From ed330a93d03d61a34a3509ab4ff88f956895bae9 Mon Sep 17 00:00:00 2001
From: Pavel Horal
Date: Sat, 6 Apr 2024 23:40:54 +0200
Subject: [PATCH] Switch to custom Domino fork.
---
 SECURITY.md | 6 +++---
 config/rollup.config.js | 2 +-
 package-lock.json | 12 ++++++------
 package.json | 4 ++--
 src/html-parser.js | 2 +-
 5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index a5a04d21..345a41f4 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -15,7 +15,7 @@ Turndown input is
 When a string input is passed, the DOM parser is picked as follows.
 * For web browser usage, the corresponding native web parser is used, which is typically `DOMImplementation`.
-* For standalone usage, [domino](https://github.com/fgnass/domino) parser is used.
+* For standalone usage, custom [domino](https://github.com/mixmark-io/domino) parser is used.
 Please note that a malicious string input can cause undesired effects within the DOM parser even before Turndown code starts processing the document itself.
@@ -27,8 +27,8 @@ better suits your security needs.
 In particular, Turndown version 6 and below used [jsdom](https://github.com/jsdom/jsdom) as the standalone DOM parser. As `jsdom` is a fully featured DOM parser with script execution support,
-it imposes an inherent security risk. We recommend upgrading to version 7, which uses
-[domino](https://github.com/fgnass/domino) that doesn't even support executing scripts nor
+it imposes an inherent security risk. We recommend upgrading to version 7, which uses custom
+[domino](https://github.com/mixmark-io/domino) that doesn't even support executing scripts nor
 downloading external resources.
 ## Reporting a Vulnerability
diff --git a/config/rollup.config.js b/config/rollup.config.js
index f411b80a..87fc0249 100644
--- a/config/rollup.config.js
+++ b/config/rollup.config.js
@@ -6,7 +6,7 @@ export default function (config) {
 return {
 input: 'src/turndown.js',
 output: config.output,
- external: ['domino'],
+ external: ['@mixmark-io/domino'],
 plugins: [
 commonjs(),
 replace({ 'process.browser': JSON.stringify(!!config.browser), preventAssignment: true }),
diff --git a/package-lock.json b/package-lock.json
index c73f7384..bfedeadc 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,7 +9,7 @@
 "version": "7.1.3",
 "license": "MIT",
 "dependencies": {
- "domino": "^2.1.6"
+ "@mixmark-io/domino": "^2.2.0"
 },
 "devDependencies": {
 "@rollup/plugin-commonjs": "^19.0.0",
@@ -188,6 +188,11 @@
 "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==",
 "dev": true
 },
+ "node_modules/@mixmark-io/domino": {
+ "version": "2.2.0",
+ "resolved": "https://registry.npmjs.org/@mixmark-io/domino/-/domino-2.2.0.tgz",
+ "integrity": "sha512-Y28PR25bHXUg88kCV7nivXrP2Nj2RueZ3/l/jdx6J9f8J4nsEGcgX0Qe6lt7Pa+J79+kPiJU3LguR6O/6zrLOw=="
+ },
 "node_modules/@rollup/plugin-commonjs": {
 "version": "19.0.0",
 "resolved": "https://registry.npmjs.org/@rollup/plugin-commonjs/-/plugin-commonjs-19.0.0.tgz",
@@ -1435,11 +1440,6 @@
 "node": ">=8"
 }
 },
- "node_modules/domino": {
- "version": "2.1.6",
- "resolved": "https://registry.npmjs.org/domino/-/domino-2.1.6.tgz",
- "integrity": "sha512-3VdM/SXBZX2omc9JF9nOPCtDaYQ67BGp5CoLpIQlO2KCAPETs8TcDHacF26jXadGbvUteZzRTeos2fhID5+ucQ=="
- },
 "node_modules/dotignore": {
 "version": "0.1.2",
 "resolved": "https://registry.npmjs.org/dotignore/-/dotignore-0.1.2.tgz",
diff --git a/package.json b/package.json
index 5968a684..0ebfd8ce 100644
--- a/package.json
+++ b/package.json
@@ -7,13 +7,13 @@
 "module": "lib/turndown.es.js",
 "jsnext:main": "lib/turndown.es.js",
 "browser": {
- "domino": false,
+ "@mixmark-io/domino": false,
 "./lib/turndown.cjs.js": "./lib/turndown.browser.cjs.js",
 "./lib/turndown.es.js": "./lib/turndown.browser.es.js",
 "./lib/turndown.umd.js": "./lib/turndown.browser.umd.js"
 },
 "dependencies": {
- "domino": "^2.1.6"
+ "@mixmark-io/domino": "^2.2.0"
 },
 "devDependencies": {
 "@rollup/plugin-commonjs": "^19.0.0",
diff --git a/src/html-parser.js b/src/html-parser.js
index de01586e..80a32e36 100644
--- a/src/html-parser.js
+++ b/src/html-parser.js
@@ -47,7 +47,7 @@ function createHTMLParser () {
 }
 }
 } else {
- var domino = require('domino')
+ var domino = require('@mixmark-io/domino')
 Parser.prototype.parseFromString = function (string) {
 return domino.createDocument(string)
 }
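Review bot: The replacement parser is declared with a caret range, `"@mixmark-io/domino": "^2.2.0"`, so installs that do not honour package-lock.json, and downstream packages that depend on turndown, will pick up any later 2.x publish under that scope with no change reviewed here; since this is the component that receives untrusted HTML first in standalone use, consider an exact pin `"@mixmark-io/domino": "2.2.0"` (mirrored in the root `dependencies` entry of the package-lock.json hunk at line 2) so a parser upgrade is an explicit step. The lockfile hunk does carry an `integrity` hash for 2.2.0, which protects `npm ci` installs of this repository but not consumers resolving their own tree. The SECURITY.md hunk at line 1 describes the fork only as `custom`; a sentence there on what it changes relative to upstream domino would let downstream audits judge the swap.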
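Review bot: The module id in `var domino = require('@mixmark-io/domino')` has to stay identical to the `external` entry in config/rollup.config.js and to the `browser` stub key in package.json, which this commit updates in lockstep, but nothing in the code records that coupling. A comment above the require, e.g. `// Module id must match rollup 'external' and the package.json 'browser' stub; the browser build replaces it with false`, would stop a future rename from leaving the parser bundled or unresolved in one of the three places. The enclosing `createHTMLParser` starts before this hunk.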