v7.3.0: 📚 EPUB Support, an Extended Markdown Dialect & Security Hardening
I am thrilled to announce the release of officeParser v7.3.0! This release adds EPUB as a
first-class parsed and generated format, brings the Markdown/HTML pipeline up to parity with
the rest of the ecosystem (task lists, admonitions, footnotes, citations, wikilinks, and more),
and closes out a full security-hardening pass across the engine.
Warning
Behavior change: standalone: false
HtmlGeneratorConfig.standalone (plain boolean false) now emits a genuinely bare HTML
fragment — no <style>, no <script> — instead of the old global, unscoped stylesheet that
would leak onto whatever page you embedded it in. If you relied on that stylesheet, use
standalone: { document: false } instead, which reproduces the old output byte-for-byte.
🌟 Key Pillars of the v7.3.0 Update
1. EPUB Support (Parser & Generator)
epub is now a first-class format on both sides.
- Parsing:
EpubParserunzips the archive, resolves the spine's reading order, and parses
each XHTML document through the existingHtmlParser— so EPUB content gets the same AST
shape (and the same Markdown-dialect fidelity below) as every other format. Dublin Core
metadata (title, author, description, language, etc.) maps straight intoast.metadata. - Generating:
EpubGeneratorproduces a valid, strict-XHTML EPUB 3 archive, with images
packaged as real zip entries (notdata:URIs, which most e-readers won't render). ⚠️ PassextractAttachments: truewhen converting to/from EPUB if the document has images —
OfficeConverter.convert()already does this for you.
2. A Much Richer Markdown Dialect
The following now round-trip through both the Markdown and HTML pipelines:
- GFM task lists —
- [x] Done/- [ ] Todo - Admonitions/alerts — GitHub's
> [!NOTE]and GitLab's:::note ... ::: - Real footnotes —
[^id]references and definitions (previously faked as blockquotes) - Definition lists & abbreviations — Markdown Extra style
- Pandoc attribute lists —
{width=50% .centered}on images and tables - Citations —
[@citekey] - Wikilinks — Obsidian-style
[[Page]]/[[Page|Alias]] - Math — inline
$...$and block$$...$$LaTeX now tokenise instead of passing through as
plain text - MDX import stripping — JSX tags are stripped on import (parse-only; never authored back out)
- Frontmatter arrays —
tags: [a, b]now parses to a real array, not a literal string
Plus long-standing HTML round-trip gaps closed: image size/alignment, table alignment, merged
cells (colspan/rowspan), and YouTube embeds all now survive a save → reload cycle instead of
being write-only.
3. Granular HTML Envelope Control
HtmlGeneratorConfig.standalone now accepts an object, not just a boolean:
htmlConfig: {
standalone: {
document: false, // drop the <html>/<head>/<body> shell
styles: 'scoped', // new: CSS wrapped in @scope so it can't leak onto a host page
// metaTags, scripts, headInjections, bodyInjections all independently toggleable
}
}Every field defaults to its "on" (fully-standalone) value when omitted, so { document: false }
alone gives you a fully-styled fragment with just the outer shell removed. See the breaking-change
note above for what moved.
4. Security Hardening
A pass across the whole engine treating every parsed document as untrusted input:
- Centralized output sanitization (
src/utils/sanitize.ts) — every generator now escapes
document-derived text per destination context: HTML/XML attributes, inline CSS (blocks
url()/expression()/javascript:), URLs (rejects script-executing schemes), inline<script>
payloads, CSV cells (formula/DDE injection), RTF control words, and Markdown text/URLs. - Zip bomb protection — decompression now caps against actual inflated bytes as they stream
in, not the ZIP header's (attacker-controlled) declared size. - DoS hardening — removed an O(n²) hot path in HTML parsing, capped recursion depth on
malicious element nesting, and capped the MDX-unwrap loop's iteration count. - SSRF hardening — PDF generation now blocks the rendering browser from fetching any remote
resource that isn't an inline image or the configured chart CDN. - PDF parsing hardening — disabled pdf.js's
eval-based fast path for untrusted PDFs.
All covered by a new dedicated security regression suite (npm run test:security).
🔧 Also in This Release
- Fixed: Standalone bookmark-anchor blocks and table cells using the alignment-div fallback
now survive a Markdown save → reload cycle instead of degrading into escaped literal text. - Testing: A new exhaustive fixture suite (
npm run test:exhaustive) covering every AST
construct per format, run as part of the standard test gate alongside the existing
baseline/parity suites. - Docs: README and SECURITY.md now spell out officeParser's security posture plainly — I
actively harden the library against malicious input (see above), but as with any software, no
guarantee of being lapse-free is possible, and responsibility for a compromised input file's
downstream impact ultimately rests with the consumer of the library. See the new
Security & Trust Boundary
section in the README.
🛠 Getting Started
npm install officeparser@7.3.0🔗 Full Changelog: View v7.3.0 details
🔗 Documentation & Visualizer: officeparser.harshankur.com