ember-dompurify
Advanced tools
Readme
A wrapper around DOMPurify.
DOMPurify sanitizes HTML and prevents XSS attacks. You can feed DOMPurify with string full of dirty HTML and it will return a string with clean HTML. DOMPurify will strip out everything that contains dangerous HTML and thereby prevent XSS attacks and other nastiness. It's also damn bloody fast. We use the technologies the browser provides and turn them into an XSS filter. The faster your browser, the faster DOMPurify will be.
ember i ember-dompurify
{{dom-purify '<img src="x" onerror=alert(1)>'}}
Returns an Ember.String.htmlSafe object:
<img src="x">
DOMPurify exposes a number of useful hooks. These hooks can be leveraged to initiate transforms on the HTML you are sanitizing, such as always inserting target="_blank" on all HTMLAnchorElement elements.
// app/dompurify-hooks/target-blank.js (built-in but an example of the public API)
import { Hook } from 'ember-dompurify';
export default class TargetBlankHook extends Hook {
afterSanitizeAttributes(node) {
if (node instanceof HTMLAnchorElement) {
node.setAttribute('target', '_blank');
node.setAttribute('rel', 'noopener');
}
}
}
{{dom-purify '<a src="https://google.com">Link</a>' hook='target-blank'}}
Result:
<a src="https://google.com" target="_blank" rel="noopener">Link</a>
Note: Multiple hooks can be provided as a string separated by spaces - i.e, {{dom-purify '<a src="https://google.com">Link</a>' hook='hook-one hook-two}})
These are commonly used and bundled with ember-dompurify. If you have other hooks you would like to add, please submit a PR or open an issue for a proposal.
#### target-blank
```hbs
{{dom-purify '<a src="https://google.com">Link</a>' hook='target-blank'}}
Result:
<a src="https://google.com" target="_blank" rel="noopener">Link</a>
import createDOMPurify from 'ember-dompurify';
const dompurify = createDOMPurify(window);
dompurify.sanitize('<img src="x" onerror=alert(1)/>'); // -> type: String, result: `<img src="x">`
All DOMPurify options are supported, DOMPurify options.
Example:
{{dom-purify model.notes keep-content=true}}
git clone <repository-url>cd ember-dompurifynpm installnpm run lint:jsnpm run lint:js -- --fixember test – Runs the test suite on the current Ember versionember test --server – Runs the test suite in "watch mode"npm test – Runs ember try:each to test your addon against multiple Ember versionsember serveFor more information on using ember-cli, visit https://ember-cli.com/.
This project is licensed under the MIT License
FAQs
An Ember addon that wraps DOMPurify.
The npm package ember-dompurify receives a total of 130 weekly downloads. As such, ember-dompurify popularity was classified as not popular.
We found that ember-dompurify demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.
Company News
Come meet the Socket team at BSidesSF and RSA! We're sponsoring several fun networking events and we would love to see you there.