Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@storyblok/richtext
Advanced tools
A custom resolver for the Storyblok Richtext field.
If you are first-time user of the Storyblok, read the Getting Started guide to get a project ready in less than 5 minutes.
npm install @storyblok/richtext
or yarn
:
yarn add @storyblok/richtext
or pnpm
:
pnpm add @storyblok/richtext
import { richTextResolver } from '@storyblok/richtext'
const { render } = richTextResolver()
const html = render(doc)
document.querySelector<HTMLDivElement>('#app')!.innerHTML = `
<div>
${html}
</div>
`
To overwrite an existing resolver, you can pass a property called resolvers available on the richTextResolver
options.
import { MarkTypes, richTextResolver } from '@storyblok/richtext'
const html = richTextResolver({
resolvers: {
[MarkTypes.LINK]: (node) => {
return `<button href="${node.attrs?.href}" target="${node.attrs?.target}">${node.children}</button>`
},
},
}).render(doc)
It is possible to ensure correct typing support in a framework-agnostic way by using Typescript Generics
string
VNode
React.ReactElement
This way the @storyblok/richtext
is ignorant of framework specific types, avoiding having to import them and having vue
react
etc as dependencies.
// Vanilla
const options: StoryblokRichTextOptions<string> = {
resolvers: {
[MarkTypes.LINK]: (node: Node<string>) => {
return `<button href="${node.attrs?.href}" target="${node.attrs?.target}">${node.children}</button>`
},
},
}
const html = richTextResolver<string>(options).render(doc)
// Vue
const options: StoryblokRichTextOptions<VNode> = {
renderFn: h,
}
const root = () => richTextResolver<VNode>(options).render(doc)
To optimize images in the richtext, you can use the optimizeImages
property on the richTextResolver
options. For the full list of available options, check the Image Optimization documentation.
import { richTextResolver } from '@storyblok/richtext'
const html = richTextResolver({
optimizeImages: {
class: 'my-peformant-image',
loading: 'lazy',
width: 800,
height: 600,
srcset: [400, 800, 1200, 1600],
sizes: ['(max-width: 400px) 100vw', '50vw'],
filters: {
format: 'webp',
blur: 120
quality: 10,
grayscale: true,
blur: 10,
brightness: 10,
},
},
}).render(doc)
[!WARNING]
This package does not provide proper HTML sanitization by default
The @storyblok/richtext
package primarly converts rich text content into HTML strings, which can then be rendered into the DOM of a web page. This means that any HTML output generated by the rich text resolver includes the raw content as it is defined in Storyblok, which may potentially include harmful or malicious scripts.
Injecting unsanitized HTML into your web application can expose it to cross-site scripting (XSS) attacks. XSS attacks can allow attackers to execute malicious scripts in the context of your website, potentially leading to data theft, session hijacking, and other security breaches.
As a developer using @storyblok/richtext
, you are responsible for sanitizing the HTML output from the rich text resolver before injecting it into the DOM. This precaution helps prevent XSS attacks and ensures a safer web environment for your users.
To assist you in sanitizing HTML content, we recommend using the following library:
sanitize-html: A simple HTML sanitizer with a flexible API that can adjust to a wide range of applications.
GitHub: sanitize-html
Here is an example of how you might sanitize HTML output using sanitize-html
before rendering it to the DOM:
import sanitizeHtml from 'sanitize-html';
import { richTextResolver } from '@storyblok/richtext';
const html = richTextResolver().render(yourRichTextContent);
const sanitizedHTML = sanitizeHtml(html, {
allowedTags: sanitizeHtml.defaults.allowedTags.concat(['img', 'figure', 'figcaption']),
allowedAttributes: {
...sanitizeHtml.defaults.allowedAttributes,
'img': ['src', 'alt', 'title']
}
});
document.getElementById('your-element-id').innerHTML = sanitizedHTML;
pnpm install
This command will install the dependencies for the workspace, including the dependencies for the playgrounds under /playground
and different framework wrappers /packages
To run the vanilla Typescript playground:
pnpm run playground
Vue playground:
pnpm run playground:vue
React playground:
pnpm run playground:react
Alternatively you can run the following command to run all the playgrounds:
pnpm run playground:all
To build the core package:
pnpm run build
To build the wrappers under /packages
:
pnpm run build:packages
To lint the core package:
pnpm run lint
To lint the wrappers under /packages
:
pnpm run lint:packages
Alternatively, you can run the following command to fix the linting issues:
pnpm run lint:fix
To run the tests for the core package:
pnpm run test
Please see our contributing guidelines and our code of conduct. This project use semantic-release for generate new versions by using commit messages and we use the Angular Convention to naming the commits. Check this question about it in semantic-release FAQ
FAQs
Storyblok RichText Resolver
The npm package @storyblok/richtext receives a total of 31,624 weekly downloads. As such, @storyblok/richtext popularity was classified as popular.
We found that @storyblok/richtext demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.