org.webjars.npm:html-minifier-terser
HTMLMinifier is a highly configurable, well-tested, JavaScript-based HTML minifier.
From NPM for use as a command line app:
npm install html-minifier-terser -g
From NPM for programmatic use:
npm install html-minifier-terser
Note that almost all options are disabled by default. Experiment and find what works best for you and your project.
For command line usage please see html-minifier-terser --help for a list of available options.
Sample command line:
html-minifier-terser --collapse-whitespace --remove-comments --minify-js true
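```js
const { minify } = require('html-minifier-terser');

// minify() returns a Promise, so await it inside an async function
// (top-level await is not available in CommonJS modules).
(async () => {
  const result = await minify('<p title="blah" id="moo">foo</p>', {
    removeAttributeQuotes: true,
  });
  console.log(result); // '<p title=blah id=moo>foo</p>'
})();
```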
See corresponding blog post for all the gory details of how it works, description of each option, testing results and conclusions.
Also see corresponding Ruby wrapper, and for Node.js, Grunt plugin, Gulp plugin, Koa middleware wrapper and Express middleware wrapper.
For lint-like capabilities take a look at HTMLLint.
How does HTMLMinifier compare to other solutions — HTML Minifier from Will Peavy (1st result in Google search for "html minifier") as well as htmlcompressor.com and minimize?
Site | Original size (KB) | HTMLMinifier | minimize | Will Peavy | htmlcompressor.com |
---|---|---|---|---|---|
|  | 52 | 48 | 52 | 54 | n/a |
Stack Overflow | 177 | 143 | 154 | 154 | n/a |
HTMLMinifier | 252 | 171 | 230 | 250 | n/a |
Bootstrap CSS | 271 | 260 | 269 | 229 | n/a |
BBC | 355 | 324 | 353 | 344 | n/a |
Amazon | 466 | 430 | 456 | 474 | n/a |
|  | 469 | 394 | 462 | 513 | n/a |
Wikipedia | 703 | 569 | 682 | 708 | n/a |
Eloquent Javascript | 870 | 815 | 840 | 864 | n/a |
NBC | 1701 | 1566 | 1689 | 1705 | n/a |
New York Times | 1731 | 1583 | 1726 | 1680 | n/a |
ES draft | 6296 | 5538 | 5733 | n/a | n/a |
Most of the options are disabled by default.
Option | Description | Default |
---|---|---|
caseSensitive | Treat attributes in case sensitive manner (useful for custom HTML tags) | false |
collapseBooleanAttributes | Omit attribute values from boolean attributes | false |
collapseInlineTagWhitespace | Don't leave any spaces between display:inline; elements when collapsing. Must be used in conjunction with collapseWhitespace=true | false |
collapseWhitespace | Collapse white space that contributes to text nodes in a document tree | false |
conservativeCollapse | Always collapse to 1 space (never remove it entirely). Must be used in conjunction with collapseWhitespace=true | false |
continueOnParseError | Handle parse errors instead of aborting. | false |
customAttrAssign | Arrays of regex'es that allow to support custom attribute assign expressions (e.g. '<div flex?="{{mode != cover}}"></div>' ) | [ ] |
customAttrCollapse | Regex that specifies custom attribute to strip newlines from (e.g. /ng-class/ ) | |
customAttrSurround | Arrays of regex'es that allow to support custom attribute surround expressions (e.g. <input {{#if value}}checked="checked"{{/if}}> ) | [ ] |
customEventAttributes | Arrays of regex'es that allow to support custom event attributes for minifyJS (e.g. ng-click ) | [ /^on[a-z]{3,}$/ ] |
decodeEntities | Use direct Unicode characters whenever possible | false |
html5 | Parse input according to HTML5 specifications | true |
ignoreCustomComments | Array of regex'es that allow to ignore certain comments, when matched | [ /^!/, /^\s*#/ ] |
ignoreCustomFragments | Array of regex'es that allow to ignore certain fragments, when matched (e.g. <?php ... ?> , {{ ... }} , etc.) | [ /<%[\s\S]*?%>/, /<\?[\s\S]*?\?>/ ] |
includeAutoGeneratedTags | Insert tags generated by HTML parser | true |
keepClosingSlash | Keep the trailing slash on singleton elements | false |
maxLineLength | Specify a maximum line length. Compressed output will be split by newlines at valid HTML split-points | |
minifyCSS | Minify CSS in style elements and style attributes (uses clean-css) | false (could be true , Object , Function(text, type) ) |
minifyJS | Minify JavaScript in script elements and event attributes (uses Terser) | false (could be true , Object , Function(text, inline) ) |
minifyURLs | Minify URLs in various attributes (uses relateurl) | false (could be String , Object , Function(text) ) |
noNewlinesBeforeTagClose | Never add a newline before a tag that closes an element | false |
preserveLineBreaks | Always collapse to 1 line break (never remove it entirely) when whitespace between tags include a line break. Must be used in conjunction with collapseWhitespace=true | false |
preventAttributesEscaping | Prevents the escaping of the values of attributes | false |
processConditionalComments | Process contents of conditional comments through minifier | false |
processScripts | Array of strings corresponding to types of script elements to process through minifier (e.g. text/ng-template , text/x-handlebars-template , etc.) | [ ] |
quoteCharacter | Type of quote to use for attribute values (' or ") | |
removeAttributeQuotes | Remove quotes around attributes when possible | false |
removeComments | Strip HTML comments | false |
removeEmptyAttributes | Remove all attributes with whitespace-only values | false (could be true , Function(attrName, tag) ) |
removeEmptyElements | Remove all elements with empty contents | false |
removeOptionalTags | Remove optional tags | false |
removeRedundantAttributes | Remove attributes when value matches default. | false |
removeScriptTypeAttributes | Remove type="text/javascript" from script tags. Other type attribute values are left intact | false |
removeStyleLinkTypeAttributes | Remove type="text/css" from style and link tags. Other type attribute values are left intact | false |
removeTagWhitespace | Remove space between attributes whenever possible. Note that this will result in invalid HTML! | false |
sortAttributes | Sort attributes by frequency | false |
sortClassName | Sort style classes by frequency | false |
trimCustomFragments | Trim white space around ignoreCustomFragments . | false |
useShortDoctype | Replaces the doctype with the short (HTML5) doctype | false |
Minifier options like sortAttributes and sortClassName won't impact the plain-text size of the output. However, they form long repetitive chains of characters that should improve compression ratio of gzip used in HTTP compression.
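The effect described above can be measured directly. The following is an added example, not code from the html-minifier-terser project: it builds a constructed page whose elements list the same classes in varying order, then compares plain and gzip sizes against a copy with one fixed class order. The fixed alphabetical order is an assumption standing in for the library's frequency-based sort, and `compareSizes` and the other helper names are hypothetical.

```javascript
const zlib = require('zlib');

// Constructed sample data: each element carries the same five classes.
const CLASSES = ['btn', 'btn-primary', 'active', 'rounded', 'shadow'];

// Deterministic pseudo-random generator (LCG) so every run gives the same page.
function lcg(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 2 ** 32;
  };
}

// Fisher-Yates shuffle driven by the generator above.
function shuffle(list, rand) {
  const a = list.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Build `count` links; `order` decides how each element lists its classes.
function buildPage(count, order) {
  const rows = [];
  for (let i = 0; i < count; i++) {
    rows.push(`<a class="${order(CLASSES).join(' ')}">x</a>`);
  }
  return rows.join('');
}

function compareSizes(count = 400) {
  const rand = lcg(1);
  const asAuthored = buildPage(count, (c) => shuffle(c, rand));
  // Stand-in for sortClassName: one fixed order for every element.
  const sorted = buildPage(count, (c) => c.slice().sort());
  return {
    plain: [asAuthored.length, sorted.length],
    gzip: [zlib.gzipSync(asAuthored).length, zlib.gzipSync(sorted).length],
  };
}

console.log(compareSizes());
```

The two `plain` values are equal, while the second `gzip` value (fixed order) is smaller than the first.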
If you have chunks of markup you would like preserved, you can wrap them in <!-- htmlmin:ignore --> comments.
You can minify script tags with JSON-LD by setting the option { processScripts: ['application/ld+json'] }. Note that this minification is very rudimentary; it is mainly useful for removing newlines and excessive whitespace.
SVG tags are automatically recognized, and when they are minified, both case-sensitivity and closing-slashes are preserved, regardless of the minification settings used for the rest of the file.
HTMLMinifier can't work with invalid or partial chunks of markup. This is because it parses markup into a tree structure, then modifies it (removing anything that was specified for removal, ignoring anything that was specified to be ignored, etc.), then it creates a markup out of that tree and returns it.
Input markup (e.g. <p id="">foo)
↓
Internal representation of markup in a form of tree (e.g. { tag: "p", attr: "id", children: ["foo"] })
↓
Transformation of internal representation (e.g. removal of id attribute)
↓
Output of resulting markup (e.g. <p>foo</p>)
HTMLMinifier can't know that original markup was only half of the tree; it does its best to try to parse it as a full tree and it loses information about tree being malformed or partial in the beginning. As a result, it can't create a partial/malformed tree at the time of the output.
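The parse, transform and output steps above can be followed end to end in a toy pipeline. This is an added example and not html-minifier-terser's parser: it handles only a tiny HTML subset, and every function name in it is hypothetical. It shows that the partial input `<p id="">foo` and the complete input `<p id="">foo</p>` produce the same tree and therefore the same output.

```javascript
// Added illustration, not html-minifier-terser's parser; all names are hypothetical.
// Handles a tiny HTML subset: elements, double-quoted attributes and text.
function parse(html) {
  const root = { tag: '#root', attrs: [], children: [] };
  const stack = [root];
  const token = /<\/([a-z0-9]+)>|<([a-z0-9]+)((?:\s+[a-z-]+(?:="[^"]*")?)*)\s*>|([^<]+)/gi;
  let m;
  while ((m = token.exec(html)) !== null) {
    const top = stack[stack.length - 1];
    if (m[1]) {
      // Closing tag: pop back to the matching open element, if there is one.
      const i = stack.map((n) => n.tag).lastIndexOf(m[1].toLowerCase());
      if (i > 0) stack.length = i;
    } else if (m[2]) {
      // Opening tag: the new node becomes the current parent.
      const attrs = [...m[3].matchAll(/([a-z-]+)(?:="([^"]*)")?/gi)]
        .map((a) => ({ name: a[1], value: a[2] }));
      const node = { tag: m[2].toLowerCase(), attrs, children: [] };
      top.children.push(node);
      stack.push(node);
    } else {
      top.children.push(m[4]); // text node
    }
  }
  return root; // the tree does not record whether a tag was ever closed
}

// Transformation step: drop attributes whose value is empty or whitespace-only.
function removeEmptyAttributes(node) {
  node.attrs = node.attrs.filter((a) => a.value === undefined || a.value.trim() !== '');
  for (const c of node.children) if (typeof c === 'object') removeEmptyAttributes(c);
  return node;
}

// Output step: every element in the tree is written with its closing tag.
function serialize(node) {
  const inner = node.children.map((c) => (typeof c === 'string' ? c : serialize(c))).join('');
  if (node.tag === '#root') return inner;
  const attrs = node.attrs
    .map((a) => (a.value === undefined ? ` ${a.name}` : ` ${a.name}="${a.value}"`)).join('');
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

function toyMinify(html) {
  return serialize(removeEmptyAttributes(parse(html)));
}

console.log(toyMinify('<p id="">foo'));     // partial input
console.log(toyMinify('<p id="">foo</p>')); // complete input, same output
```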
Benchmarks for minified HTML:
cd benchmarks
npm install
npm run benchmark
npm run serve
FAQs
WebJar for html-minifier-terser
We found that org.webjars.npm:html-minifier-terser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.