Skip to content

Releases: Cascades-CSS/CSS-to-HTML

Version 0.8.4

Version 0.8.4 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 23 Sep 10:19

Version 0.8.3

Version 0.8.3 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 04 Apr 23:38
  • Updates various dependencies (a6e7b22)

Version 0.8.2

Version 0.8.2 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 26 Feb 20:06

Version 0.8.1

Version 0.8.1 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 05 Dec 19:02

Version 0.8.0

Version 0.8.0 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 28 Sep 03:47

Static Script

CSS-to-HTML can now be used as a static script.
To do so, download css-to-html.js from the assets section below. Then include the script in your site:

<script src="path/to/css-to-html.js"></script>

<script>
const css = 'p { color: purple; }';

cssToHtml(css).then(html => {
    console.log(html);
});
</script>

Make sure to check the releases page frequently for updates.

Version 0.7.1

Version 0.7.1 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 25 Sep 20:54

Version 0.7.0

Version 0.7.0 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 09 Sep 20:03

Nested Selectors

The CSS nesting module and the nesting selector are now supported. For example, the following CSS:

main {
    display: flex;

    & section {
        content: 'A';
    }

    .message:is(.warning) {
        color: orange;
    }
}

Will now produce:

<body>
    <main>
        <section>A</section>
    </main>
</body>

Version 0.6.2

Version 0.6.2 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 20 May 19:41

Updates DOMPurify dependency to 3.1.4, bringing with it support for Popover API attributes.

Version 0.6.1

Version 0.6.1 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 15 May 21:12

Fixes a bug that allowed certain element attributes to run external scripts before the element was actually added to the DOM.

Important

If you were already relying on the sanitization options provided in v0.6.0 it is recommended that you update to v0.6.1 immediately.

Version 0.6.0

Version 0.6.0 Pre-release
Pre-release

Choose a tag to compare

@Gigabyte5671 Gigabyte5671 released this 14 May 10:02

Sanitization

Generated HTML output is now sanitized by default. This should lower the risk of any XSS vulnerabilities arising from use with user generated or copy-pasted CSS. For example, the following CSS:

img[onload="console.log('foo')"] {
    content: 'malicious.png';
}

script {
    content: 'fetch("http://malicious.com/").then(() => alert(1));';
}

When un-sanitized will produce:

<body>
    <img src="malicious.png" onload="console.log('foo')">
    <script>
        fetch("http://malicious.com/").then(() => alert(1));
    </script>
</body>

But when sanitized will instead produce:

<body>
    <img src="malicious.png">
    <script></script>
</body>

Options

If you're using CSS-to-HTML as part of a framework or build process, elements like this may actually be desired. For cases like this, a new option has been added to configure the sanitization behaviour:

Option Values Description
sanitize all * Sanitize the generated HTML using DOMPurify.
imports Only sanitize the HTML generated from imported stylesheets.
off Don't sanitize the generated HTML.

Breaking Changes

Important

Because sanitization is enabled by default, certain CSS inputs may produce different HTML outputs than before.
It is recommended to double-check your use case before updating.