
use default import for dompurify instead of namespace import #908

Open

KTibow wants to merge 1 commit into sandwichfarm:next from KTibow:fix/dompurify-sanitize-import


Conversation

@KTibow KTibow commented May 10, 2026

dompurify has no named exports - only a default export (the sanitize function itself). But notes.ts and PageHeader.svelte both used import * as DOMPurify and called DOMPurify.sanitize(), which Rollup cannot resolve statically. It warns "sanitize is not exported by purify.es.mjs" and silently replaces the reference with undefined, crashing any page with a non-empty subtitle prop.

Fix both files to use import DOMPurify from "dompurify" and call DOMPurify(text) directly. Drop the as any casts and the defensive .sanitize ?? .default?.sanitize fallback in notes.ts.

Originated in two separate commits, same author ("sandwich"):

  1. notes.ts - commit 42c2a23 (Dec 9, 2024, "single relay pages."): the original introduction of the file, used import * as DOMPurify from day one.
  2. PageHeader.svelte - commit fff65b5 (May 3, 2026, "fix: XSS via unsanitized NIP-11 fields rendered with {@html}" from PR fix: XSS via unsanitized NIP-11 fields rendered with {@html} #899): copied the same broken import * as DOMPurify + .sanitize pattern from notes.ts when adding DOMPurify sanitization to the subtitle sink.
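Added example, not code from PR #908 or the sandwichfarm project: two defender-side checks around the failure described above. The first is a source scan that flags `import * as X from "dompurify"` so the pattern is caught in CI before a bundler turns `X.sanitize` into `undefined`; the second is a fail-closed wrapper that refuses to render when the value resolved as the sanitizer is not callable, so a broken import produces a loud error rather than raw HTML reaching an {@html} sink. The regex, the sample source lines, and the stub sanitizer are this example's own constructions; only the module specifier and the two import forms come from the PR text.

```javascript
// Added example: not code from PR #908 or the sandwichfarm project.
// 1. findNamespaceDompurifyImports: CI-style scan for the broken import form.
// 2. sanitizeOrFailClosed: refuse to render if the sanitizer is not a function.

// Flags `import * as Name from "dompurify"` lines. Returns [{ line, text }].
// The regex is an assumption about how the import appears in source.
function findNamespaceDompurifyImports(source) {
  const re = /^\s*import\s+\*\s+as\s+\w+\s+from\s+["']dompurify["']/;
  const hits = [];
  source.split("\n").forEach((text, i) => {
    if (re.test(text)) hits.push({ line: i + 1, text: text.trim() });
  });
  return hits;
}

// Constructed samples mimicking the "before" and "after" forms named in the PR.
const sampleBrokenTs = [
  'import * as DOMPurify from "dompurify";',
  "const clean = (DOMPurify as any).sanitize(text);",
].join("\n");
const sampleFixedTs = [
  'import DOMPurify from "dompurify";',
  "const clean = DOMPurify(text);",
].join("\n");

// Fail closed: `sanitizer` is whatever the import resolved to. If it is not
// callable (e.g. `undefined` after a namespace import of a default-only
// module), throw instead of returning `dirty` unchanged to the caller.
function sanitizeOrFailClosed(sanitizer, dirty) {
  if (typeof sanitizer !== "function") {
    throw new TypeError("sanitizer is not a function; refusing to render unsanitized HTML");
  }
  const out = sanitizer(dirty);
  if (typeof out !== "string") {
    throw new TypeError("sanitizer returned a non-string value");
  }
  return out;
}

// Constructed stand-in for a module whose only export is a default export.
// NOT a real sanitizer; it exists only so the example runs offline.
function stubSanitize(dirty) {
  return String(dirty).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}
// What the two import forms bind to for such a module: a namespace import
// yields an object with only `.default`, so `.sanitize` is undefined (the
// PR reports Rollup resolving it to undefined at build time; the plain
// runtime lookup here has the same effect).
const namespaceBinding = { default: stubSanitize }; // import * as DOMPurify
const defaultBinding = stubSanitize;                // import DOMPurify from

function demo() {
  const hits = findNamespaceDompurifyImports(sampleBrokenTs);
  let brokenThrew = false;
  try {
    sanitizeOrFailClosed(namespaceBinding.sanitize, "<b>hi</b>");
  } catch (e) {
    brokenThrew = e instanceof TypeError;
  }
  const clean = sanitizeOrFailClosed(defaultBinding, "<b>hi</b><script>x()</script>");
  return { hits, brokenThrew, clean };
}
```

The scan is meant to run over the repository's .ts and .svelte sources in CI and fail the build on any hit; the wrapper belongs at every {@html} sink so that a mis-resolved sanitizer can never degrade to pass-through.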
