInlineContent, renderPlainText, validateOptions };
+export { MdTextParser, MdTextRender, MdTokenType, type ParsedElement, type RenderOption, type RenderSecurityOptions, type SecurityViolation, type SecurityViolationCode, SecurityViolationError, type StyledLine, type StyledWordInfo, type TextStyle, type ViolationAction, type ViolationMode, renderInlineContent, renderPlainText, validateOptions };