[Pkg-javascript-devel] Bug#1103615: Bug#1103615: Bug#1103615: node-dompurify: please update to latest version

Yadd yadd at debian.org
Tue Apr 22 06:31:43 BST 2025


On 4/21/25 11:19, Jérémy Lal wrote:
> 
> 
> On Mon, 21 Apr 2025 at 10:12, Paul Gevers <elbrus at debian.org> wrote:
> 
>     Hi Jérémy,
> 
>     Thanks for the reply.
> 
>     On 20-04-2025 13:21, Jérémy Lal wrote:
>      > Good question ! The answer is that it's not needed:
>      > nodejs 20.19.0 can "require(esm)" [1] so a CJS module is no longer
>      > locked out using ESM modules.
>      > The other way around (import a CJS module from an ES module) has
>      > always been possible.
> 
> 
>     As I understand it, liferea is already ESM and my problem is that the
>     code apparently assumes that node-dompurify (and handlebars) is ESM
>     too. So far, I have never needed to fix javascript in a more than
>     trivial manner, so I don't know where to start here. My fundamental
>     question is what do I have to do to build liferea with the Debian
>     shipped node-dompurify (and handlebars) instead of the vendored
>     version? liferea uses the file during the build and embeds it in the
>     executable, but as can be seen from my discussion in the upstream bug
>     tracker [1], using the current versions in Debian doesn't work and
>     upstream suggested that node-dompurify needs the change. I understand
>     you say it should be trivial to fix on the liferea side? (The include
>     happens here [2], for handlebars it's here [3]. I tried commenting
>     them out and adding a <script> here [4] but that seems to be too
>     simple.)
> 
> 
> For handlebars, it should work all right as it is,
> for dompurify, first fix the path you copy it from, use:
> /usr/share/nodejs/dompurify/dist/purify.es.mjs
> 
> Then to fix the version mismatch, you can use this patch:
> 
> diff --git a/js/htmlview.js b/js/htmlview.js
> index d6f4a9f..d1d4f69 100644
> --- a/js/htmlview.js
> +++ b/js/htmlview.js
> @@ -22,6 +22,8 @@
>   import { render, template } from './helpers/render.js';
>   import DOMPurify from './vendor/purify.min.js';
> 
> +const purify = DOMPurify(window);
> +
>   window.debugflags = 0;
> 
>   function prepare(baseURL, title) {
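
Review bot: the added `const purify = DOMPurify(window);` line has no comment saying why the default export is called as a factory instead of being used directly, so a later cleanup could easily revert it; add a one-line comment stating the reason. The unchanged import in the context line above still reads `./vendor/purify.min.js`, so the build step has to copy the packaged file to that name or the import has to change with it.
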
> @@ -227,7 +229,7 @@ function contentCleanup() {
> 
>          // Run DOMPurify
>          let content = document.getElementById('content').innerHTML;
> -       document.getElementById('content').innerHTML = 
> DOMPurify.sanitize(content);
> +       document.getElementById('content').innerHTML = 
> purify.sanitize(content);
> 
>          // Fix inline SVG sizes
>          const svgMinWidth = 50;
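
Review bot: in `contentCleanup()` the string passed to `purify.sanitize()` is read back from `document.getElementById('content').innerHTML`, so the unsanitized markup has already been parsed into the live document before the sanitizer sees it, and the patch keeps that order. Consider sanitizing the string before it is first assigned to the `content` element, or add a comment on why the post-insert pass is sufficient. The `-` and `+` lines are also wrapped by the mail client here, so the hunk will not apply as quoted.
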
Hi,

looking at 
https://release.debian.org/britney/pseudo-excuses-experimental.html#node-dompurify 
it looks like the update of node-dompurify is possible without breaking 
things. I looked at the debdiff between the last and the current 
version, no big changes.


