[Pkg-javascript-devel] Bug#1103615: Bug#1103615: node-dompurify: please update to latest version
Jérémy Lal
kapouer at melix.org
Mon Apr 21 10:19:26 BST 2025
On Mon, 21 Apr 2025 at 10:12, Paul Gevers <elbrus at debian.org> wrote:
> Hi Jérémy,
>
> Thanks for the reply.
>
> On 20-04-2025 13:21, Jérémy Lal wrote:
> > Good question! The answer is that it's not needed:
> > nodejs 20.19.0 can "require(esm)" [1] so a CJS module is no longer
> > locked out using ESM modules.
> > The other way around (import a CJS module from an ES module) has always
> > been possible.
>
>
> As I understand it, liferea is already ESM and my problem is that the
> code apparently assumes that node-dompurify (and handlebars) is ESM too.
> So far, I have never needed to fix javascript in a more than trivial
> manner, so I don't know where to start here. My fundamental question is
> what do I have to do to build liferea with the Debian shipped
> node-dompurify (and handlebars) instead of the vendored version? liferea
> uses the file during the build and embeds it in the executable, but as
> can be seen from my discussion in the upstream bug tracker [1], using
> the current versions in Debian doesn't work and upstream suggested that
> node-dompurify needs the change. I understand you say it should be
> trivial to fix on the liferea side? (The include happens here [2], for
> handlebars it's here [3]. I tried commenting them out and adding a
> <script> here [4] but that seems to be too simple.)
>
For handlebars, it should work all right as it is.
For dompurify, first fix the path you copy it from; use:
/usr/share/nodejs/dompurify/dist/purify.es.mjs
Then to fix the version mismatch, you can use this patch:
diff --git a/js/htmlview.js b/js/htmlview.js
index d6f4a9f..d1d4f69 100644
--- a/js/htmlview.js
+++ b/js/htmlview.js
@@ -22,6 +22,8 @@
import { render, template } from './helpers/render.js';
import DOMPurify from './vendor/purify.min.js';
+const purify = DOMPurify(window);
+
window.debugflags = 0;
function prepare(baseURL, title) {
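Review bot: The module-level `const purify = DOMPurify(window);` added after the imports is never checked before `contentCleanup()` relies on it. DOMPurify instances expose `isSupported`; testing it at this point and logging or aborting when it is false would make a broken sanitizer setup visible instead of silent. The import just above still names `./vendor/purify.min.js` while the message says to copy `purify.es.mjs`, so a comment stating which build this path is expected to hold would help the next packager.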
@@ -227,7 +229,7 @@ function contentCleanup() {
// Run DOMPurify
let content = document.getElementById('content').innerHTML;
- document.getElementById('content').innerHTML =
DOMPurify.sanitize(content);
+ document.getElementById('content').innerHTML =
purify.sanitize(content);
// Fix inline SVG sizes
const svgMinWidth = 50;
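Review bot: In `contentCleanup()` the replaced call still sanitizes a string read back from the live element (`document.getElementById('content').innerHTML`), so the markup has already been parsed into the document before `purify.sanitize(content)` runs. The switch to the `purify` instance does not change that; sanitizing the string before it is first assigned to `content` would be the stronger ordering and is worth raising upstream. Separately, the removed and added statements are wrapped onto two lines here, with the continuation showing up as a context line, so the patch is safer sent as an attachment than inline.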