@barkleapp/css-sanitizer
Advanced tools
A lightweight, configurable CSS sanitizer to prevent XSS attacks by filtering out potentially harmful CSS properties and values.
npm install @barkleapp/css-sanitizer
import { CssSanitizer } from 'css-sanitizer';
const sanitizer = new CssSanitizer();
const unsanitizedCss = `
body {
background: url('https://example.com/image.jpg');
color: red;
}
`;
const sanitizedCss = sanitizer.sanitizeCss(unsanitizedCss);
console.log(sanitizedCss);
You can customize the sanitizer's behavior by passing a configuration object:
const customSanitizer = new CssSanitizer({
maxCssLength: 100000,
allowedProperties: ['custom-property'],
allowedAtRules: ['@custom-media'],
allowedPseudoClasses: [':has'],
validateUrl: (url) => {
// Custom URL validation logic
return url.startsWith('https://');
},
sanitizeUrl: (url) => {
// Custom URL sanitization logic
const allowedDomains = ['example.com', 'trusteddomain.com'];
const parsedUrl = new URL(url);
if (allowedDomains.includes(parsedUrl.hostname)) {
return url;
}
return '';
}
});
CssSanitizerThe main class for sanitizing CSS.
new CssSanitizer(config)
config (optional): An object with the following properties:
maxCssLength (number): Maximum allowed length of CSS string.allowedProperties (Array): Additional CSS properties to allow.allowedAtRules (Array): Additional at-rules to allow.allowedPseudoClasses (Array): Additional pseudo-classes to allow.validateUrl (function): Custom function to validate URLs.sanitizeUrl (function): Custom function to sanitize URLs.sanitizeCss(css: string): stringSanitizes the input CSS string by removing potentially harmful properties and values.
css: The CSS string to sanitize.maxCssLength (default: 65536)Maximum allowed length of the CSS string. If the input CSS exceeds this length, it will be truncated.
allowedProperties (default: see code)A set of allowed CSS properties. You can add to this list by providing an array of additional properties in the constructor.
allowedAtRules (default: ['@media', '@keyframes', '@font-face', '@import'])A set of allowed at-rules. You can add to this list by providing an array of additional at-rules in the constructor.
allowedPseudoClasses (default: [':hover', ':active', ':focus', ':visited', ':first-child', ':last-child', ':nth-child', ':nth-of-type', ':not', ':before', ':after'])A set of allowed pseudo-classes. You can add to this list by providing an array of additional pseudo-classes in the constructor.
validateUrl (function)A function that takes a URL string and returns a boolean indicating whether the URL is valid. By default, it checks if the string can be parsed as a valid URL.
sanitizeUrl (function)A function that takes a URL string and returns either the sanitized URL string or an empty string if the URL is not allowed. By default, it allows URL from 'fonts.googleapis.com'.
MIT
FAQs
A CSS sanitizer to prevent XSS attacks
The npm package @barkleapp/css-sanitizer receives a total of 2,963 weekly downloads. As such, @barkleapp/css-sanitizer popularity was classified as popular.
We found that @barkleapp/css-sanitizer demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
An emerging npm supply chain attack that infects repos, steals CI secrets, and targets developer AI toolchains for further compromise.
Company News
Socket is proud to join the OpenJS Foundation as a Silver Member, deepening our commitment to the long-term health and security of the JavaScript ecosystem.
Security News
npm now links to Socket's security analysis on every package page. Here's what you'll find when you click through.