builds its result with . treats sequences in the replacement string specially, and is a valid pathname character. So a pathname containing followed by , , backtick or a quote gets corrupted when a trailing slash is added or removed. For example, with :
/docs/a$$b becomes /docs/a$b/
/docs/a$&b becomes /docs/a/docs/a$&bb/
runs on real user-facing links through `trailingSlashnewPathnamenewPathname + path.slice(pathname.length)pathnamepath.split(/[#?]/)[0]$$`. This change was prepared with AI assistance, disclosed per the contributing guide.
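To make the replacement-pattern corruption concrete, here is an added example (not Docusaurus's own source): a simplified trailing-slash helper whose buggy variant builds its result with `String.prototype.replace`, beside the concatenation form the PR mentions (`newPathname + path.slice(pathname.length)`). The function names and the exact shape of the pre-fix code are assumptions; the inputs are the ones quoted in the PR.

```javascript
// Added example, not the project's own code. Simplified trailing-slash logic:
// JS String.prototype.replace treats `$$`, `$&`, "$`", `$'` and `$n` in a
// replacement *string* specially, so a pathname containing `$` followed by
// one of those characters is corrupted when it is fed back as the replacement.

function addTrailingSlash(str) {
  return str.endsWith('/') ? str : `${str}/`;
}

function removeTrailingSlash(str) {
  return str.endsWith('/') ? str.slice(0, -1) : str;
}

// Operate only on the pathname; keep any `?query` / `#hash` suffix intact.
function splitPathname(path) {
  const pathname = path.split(/[#?]/)[0];
  return { pathname, suffix: path.slice(pathname.length) };
}

// BUGGY (assumed pre-fix shape): the new pathname is passed as a replacement
// string, so `$$` collapses to `$` and `$&` re-inserts the matched pathname.
function applyTrailingSlashBuggy(path, trailingSlash) {
  const { pathname } = splitPathname(path);
  const newPathname = trailingSlash
    ? addTrailingSlash(pathname)
    : removeTrailingSlash(pathname);
  return path.replace(pathname, newPathname);
}

// FIXED (the approach the PR describes): concatenate instead of replace, so the
// pathname is copied verbatim and only the `?`/`#` suffix is re-attached.
function applyTrailingSlashFixed(path, trailingSlash) {
  const { pathname, suffix } = splitPathname(path);
  const newPathname = trailingSlash
    ? addTrailingSlash(pathname)
    : removeTrailingSlash(pathname);
  return newPathname + suffix;
}

// Constructed inputs from the PR description; returns [input, buggy, fixed].
function demo() {
  return ['/docs/a$$b', '/docs/a$&b', '/docs/a$&b/?q=1'].map((p) => [
    p,
    applyTrailingSlashBuggy(p, true),
    applyTrailingSlashFixed(p, true),
  ]);
}
```

Regular pathnames produce the same result in both variants; only paths carrying `$`-sequences diverge, which is why the defect survived on normal links.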
Description
The function in uses to display a value derived from : While the practical exploitability is low (browsers percent-encode in ), this pattern causes every Docusaurus project to be flagged by automated security scanners (SAST/DAST) as a DOM-based XSS vulnerability — user-controlled input flowing into a dangerous DOM sink without sanitization.
CWE: CWE-79 — Improper Neutralization of Input During Web Page Generation (Cross-site Scripting), DOM-based variant
Impact
Downstream scanner noise: Tools like Snyk, SonarQube, Semgrep, CodeQL, and AWS ACAT flag this in the generated build output of every Docusaurus site with (the default). This creates security tickets across thousands of organizations.
Defense-in-depth: Even though browsers currently percent-encode in URLs, relying on browser encoding behavior for XSS prevention is not a recognized secure coding practice. Future browser changes, non-standard URL handling, or server-side URL rewriting could alter this assumption.
Semantic correctness: is always a URL path string (e.g., ). Displaying text via is a code smell — is the semantically correct API.
Reproduction
1. Build any Docusaurus site (e.g., )
2. Run a SAST scanner against the generated output
3. Scanner identifies assignment of as DOM-based XSS (CWE-79)
Suggested Fix
One-line change — replace with : This renders identically (the value is always a plain path string) with zero functional side effects.
Note: The assignment on line 57 should remain unchanged — is a trusted HTML template generated at build time containing DOM elements (`main`)
Affects all versions since the feature was introduced (PR #3621)
Motivation Fixes #12214. builds the auto / by scanning a doc line by line. It strips HTML/JSX with , which only matches a tag that opens and closes on the same line. When the first content node is a multi-line JSX/MDX element, only its first line is seen (e.g. `inHTMLinImportinCode>creates excerpt after a multi-line JSX elementmarkdownUtils.test.ts<MyComponentdocusaurus-utils` unit tests.
Summary
Fixes #8061. This adds a option to , allowing projects to keep generated versioned docs and sidebars outside the site directory. By default, nothing changes: versioned docs are still written to the site directory under and .
Motivation
Some projects keep their docs content outside the Docusaurus site root, but always writes generated version folders back into the site directory. This makes monorepo and multi-docs setups harder to organize. With , the docs plugin can write: under a configured directory instead.
Changes
- Adds to the docs plugin options and TypeScript types.
- Updates version metadata path resolution to read versioned docs/sidebars from the configured path.
- Updates the CLI flow to write generated docs/sidebars to that path.
- Documents the new option in the plugin API docs and versioning guide.
- Adds regression coverage for the new path helpers and CLI behavior.
Related issue
Fixes #8061.
Test plan
AI-assisted.
Repository: facebook/docusaurus. Description: Easy to maintain open source documentation websites. Stars: 65481, Forks: 9950. Primary language: TypeScript. Languages: TypeScript (95.9%), JavaScript (2%), CSS (1.8%), XSLT (0.2%), AppleScript (0.1%). License: MIT. Homepage: https://docusaurus.io Topics: documentation, hacktoberfest, javascript, open-source, react, website. Latest release: v3.10.1 (2mo ago). Open PRs: 91, open issues: 290. Last activity: 5d ago. Community health: 87%. Top contributors: slorber, lex111, endiliey, Josh-Cena, yangshun, dependabot[bot], JoelMarcey, deltice, ericnakagawa, SamChou19815 and others.