Open bedwards-cms opened 6 months ago
We don't use this module browser-side. I'm aware of some valid use cases, but it mostly makes much more sense to sanitize things in a place you can trust (e.g. on a server). So this is an area for community contributions.
Possibly it's time for a new major version that introduces a backwards compatibility break by making postcss support optional via a second, optional module. That seems to be source of just about all concerns about this. There is no mention of the fs
module in sanitize-html itself.
Hello @boutell
I am also getting all the warnings in my console. I have update the version from '2.7.3' to '2.12.1' but still I am getting all warnings.
Any solution ?
Thankyou
This might be a dumb question but an important to ask nonetheless, if I am seeing these warnings (on a Vue/Nuxt 3 application), is there any concern about the functionality of the sanitizing working properly? As a followup and per @boutell's comment, would it be safer and better practice to move the sanitizing to an SSR context?
Really you have two options: you can sanitize the data once server side and save it in sanitized form, or you can sanitize it every time you output it on the client side. Here we prefer the former, because it is efficient and it's harder to do something unsafe, and so we don't use this module on the client side. Client side support is contributed by the community.
These warnings relate to Node.js features utilized by sanitize-html or its dependencies. Vite is telling you that it provided a simulation, but not a complete one, and there's a chance the module uses something it doesn't provide. Possibly that could be fixed by community contributors through eliminating calls to the mentioned features.
For what it's worth though, sanitize-html
never does import path
. It's not mentioned anywhere in the source. So it's probably a dependency of a sub-dependency, and that's a longer road tracking down the module that actually has the issue and contributing there or finding an alternative to that functionality for sanitize-html to use.
Awesome, thank you for the insight 👍
Related, but sanitize-html has problems running on cloudflare workers, which is also a server environment, but does not have Node APIs.
It sounds like this would need to be resolved upstream in postcss
, so I would recommend checking into whether I'm right about that, and if so contributing to the solution there.
Linking to https://github.com/vitejs/vite/issues/7821
The problem to solve
Lots of console warnings are being logged since adding sanitize-html to a React application running with vite.
This is details about the warning we are seeing. https://vitejs.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility
Here is an example what we see in console:![image](https://github.com/apostrophecms/sanitize-html/assets/135224593/697eaf85-8a95-4f3e-a80b-d73bf46c1339)
Proposed solution
See if there is a reasonable resolution to eliminate this issue.
Alternatives
In this case, one alternative is to just switch to using domPurify
Additional context