Skip to content

v7.3.0

Latest

Choose a tag to compare

@github-actions github-actions released this 12 Jul 21:09

v7.3.0: 📚 EPUB Support, an Extended Markdown Dialect & Security Hardening

I am thrilled to announce the release of officeParser v7.3.0! This release adds EPUB as a
first-class parsed and generated format, brings the Markdown/HTML pipeline up to parity with
the rest of the ecosystem (task lists, admonitions, footnotes, citations, wikilinks, and more),
and closes out a full security-hardening pass across the engine.

Warning

Behavior change: standalone: false
HtmlGeneratorConfig.standalone (plain boolean false) now emits a genuinely bare HTML
fragment — no <style>, no <script> — instead of the old global, unscoped stylesheet that
would leak onto whatever page you embedded it in. If you relied on that stylesheet, use
standalone: { document: false } instead, which reproduces the old output byte-for-byte.


🌟 Key Pillars of the v7.3.0 Update

1. EPUB Support (Parser & Generator)

epub is now a first-class format on both sides.

  • Parsing: EpubParser unzips the archive, resolves the spine's reading order, and parses
    each XHTML document through the existing HtmlParser — so EPUB content gets the same AST
    shape (and the same Markdown-dialect fidelity below) as every other format. Dublin Core
    metadata (title, author, description, language, etc.) maps straight into ast.metadata.
  • Generating: EpubGenerator produces a valid, strict-XHTML EPUB 3 archive, with images
    packaged as real zip entries (not data: URIs, which most e-readers won't render).
  • ⚠️ Pass extractAttachments: true when converting to/from EPUB if the document has images —
    OfficeConverter.convert() already does this for you.

2. A Much Richer Markdown Dialect

The following now round-trip through both the Markdown and HTML pipelines:

  • GFM task lists- [x] Done / - [ ] Todo
  • Admonitions/alerts — GitHub's > [!NOTE] and GitLab's :::note ... :::
  • Real footnotes[^id] references and definitions (previously faked as blockquotes)
  • Definition lists & abbreviations — Markdown Extra style
  • Pandoc attribute lists{width=50% .centered} on images and tables
  • Citations[@citekey]
  • Wikilinks — Obsidian-style [[Page]] / [[Page|Alias]]
  • Math — inline $...$ and block $$...$$ LaTeX now tokenise instead of passing through as
    plain text
  • MDX import stripping — JSX tags are stripped on import (parse-only; never authored back out)
  • Frontmatter arraystags: [a, b] now parses to a real array, not a literal string

Plus long-standing HTML round-trip gaps closed: image size/alignment, table alignment, merged
cells (colspan/rowspan), and YouTube embeds all now survive a save → reload cycle instead of
being write-only.

3. Granular HTML Envelope Control

HtmlGeneratorConfig.standalone now accepts an object, not just a boolean:

htmlConfig: {
  standalone: {
    document: false,      // drop the <html>/<head>/<body> shell
    styles: 'scoped',     // new: CSS wrapped in @scope so it can't leak onto a host page
    // metaTags, scripts, headInjections, bodyInjections all independently toggleable
  }
}

Every field defaults to its "on" (fully-standalone) value when omitted, so { document: false }
alone gives you a fully-styled fragment with just the outer shell removed. See the breaking-change
note above for what moved.

4. Security Hardening

A pass across the whole engine treating every parsed document as untrusted input:

  • Centralized output sanitization (src/utils/sanitize.ts) — every generator now escapes
    document-derived text per destination context: HTML/XML attributes, inline CSS (blocks
    url()/expression()/javascript:), URLs (rejects script-executing schemes), inline <script>
    payloads, CSV cells (formula/DDE injection), RTF control words, and Markdown text/URLs.
  • Zip bomb protection — decompression now caps against actual inflated bytes as they stream
    in, not the ZIP header's (attacker-controlled) declared size.
  • DoS hardening — removed an O(n²) hot path in HTML parsing, capped recursion depth on
    malicious element nesting, and capped the MDX-unwrap loop's iteration count.
  • SSRF hardening — PDF generation now blocks the rendering browser from fetching any remote
    resource that isn't an inline image or the configured chart CDN.
  • PDF parsing hardening — disabled pdf.js's eval-based fast path for untrusted PDFs.

All covered by a new dedicated security regression suite (npm run test:security).


🔧 Also in This Release

  • Fixed: Standalone bookmark-anchor blocks and table cells using the alignment-div fallback
    now survive a Markdown save → reload cycle instead of degrading into escaped literal text.
  • Testing: A new exhaustive fixture suite (npm run test:exhaustive) covering every AST
    construct per format, run as part of the standard test gate alongside the existing
    baseline/parity suites.
  • Docs: README and SECURITY.md now spell out officeParser's security posture plainly — I
    actively harden the library against malicious input (see above), but as with any software, no
    guarantee of being lapse-free is possible, and responsibility for a compromised input file's
    downstream impact ultimately rests with the consumer of the library. See the new
    Security & Trust Boundary
    section in the README.

🛠 Getting Started

npm install officeparser@7.3.0

🔗 Full Changelog: View v7.3.0 details
🔗 Documentation & Visualizer: officeparser.harshankur.com