@storyblok/richtext
v3.0.2
Published
Storyblok RichText Resolver
Downloads
171,502
Readme
🚀 Usage
If you are first-time user of the Storyblok, read the Getting Started guide to get a project ready in less than 5 minutes.
Installation
npm install @storyblok/richtext
or yarn
:
yarn add @storyblok/richtext
or pnpm
:
pnpm add @storyblok/richtext
Basic
import { richTextResolver } from '@storyblok/richtext';
const { render } = richTextResolver();
const html = render(doc);
document.querySelector<HTMLDivElement>('#app')!.innerHTML = `
<div>
${html}
</div>
`;
Overwrite resolvers
To overwrite an existing resolver, you can pass a property called resolvers available on the richTextResolver
options.
import { MarkTypes, richTextResolver } from '@storyblok/richtext';
const html = richTextResolver({
resolvers: {
[MarkTypes.LINK]: (node) => {
return `<button href="${node.attrs?.href}" target="${node.attrs?.target}">${node.children}</button>`;
},
},
}).render(doc);
Typing with Generics
It is possible to ensure correct typing support in a framework-agnostic way by using Typescript Generics
- Vanilla
string
- Vue
VNode
- React
React.ReactElement
This way the @storyblok/richtext
is ignorant of framework specific types, avoiding having to import them and having vue
react
etc as dependencies.
// Vanilla
const options: StoryblokRichTextOptions<string> = {
resolvers: {
[MarkTypes.LINK]: (node: Node<string>) => {
return `<button href="${node.attrs?.href}" target="${node.attrs?.target}">${node.children}</button>`;
},
},
};
const html = richTextResolver<string>(options).render(doc);
// Vue
const options: StoryblokRichTextOptions<VNode> = {
renderFn: h,
keyedResolvers: true,
};
const root = () => richTextResolver<VNode>(options).render(doc);
// React
const options: StoryblokRichTextOptions<React.ReactElement> = {
renderFn: React.createElement,
keyedResolvers: true,
};
const root = () => richTextResolver<React.ReactElement>(options).render(doc);
Optimize Images
To optimize images in the richtext, you can use the optimizeImages
property on the richTextResolver
options. For the full list of available options, check the Image Optimization documentation.
import { richTextResolver } from '@storyblok/richtext';
const html = richTextResolver({
optimizeImages: {
class: 'my-peformant-image',
loading: 'lazy',
width: 800,
height: 600,
srcset: [400, 800, 1200, 1600],
sizes: ['(max-width: 400px) 100vw', '50vw'],
filters: {
format: 'webp',
quality: 10,
grayscale: true,
blur: 10,
brightness: 10,
},
},
}).render(doc);
Security: HTML Output Sanitization
[!WARNING] This package does not provide proper HTML sanitization by default
The @storyblok/richtext
package primarly converts rich text content into HTML strings, which can then be rendered into the DOM of a web page. This means that any HTML output generated by the rich text resolver includes the raw content as it is defined in Storyblok, which may potentially include harmful or malicious scripts.
Why is Sanitization Important?
Injecting unsanitized HTML into your web application can expose it to cross-site scripting (XSS) attacks. XSS attacks can allow attackers to execute malicious scripts in the context of your website, potentially leading to data theft, session hijacking, and other security breaches.
Your Responsibility
As a developer using @storyblok/richtext
, you are responsible for sanitizing the HTML output from the rich text resolver before injecting it into the DOM. This precaution helps prevent XSS attacks and ensures a safer web environment for your users.
Recommended Sanitization Libraries
To assist you in sanitizing HTML content, we recommend using the following library:
sanitize-html: A simple HTML sanitizer with a flexible API that can adjust to a wide range of applications.
GitHub: sanitize-html
Example Usage
Here is an example of how you might sanitize HTML output using sanitize-html
before rendering it to the DOM:
import sanitizeHtml from 'sanitize-html';
import { richTextResolver } from '@storyblok/richtext';
const html = richTextResolver().render(yourRichTextContent);
const sanitizedHTML = sanitizeHtml(html, {
allowedTags: sanitizeHtml.defaults.allowedTags.concat(['img', 'figure', 'figcaption']),
allowedAttributes: {
...sanitizeHtml.defaults.allowedAttributes,
img: ['src', 'alt', 'title']
}
});
document.getElementById('your-element-id').innerHTML = sanitizedHTML;
Setup
pnpm install
This command will install the dependencies for the workspace, including the dependencies for the playgrounds under /playground
and different framework wrappers /packages
Run Playground
To run the vanilla Typescript playground:
pnpm run playground
Vue playground:
pnpm run playground:vue
React playground:
pnpm run playground:react
Alternatively you can run the following command to run all the playgrounds:
pnpm run playground:all
Build
To build the core package:
pnpm run build
To build the wrappers under /packages
:
pnpm run build:packages
Lint
To lint the core package:
pnpm run lint
To lint the wrappers under /packages
:
pnpm run lint:packages
Alternatively, you can run the following command to fix the linting issues:
pnpm run lint:fix
Test
To run the tests for the core package:
pnpm run test
🔗 Related Links
- Storyblok Technology Hub: Storyblok integrates with every framework so that you are free to choose the best fit for your project. We prepared the technology hub so that you can find selected beginner tutorials, videos, boilerplates, and even cheatsheets all in one place.
- Getting Started: Get a project ready in less than 5 minutes.
- Storyblok CLI: A simple CLI for scaffolding Storyblok projects and fieldtypes.
ℹ️ More Resources
Support
- Bugs or Feature Requests? Submit an issue.
- Do you have questions about Storyblok or you need help? Join our Discord Community.
Contributing
Please see our contributing guidelines and our code of conduct. This project use semantic-release for generate new versions by using commit messages and we use the Angular Convention to naming the commits. Check this question about it in semantic-release FAQ