un-ts · JounQin · Dec 14, 2023 · Dec 13, 2023 · Dec 14, 2023 · Dec 14, 2023
diff --git a/.changeset/rich-plants-call.md b/.changeset/rich-plants-call.md
@@ -0,0 +1,5 @@
+---
+"domiso": minor
+---
+
+feat: better compatibility with `dompurify`, prevent many more XSS cases
diff --git a/.codesandbox/ci.json b/.codesandbox/ci.json
@@ -1,4 +1,6 @@
 {
   "node": "18",
+  "installCommand": "codesandbox:install",
+  "buildCommand": "codesandbox:build",
   "sandboxes": []
 }
diff --git a/.eslintignore b/.eslintignore
@@ -2,6 +2,7 @@ coverage
 dist
 lib
 CHANGELOG.md
+/DOMPurify
 /auto-imports.d.ts
 /pnpm-lock.yaml
 !/.github

diff --git a/.eslintrc b/.eslintrc
@@ -2,6 +2,7 @@
   "root": true,
   "extends": "@1stg",
   "rules": {
+    "unicorn/prefer-set-has": "off",
     "unicorn/template-indent": "off"
   },
   "overrides": [

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          submodules: true
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v2

diff --git a/.github/workflows/size-limit.yml b/.github/workflows/size-limit.yml
@@ -12,6 +12,8 @@ jobs:
       CI_JOB_NUMBER: 1
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: true
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v2

diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "DOMPurify"]
+	path = DOMPurify
+	url = https://github.com/cure53/DOMPurify.git
diff --git a/.npmrc b/.npmrc
@@ -1,4 +1,3 @@
-auto-install-peers=true
 enable-pre-post-scripts=true
 public-hoist-pattern[]=@1stg/*
 public-hoist-pattern[]=@commitlint/*

diff --git a/.prettierignore b/.prettierignore
@@ -3,4 +3,6 @@
 coverage
 dist
 lib
+/DOMPurify
+/auto-imports.d.ts
 /pnpm-lock.yaml
diff --git a/.stylelintignore b/.stylelintignore
@@ -2,8 +2,11 @@ coverage
 dist
 lib
 LICENSE
+fixtures
+/DOMPurify
 *.json
 *.log
+*.mts
 *.patch
 *.snap
 *.svg

diff --git a/DOMPurify b/DOMPurify
diff --git a/dompurify.fixtures.d.mts b/dompurify.fixtures.d.mts
@@ -0,0 +1,11 @@
+declare module 'DOMPurify/test/fixtures/expect.mjs' {
+  export interface Fixture {
+    title?: string
+    payload: string
+    expected: string[] | string
+  }
+
+  const fixtures: Fixture[]
+
+  export default fixtures
+}
diff --git a/package.json b/package.json
@@ -7,7 +7,7 @@
   "author": "JounQin (https://www.1stG.me) <[email protected]>",
   "funding": "https://opencollective.com/unts",
   "license": "MIT",
-  "packageManager": "[email protected].0",
+  "packageManager": "[email protected].1",
   "engines": {
     "node": "^12.20.0 || ^14.18.0 || >=16.0.0"
   },
@@ -34,14 +34,17 @@
     "build": "pnpm test && run-p build:*",
     "build:r": "r -f cjs",
     "build:tsc": "tsc -p src",
+    "codesandbox:build": "yarn test -u && yarn run-p build:*",
+    "codesandbox:install": "git submodule update --init && yarn",
     "dev": "vitest",
     "docs:build": "w -e docs -p --publicPath /",
     "docs:dev": "w -e docs",
+    "limit": "pnpm build && size-limit",
     "lint": "run-p lint:*",
     "lint:es": "eslint . --cache -f friendly --max-warnings 10",
     "lint:style": "stylelint . --cache",
     "lint:tsc": "tsc --noEmit",
-    "prepare": "simple-git-hooks",
+    "prepare": "simple-git-hooks || exit 0",
     "release": "pnpm build && changeset publish",
     "serve": "sirv dist -s",
     "test": "vitest run --coverage",
@@ -63,7 +66,7 @@
     "@types/react-dom": "^18.2.17",
     "@types/web": "^0.0.127",
     "@vitest/coverage-istanbul": "^1.0.4",
-    "domiso": "link:",
+    "domiso": "link:.",
     "github-markdown-css": "^5.5.0",
     "jsdom": "^23.0.1",
     "react": "^18.2.0",
@@ -89,12 +92,15 @@
   "pnpm": {
     "overrides": {
       "sh-syntax": "^0.4.1"
+    },
+    "patchedDependencies": {
+      "[email protected]": "patches/[email protected]"
     }
   },
   "size-limit": [
     {
       "path": "lib/index.js",
-      "limit": "410B"
+      "limit": "1KB"
     }
   ],
   "typeCoverage": {

diff --git a/patches/[email protected] b/patches/[email protected]
@@ -0,0 +1,29 @@
+diff --git a/lib/jsdom/living/helpers/stylesheets.js b/lib/jsdom/living/helpers/stylesheets.js
+index 9b44b6dba9a74495f880e6a6fe53ffbc9bf8a5d6..cb536fc5b11ca1eb0c5f98e9292ce46f63c03290 100644
+--- a/lib/jsdom/living/helpers/stylesheets.js
++++ b/lib/jsdom/living/helpers/stylesheets.js
+@@ -43,6 +43,11 @@ exports.createStylesheet = (sheetText, elementImpl, baseURL) => {
+     return;
+   }
+
++  if (!elementImpl._ownerDocument._defaultView) {
++    elementImpl.sheet = sheet;
++    return;
++  }
++
+   scanForImportRules(elementImpl, sheet.cssRules, baseURL);
+
+   addStylesheet(sheet, elementImpl);
+diff --git a/lib/jsdom/living/nodes/HTMLStyleElement-impl.js b/lib/jsdom/living/nodes/HTMLStyleElement-impl.js
+index 7dcc6fbd453ec5edda80f07c0e79a2fe6e6c9906..2116266218ca6420457518595cdd4f3f73eea966 100644
+--- a/lib/jsdom/living/nodes/HTMLStyleElement-impl.js
++++ b/lib/jsdom/living/nodes/HTMLStyleElement-impl.js
+@@ -52,7 +52,7 @@ class HTMLStyleElementImpl extends HTMLElementImpl {
+     }
+
+     // Browsing-context connected, per https://github.com/whatwg/html/issues/4547
+-    if (!this.isConnected || !this._ownerDocument._defaultView) {
++    if (!this.isConnected) {
+       return;
+     }
+
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,8 +2,11 @@ coverage @@
     dist
     lib
     LICENSE
+    fixtures
+    /DOMPurify
     *.json
     *.log
+    *.mts
     *.patch
     *.snap
     *.svg
@@ Expand Down @@