react-modern-audio-player 2.3.1 → 2.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +21 -0
- package/dist/index.es.js +500 -470
- package/dist/types/components/Grid/Grid.d.ts +1 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -39,6 +39,10 @@
|
|
|
39
39
|
|
|
40
40
|
<https://codesandbox.io/p/sandbox/basic-nfrpfq>
|
|
41
41
|
|
|
42
|
+
or
|
|
43
|
+
|
|
44
|
+
<https://stackblitz.com/edit/stackblitz-webcontainer-api-starter-k4uxhzjx?file=src%2FApp.tsx>
|
|
45
|
+
|
|
42
46
|
# **Flexible and Customizable UI**
|
|
43
47
|
|
|
44
48
|
## Waveform progress with `wavesurfer.js`
|
|
@@ -160,6 +164,7 @@ export default function PlayerPage() {
|
|
|
160
164
|
| **Accessibility** | [Keyboard support](#keyboard-support) |
|
|
161
165
|
| **Gotchas** | [Gotchas](#gotchas) |
|
|
162
166
|
| **Example** | [Example](#example) |
|
|
167
|
+
| **Security** | [Security & Trust Model](#security--trust-model) |
|
|
163
168
|
|
|
164
169
|
# Props
|
|
165
170
|
|
|
@@ -795,3 +800,19 @@ function App() {
|
|
|
795
800
|
);
|
|
796
801
|
}
|
|
797
802
|
```
|
|
803
|
+
|
|
804
|
+
# **Security & Trust Model**
|
|
805
|
+
|
|
806
|
+
A few props on this library are typed as `string | ReactNode` — most notably:
|
|
807
|
+
|
|
808
|
+
- [`AudioData.description`](#playlist)
|
|
809
|
+
- [`AudioData.customTrackInfo`](#mental-model--activeui-vs-compound-children)
|
|
810
|
+
|
|
811
|
+
React's standard JSX rendering applies. **A plain string passed to one of these props is auto-escaped** by React — so `description: "<img src=x onerror=alert(1)>"` becomes harmless text. If, however, you construct the `ReactNode` yourself using `dangerouslySetInnerHTML`, React runs whatever HTML you put there. This is React's documented contract; see [_Dangerously setting the inner HTML_](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html) on `react.dev`.
|
|
812
|
+
|
|
813
|
+
When the content originates from **user-generated input**, the consumer is responsible for sanitizing it _before_ it is handed to this library:
|
|
814
|
+
|
|
815
|
+
- Prefer passing a **plain string** — React's escape is sufficient.
|
|
816
|
+
- If you must inject HTML (e.g. a Markdown preview), sanitize first with [DOMPurify](https://github.com/cure53/DOMPurify) or a vetted Markdown parser, then wrap the result in JSX.
|
|
817
|
+
|
|
818
|
+
This library does **not** bundle a sanitizer because the trust boundary, allowed-tag policy, and rendering pipeline all depend on the consumer's data source — only the integrating application has that context.
|