@braintree/sanitize-url
Advanced tools
Package description
The @braintree/sanitize-url npm package is designed to help developers ensure that URLs are safe for use within their applications. It provides functionality to sanitize URLs, removing potentially malicious or harmful content. This can be particularly useful in preventing XSS (Cross-Site Scripting) attacks by ensuring that only safe and valid URLs are allowed.
Sanitize URLs
This feature allows you to sanitize a URL, ensuring it is safe to use. If the URL contains potentially harmful JavaScript or other malicious content, it is replaced with 'about:blank', indicating that the original URL was not safe. This is particularly useful for preventing XSS attacks.
"use strict";
const sanitizeUrl = require('@braintree/sanitize-url').sanitizeUrl;
let safeUrl = sanitizeUrl('javascript:alert(document.cookie)');
console.log(safeUrl); // 'about:blank'
safeUrl = sanitizeUrl('https://www.example.com');
console.log(safeUrl); // 'https://www.example.com'While primarily focused on sanitizing HTML input to prevent XSS attacks, sanitize-html can also be used to sanitize URLs within HTML content. It offers a broader range of sanitization features compared to @braintree/sanitize-url, which is specifically focused on URLs.
DOMPurify is another library that can sanitize HTML and prevent XSS attacks. It can be used to sanitize URLs within the context of HTML content. DOMPurify provides a wide range of options for customization and is more focused on HTML content sanitization, whereas @braintree/sanitize-url is specifically tailored for URL sanitization.
xss-filters is a library designed to prevent XSS attacks through various filtering mechanisms, including URL filtering. It offers a suite of secure and context-aware escaping functions. Compared to @braintree/sanitize-url, xss-filters provides a broader approach to XSS prevention, including but not limited to URL sanitization.
Changelog
6.0.0
Breaking Changes
// decodes to javacript:alert('XSS')
const vulnerableUrl =
"javascript:alert('XSS')";
sanitizeUrl(vulnerableUrl); // 'about:blank'
const okUrl = "https://example.com/" + vulnerableUrl;
// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');
Readme
npm install -S @braintree/sanitize-url
var sanitizeUrl = require("@braintree/sanitize-url").sanitizeUrl;
sanitizeUrl("https://example.com"); // 'https://example.com'
sanitizeUrl("http://example.com"); // 'http://example.com'
sanitizeUrl("www.example.com"); // 'www.example.com'
sanitizeUrl("mailto:hello@example.com"); // 'mailto:hello@example.com'
sanitizeUrl(
"https://example.com"
); // https://example.com
sanitizeUrl("javascript:alert(document.domain)"); // 'about:blank'
sanitizeUrl("jAvasCrIPT:alert(document.domain)"); // 'about:blank'
sanitizeUrl(decodeURIComponent("JaVaScRiP%0at:alert(document.domain)")); // 'about:blank'
// HTML encoded javascript:alert('XSS')
sanitizeUrl(
"javascript:alert('XSS')"
); // 'about:blank'
FAQs
A url sanitizer
The npm package @braintree/sanitize-url receives a total of 1,075,627 weekly downloads. As such, @braintree/sanitize-url popularity was classified as popular.
We found that @braintree/sanitize-url demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A hospital in Mobile, Alabama, agreed to a settlement in a landmark ransomware death lawsuit, but is now reportedly reconsidering the agreement and refusing to pay.
Security News
A new report explores how advancements in LLMs are enhancing cyber threats, including polymorphic malware, personalized spearphishing, and the risk of hijacking customer service bots.
Security News
ESLint has approved an RFC that adds support for TypeScript configuration files, which is aimed at improving the developer experience and recognizing changes in the evolving JavaScript ecosystem.