Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch to custom Domino fork #461

Merged
merged 1 commit into from
Apr 8, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:

jobs:
Expand Down
6 changes: 3 additions & 3 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ Turndown input is

When a string input is passed, the DOM parser is picked as follows.
* For web browser usage, the corresponding native web parser is used, which is typically `DOMImplementation`.
* For standalone usage, [domino](https://github.com/fgnass/domino) parser is used.
* For standalone usage, custom [domino](https://github.com/mixmark-io/domino) parser is used.

Please note that a malicious string input can cause undesired effects within the DOM parser
even before Turndown code starts processing the document itself.
Expand All @@ -27,8 +27,8 @@ better suits your security needs.

In particular, Turndown version 6 and below used [jsdom](https://github.com/jsdom/jsdom) as the
standalone DOM parser. As `jsdom` is a fully featured DOM parser with script execution support,
it imposes an inherent security risk. We recommend upgrading to version 7, which uses
[domino](https://github.com/fgnass/domino) that doesn't even support executing scripts nor
it imposes an inherent security risk. We recommend upgrading to version 7, which uses custom
[domino](https://github.com/mixmark-io/domino) that doesn't even support executing scripts nor
downloading external resources.

## Reporting a Vulnerability
Expand Down
2 changes: 1 addition & 1 deletion config/rollup.config.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ export default function (config) {
return {
input: 'src/turndown.js',
output: config.output,
external: ['domino'],
external: ['@mixmark-io/domino'],
plugins: [
commonjs(),
replace({ 'process.browser': JSON.stringify(!!config.browser), preventAssignment: true }),
Expand Down
12 changes: 6 additions & 6 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,13 @@
"module": "lib/turndown.es.js",
"jsnext:main": "lib/turndown.es.js",
"browser": {
"domino": false,
"@mixmark-io/domino": false,
"./lib/turndown.cjs.js": "./lib/turndown.browser.cjs.js",
"./lib/turndown.es.js": "./lib/turndown.browser.es.js",
"./lib/turndown.umd.js": "./lib/turndown.browser.umd.js"
},
"dependencies": {
"domino": "^2.1.6"
"@mixmark-io/domino": "^2.2.0"
},
"devDependencies": {
"@rollup/plugin-commonjs": "^19.0.0",
Expand Down
2 changes: 1 addition & 1 deletion src/html-parser.js
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ function createHTMLParser () {
}
}
} else {
var domino = require('domino')
var domino = require('@mixmark-io/domino')
Parser.prototype.parseFromString = function (string) {
return domino.createDocument(string)
}
Expand Down