
feature: drop dependencies to improve runtime performance

Open jantimon opened this issue 5 years ago • 1 comment

lodash is used for very trivial checks:

https://github.com/adobe/htlengine/blob/56f6733d3b9f1b1535d2ad738e520200ed5f9e90/src/runtime/xss_api.js#L285

https://github.com/adobe/htlengine/blob/56f6733d3b9f1b1535d2ad738e520200ed5f9e90/src/runtime/xss_api.js#L289

https://github.com/adobe/htlengine/blob/56f6733d3b9f1b1535d2ad738e520200ed5f9e90/src/runtime/xss_api.js#L301

https://github.com/adobe/htlengine/blob/56f6733d3b9f1b1535d2ad738e520200ed5f9e90/src/runtime/xss_api.js#L315

maybe we can remove lodash to reduce the amount of security warnings popping up for lodash

jantimon avatar Jul 29 '20 12:07 jantimon
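The issue does not say which lodash helpers those four lines call, so the following is an added illustration, not code from the htlengine repository: it assumes the "trivial checks" are type and emptiness guards such as lodash's `isString` and `isEmpty`, and shows native replacements that keep lodash's edge-case behaviour (boxed `String` objects, `Map`/`Set`, `null`), since a guard that quietly becomes stricter or looser when a dependency is dropped is exactly the kind of change an XSS API should not absorb unnoticed. The function names are hypothetical stand-ins.

```javascript
// Added example, not htlengine code. Assumes the lodash usage being replaced
// is trivial type/emptiness guards; names are hypothetical.

// Native replacement for lodash isString. lodash also accepts boxed String
// objects (new String('x')); a bare typeof check would reject them, so the
// replacement keeps that behaviour to avoid silently changing validation.
function isString(value) {
  return typeof value === 'string'
    || (value !== null && typeof value === 'object'
        && Object.prototype.toString.call(value) === '[object String]');
}

// Native replacement for lodash isEmpty covering the inputs a sanitizer
// typically sees: null/undefined, strings, arrays, Map/Set and plain objects.
function isEmpty(value) {
  if (value == null) return true;                       // null or undefined
  if (typeof value === 'string' || Array.isArray(value)) return value.length === 0;
  if (value instanceof Map || value instanceof Set) return value.size === 0;
  if (typeof value === 'object') return Object.keys(value).length === 0;
  return true;                                          // numbers, booleans: lodash treats these as empty
}

// Guard placed in front of an encoder: only a non-empty string (primitive or
// boxed) passes, and it is normalised to a primitive so the encoder never
// receives an object, array or number. Returns null for anything else.
function requireNonEmptyString(value) {
  return isString(value) && !isEmpty(value) ? String(value) : null;
}
```

The point of the explicit `[object String]` branch is that `typeof new String('x')` is `'object'`; dropping it would make previously accepted values start failing the guard (a visible regression), while an over-permissive rewrite would be the quieter and more dangerous direction.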

I did some further research and saw that we could probably also remove the xss code with the https://www.npmjs.com/package/dompurify npm package

This would also remove the following sub dependencies:

  • parse5 & xregexp & sanitizer & node-esapi

In sum that would save 50% of the runtime code (highlighted in blue in the attached screenshot: savings)

jantimon avatar Jul 31 '20 07:07 jantimon