-
Notifications
You must be signed in to change notification settings - Fork 27.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using dompurify with SSR or Server Component fails with webpack error #46893
Comments
Looking into the So it seems like something like this should work: import DOMPurify from "dompurify";
import { JSDOM } from "jsdom";
export default function Home() {
return (
<div
dangerouslySetInnerHTML={{
- __html: DOMPurify.sanitize(
+ __html: DOMPurify((new JSDOM("<!DOCTYPE html>")).window).sanitize(
"<img src=x onerror=alert(1)//>"
),
}}
/>
);
} And indeed, then we get new error messages:
This can be tracked down to here: Where there is no concrete solution, but it seems like Then after installing
So maybe it needs something to be marked as externals in the webpack config.... 🤔 eg. like this:
Tried adding
So maybe
After restarting the dev server and reloading the page, this works! (image is supposed to be broken) |
TLDR version: To use CodeSandbox Demo: https://codesandbox.io/p/sandbox/lingering-river-j5fpi7?file=%2Fapp%2Fpage.tsx |
@timneutkens @ijjk would you accept a PR for adding |
cc @JesseKoldewijn, in case this approach is accepted by the team and you want to get another PR in for Next.js! |
What seems to be the package that throws up? Canvas or jsdom? |
As in, from what I understand after reading through this issue it seems like canvas is supposed to be a peer dep. of jsdom. |
Ill take a look into it in a sec. Currently omw home🤙 |
Hey sorry, something came up regarding my grandpa that got incurable sick about 2 weeks ago (or rather we found out about it last week). I'll take a look tomorrow at work at this current issue and will keep y'all in the loop. Sorry for the delay. |
@JesseKoldewijn no worries, just when you get a chance. The packages |
has that already be done? or shall I do that for y'all |
Hasn't been done yet, nope! If you want to get another PR in, go ahead :) |
Will do! 👍 |
Thanks for the PR and merge @JesseKoldewijn @ijjk ! 🙌 From a first look, seems like CodeSandbox demo: https://codesandbox.io/p/sandbox/quirky-gagarin-speccj?file=%2Fapp%2Fpage.tsx |
One thing that is kind of unusual to me is this extra $ yarn dev
$ next dev
ready - started server on 0.0.0.0:3000, url: http://localhost:3000
warn - You have enabled experimental feature (appDir) in next.config.js.
warn - Experimental features are not covered by semver, and may cause unexpected or broken application behavior. Use at your own risk.
info - Thank you for testing `appDir` please leave your feedback at https://nextjs.link/app-feedback
event - compiled client and server successfully in 963 ms (262 modules)
wait - compiling...
wait - compiling /page (client and server)...
event - compiled client and server successfully in 1038 ms (451 modules)
wait - compiling /_error (client and server)...
event - compiled client and server successfully in 151 ms (452 modules) If I remove the |
I've also seen that error compile pop up when using framer motion presence (the page transition component) so I'm not really sure where that _error compile wait comes from. |
Ah gotcha |
This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
Verify canary release
Provide environment information
Operating System: Platform: linux Arch: x64 Version: #22 SMP Tue Jan 10 18:39:00 UTC 2023 Binaries: Node: 16.17.0 npm: 8.15.0 Yarn: 1.22.19 pnpm: 7.1.0 Relevant packages: next: 13.2.4-canary.5 eslint-config-next: N/A react: 18.2.0 react-dom: 18.2.0
Which area(s) of Next.js are affected? (leave empty if unsure)
App directory (appDir: true)
Link to the code that reproduces this issue
https://codesandbox.io/p/sandbox/angry-thunder-s7tvqk?file=%2Fapp%2Fpage.tsx
To Reproduce
app/page.tsx
This kind of works in the
pages/
directory (the image appears in the browser), although still throws an error while rendering in SSR.Describe the Bug
It seems that the
dompurify
library does not support Node.js usage out of the box.One recommendation from Stack Overflow is to use
isomorphic-dompurify
(300k weekly downloads vs 3.5m fordompurify
)Expected Behavior
dompurify
works out of the box with Next.js and Node.jsRelated issues
Which browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
No response
The text was updated successfully, but these errors were encountered: