npm - markdown-to-jsx - Versions diffs - 9.3.4 → 9.4.0 - Mend

markdown-to-jsx 9.3.4 → 9.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/dist/html.d.cts CHANGED Viewed

@@ -175,6 +175,7 @@ type RequireAtLeastOne<
 		attrs?: Record<string, any>;
 		children?: ASTNode[] | undefined;
 		noInnerParse?: Boolean;
+		rawAttrs?: string;
 		tag: string;
 		text?: string | undefined;
 	}
@@ -226,6 +227,31 @@ type RequireAtLeastOne<
 		*/
 		enforceAtxHeadings: boolean;
 		/**
+		* **⚠️ SECURITY WARNING: STRONGLY DISCOURAGED FOR USER INPUTS**
+		*
+		* When enabled, attempts to eval expressions in JSX props that cannot be serialized
+		* as JSON (functions, variables, complex expressions). This uses `eval()` which can
+		* execute arbitrary code.
+		*
+		* **ONLY use this option when:**
+		* - The markdown source is completely trusted (e.g., your own documentation)
+		* - You control all JSX components and their props
+		* - The content is NOT user-generated or user-editable
+		*
+		* **DO NOT use this option when:**
+		* - Processing user-submitted markdown
+		* - Rendering untrusted content
+		* - Building public-facing applications with user content
+		*
+		* Example unsafe input: `<Component onClick={() => fetch('/admin/delete-all')} />`
+		*
+		* When disabled (default), unserializable expressions remain as strings that can be
+		* safely inspected or handled on a case-by-case basis via custom renderRule logic.
+		*
+		* @default false
+		*/
+		evalUnserializableExpressions?: boolean;
+		/**
 		* Forces the compiler to always output content with a block-level wrapper
 		* (`<p>` or any block-level syntax your markdown already contains.)
 		*/

package/dist/html.d.ts CHANGED Viewed

@@ -175,6 +175,7 @@ type RequireAtLeastOne<
 		attrs?: Record<string, any>;
 		children?: ASTNode[] | undefined;
 		noInnerParse?: Boolean;
+		rawAttrs?: string;
 		tag: string;
 		text?: string | undefined;
 	}
@@ -226,6 +227,31 @@ type RequireAtLeastOne<
 		*/
 		enforceAtxHeadings: boolean;
 		/**
+		* **⚠️ SECURITY WARNING: STRONGLY DISCOURAGED FOR USER INPUTS**
+		*
+		* When enabled, attempts to eval expressions in JSX props that cannot be serialized
+		* as JSON (functions, variables, complex expressions). This uses `eval()` which can
+		* execute arbitrary code.
+		*
+		* **ONLY use this option when:**
+		* - The markdown source is completely trusted (e.g., your own documentation)
+		* - You control all JSX components and their props
+		* - The content is NOT user-generated or user-editable
+		*
+		* **DO NOT use this option when:**
+		* - Processing user-submitted markdown
+		* - Rendering untrusted content
+		* - Building public-facing applications with user content
+		*
+		* Example unsafe input: `<Component onClick={() => fetch('/admin/delete-all')} />`
+		*
+		* When disabled (default), unserializable expressions remain as strings that can be
+		* safely inspected or handled on a case-by-case basis via custom renderRule logic.
+		*
+		* @default false
+		*/
+		evalUnserializableExpressions?: boolean;
+		/**
 		* Forces the compiler to always output content with a block-level wrapper
 		* (`<p>` or any block-level syntax your markdown already contains.)
 		*/