Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
hast-util-from-html
Advanced tools
hast utility that turns HTML into a syntax tree.
This package is a utility that takes HTML input and turns it into a hast syntax tree.
If you want to handle syntax trees manually, use this.
Use parse5
instead when you just want to parse HTML and don’t care
about hast.
You can also use hast-util-from-parse5
and
parse5
yourself, or use the rehype plugin
rehype-parse
, which wraps this utility to also parse HTML at
a higher-level (easier) abstraction.
xast-util-from-xml
can be used if you are dealing with
XML instead of HTML.
If you might run in a browser and prefer a ligher alternative, while not caring
about positional info, parse errors, and consistency across browsers, use
hast-util-from-html-isomorphic
, which
wraps this in Node and uses browser APIs otherwise.
Finally you can use the utility hast-util-to-html
for
the inverse of this utility.
It turns hast into HTML.
This package is ESM only. In Node.js (version 16+), install with npm:
npm install hast-util-from-html
In Deno with esm.sh
:
import {fromHtml} from 'https://esm.sh/hast-util-from-html@2'
In browsers with esm.sh
:
<script type="module">
import {fromHtml} from 'https://esm.sh/hast-util-from-html@2?bundle'
</script>
import {fromHtml} from 'hast-util-from-html'
const tree = fromHtml('<h1>Hello, world!</h1>', {fragment: true})
console.log(tree)
Yields:
{
type: 'root',
children: [
{
type: 'element',
tagName: 'h1',
properties: {},
children: [Array],
position: [Object]
}
],
data: { quirksMode: false },
position: {
start: { line: 1, column: 1, offset: 0 },
end: { line: 1, column: 23, offset: 22 }
}
}
This package exports the identifier fromHtml
.
There is no default export.
fromHtml(value[, options])
Turn serialized HTML into a hast tree.
value
(Compatible
)
— serialized HTML to parseoptions
(Options
, optional)
— configurationTree (Root
).
ErrorCode
Known names of parse errors (TypeScript type).
type ErrorCode =
| 'abandonedHeadElementChild'
| 'abruptClosingOfEmptyComment'
| 'abruptDoctypePublicIdentifier'
// … see readme on `options[key in ErrorCode]` above.
ErrorSeverity
Error severity (TypeScript type).
export type ErrorSeverity =
// Turn the parse error off:
| 0
| false
// Turn the parse error into a warning:
| 1
| true
// Turn the parse error into an actual error: processing stops.
| 2
OnError
Function called when encountering HTML parse errors.
error
(VFileMessage
)
— messageNothing (void
).
Options
Configuration (TypeScript type).
options.space
Which space the document is in ('html'
or 'svg'
, default: 'html'
).
When an <svg>
element is found in the HTML space, hast-util-from-html
already automatically switches to and from the SVG space when entering and
exiting it.
👉 Note: this is not an XML parser. It supports SVG as embedded in HTML. It does not support the features available in XML. Passing SVG files might break but fragments of modern SVG should be fine. Use
xast-util-from-xml
to parse XML.
👉 Note: make sure to set
fragment: true
ifspace: 'svg'
.
options.verbose
Add extra positional info about attributes, start tags, and end tags
(boolean
, default: false
).
options.fragment
Whether to parse as a fragment (boolean
, default: false
).
The default is to expect a whole document.
In document mode, unopened html
, head
, and body
elements are opened.
options.onerror
Function called when encountering HTML parse errors
(OnError
, optional).
options[key in ErrorCode]
Specific parse errors can be configured by setting their identifiers (see
ErrorCode
) as keys directly in options
to an
ErrorSeverity
as value.
The list of parse errors:
abandonedHeadElementChild
— unexpected metadata element after head (example)abruptClosingOfEmptyComment
— unexpected abruptly closed empty comment (example)abruptDoctypePublicIdentifier
— unexpected abruptly closed public identifier (example)abruptDoctypeSystemIdentifier
— unexpected abruptly closed system identifier (example)absenceOfDigitsInNumericCharacterReference
— unexpected non-digit at start of numeric character reference (example)cdataInHtmlContent
— unexpected CDATA section in HTML (example)characterReferenceOutsideUnicodeRange
— unexpected too big numeric character reference (example)closingOfElementWithOpenChildElements
— unexpected closing tag with open child elements (example)controlCharacterInInputStream
— unexpected control character (example)controlCharacterReference
— unexpected control character reference (example)disallowedContentInNoscriptInHead
— disallowed content inside <noscript>
in <head>
(example)duplicateAttribute
— unexpected duplicate attribute (example)endTagWithAttributes
— unexpected attribute on closing tag (example)endTagWithTrailingSolidus
— unexpected slash at end of closing tag (example)endTagWithoutMatchingOpenElement
— unexpected unopened end tag (example)eofBeforeTagName
— unexpected end of file (example)eofInCdata
— unexpected end of file in CDATA (example)eofInComment
— unexpected end of file in comment (example)eofInDoctype
— unexpected end of file in doctype (example)eofInElementThatCanContainOnlyText
— unexpected end of file in element that can only contain text (example)eofInScriptHtmlCommentLikeText
— unexpected end of file in comment inside script (example)eofInTag
— unexpected end of file in tag (example)incorrectlyClosedComment
— incorrectly closed comment (example)incorrectlyOpenedComment
— incorrectly opened comment (example)invalidCharacterSequenceAfterDoctypeName
— invalid sequence after doctype name (example)invalidFirstCharacterOfTagName
— invalid first character in tag name (example)misplacedDoctype
— misplaced doctype (example)misplacedStartTagForHeadElement
— misplaced <head>
start tag (example)missingAttributeValue
— missing attribute value (example)missingDoctype
— missing doctype before other content (example)missingDoctypeName
— missing doctype name (example)missingDoctypePublicIdentifier
— missing public identifier in doctype (example)missingDoctypeSystemIdentifier
— missing system identifier in doctype (example)missingEndTagName
— missing name in end tag (example)missingQuoteBeforeDoctypePublicIdentifier
— missing quote before public identifier in doctype (example)missingQuoteBeforeDoctypeSystemIdentifier
— missing quote before system identifier in doctype (example)missingSemicolonAfterCharacterReference
— missing semicolon after character reference (example)missingWhitespaceAfterDoctypePublicKeyword
— missing whitespace after public identifier in doctype (example)missingWhitespaceAfterDoctypeSystemKeyword
— missing whitespace after system identifier in doctype (example)missingWhitespaceBeforeDoctypeName
— missing whitespace before doctype name (example)missingWhitespaceBetweenAttributes
— missing whitespace between attributes (example)missingWhitespaceBetweenDoctypePublicAndSystemIdentifiers
— missing whitespace between public and system identifiers in doctype (example)nestedComment
— unexpected nested comment (example)nestedNoscriptInHead
— unexpected nested <noscript>
in <head>
(example)nonConformingDoctype
— unexpected non-conforming doctype declaration (example)nonVoidHtmlElementStartTagWithTrailingSolidus
— unexpected trailing slash on start tag of non-void element (example)noncharacterCharacterReference
— unexpected noncharacter code point referenced by character reference (example)noncharacterInInputStream
— unexpected noncharacter character (example)nullCharacterReference
— unexpected NULL character referenced by character reference (example)openElementsLeftAfterEof
— unexpected end of file (example)surrogateCharacterReference
— unexpected surrogate character referenced by character reference (example)surrogateInInputStream
— unexpected surrogate characterunexpectedCharacterAfterDoctypeSystemIdentifier
— invalid character after system identifier in doctype (example)unexpectedCharacterInAttributeName
— unexpected character in attribute name (example)unexpectedCharacterInUnquotedAttributeValue
— unexpected character in unquoted attribute value (example)unexpectedEqualsSignBeforeAttributeName
— unexpected equals sign before attribute name (example)unexpectedNullCharacter
— unexpected NULL character (example)unexpectedQuestionMarkInsteadOfTagName
— unexpected question mark instead of tag name (example)unexpectedSolidusInTag
— unexpected slash in tag (example)unknownNamedCharacterReference
— unexpected unknown named character reference (example)The following example shows the difference between parsing as a document and parsing as a fragment:
import {fromHtml} from 'hast-util-from-html'
const doc = '<title>Hi!</title><h1>Hello!</h1>'
console.log(fromHtml(doc))
console.log(fromHtml(doc, {fragment: true}))
…yields (positional info and data omitted for brevity):
{
type: 'root',
children: [
{type: 'element', tagName: 'html', properties: {}, children: [Array]}
]
}
{
type: 'root',
children: [
{type: 'element', tagName: 'title', properties: {}, children: [Array]},
{type: 'element', tagName: 'h1', properties: {}, children: [Array]}
]
}
👉 Note: observe that when a whole document is expected (first example), missing elements are opened and closed.
<html>
The following example shows how whitespace is handled when around and directly
inside the <html>
element:
import {fromHtml} from 'hast-util-from-html'
import {inspect} from 'unist-util-inspect'
const doc = `<!doctype html>
<html lang=en>
<head>
<title>Hi!</title>
</head>
<body>
<h1>Hello!</h1>
</body>
</html>`
console.log(inspect(fromHtml(doc)))
…yields:
root[2] (1:1-9:8, 0-119)
│ data: {"quirksMode":false}
├─0 doctype (1:1-1:16, 0-15)
└─1 element<html>[3] (2:1-9:8, 16-119)
│ properties: {"lang":"en"}
├─0 element<head>[3] (3:3-5:10, 33-72)
│ │ properties: {}
│ ├─0 text "\n " (3:9-4:5, 39-44)
│ ├─1 element<title>[1] (4:5-4:23, 44-62)
│ │ │ properties: {}
│ │ └─0 text "Hi!" (4:12-4:15, 51-54)
│ └─2 text "\n " (4:23-5:3, 62-65)
├─1 text "\n " (5:10-6:3, 72-75)
└─2 element<body>[3] (6:3-8:10, 75-111)
│ properties: {}
├─0 text "\n " (6:9-7:5, 81-86)
├─1 element<h1>[1] (7:5-7:20, 86-101)
│ │ properties: {}
│ └─0 text "Hello!" (7:9-7:15, 90-96)
└─2 text "\n \n" (7:20-9:1, 101-112)
👉 Note: observe that the line ending before
<html>
is ignored, the line ending and two spaces before<head>
is moved inside it, and the line ending after</body>
is moved before it.
This behavior is described by the HTML standard (see the section 13.2.6.4.1 “The ‘initial’ insertion mode” and adjacent states) which we follow.
The changes to this meaningless whitespace should not matter, except when
formatting markup, in which case rehype-format
can be used to
improve the source code.
The following example shows how HTML parse errors can be enabled and configured:
import {fromHtml} from 'hast-util-from-html'
const doc = `<!doctypehtml>
<title class="a" class="b">Hello…</title>
<h1/>World!</h1>`
fromHtml(doc, {
onerror: console.log,
missingWhitespaceBeforeDoctypeName: 2, // Mark one as a fatal error.
nonVoidHtmlElementStartTagWithTrailingSolidus: false // Ignore one.
})
…yields:
[1:10-1:10: Missing whitespace before doctype name] {
ancestors: undefined,
cause: undefined,
column: 10,
fatal: true,
line: 1,
place: {
start: { line: 1, column: 10, offset: 9 },
end: { line: 1, column: 10, offset: 9 }
},
reason: 'Missing whitespace before doctype name',
ruleId: 'missing-whitespace-before-doctype-name',
source: 'hast-util-from-html',
note: 'Unexpected `h`. Expected ASCII whitespace instead',
url: 'https://html.spec.whatwg.org/multipage/parsing.html#parse-error-missing-whitespace-before-doctype-name'
}
[2:23-2:23: Unexpected duplicate attribute] {
ancestors: undefined,
cause: undefined,
column: 23,
fatal: false,
line: 2,
place: {
start: { line: 2, column: 23, offset: 37 },
end: { line: 2, column: 23, offset: 37 }
},
reason: 'Unexpected duplicate attribute',
ruleId: 'duplicate-attribute',
source: 'hast-util-from-html',
note: 'Unexpectedly double attribute. Expected attributes to occur only once',
url: 'https://html.spec.whatwg.org/multipage/parsing.html#parse-error-duplicate-attribute'
}
🧑🏫 Info: messages in unified are warnings instead of errors. Other linters (such as ESLint) almost always use errors. Why? Those tools only check code style. They don’t generate, transform, and format code, which is what we focus on, too. Errors in unified mean the same as an exception in your JavaScript code: a crash. That’s why we use warnings instead, because we can continue doing work.
HTML is parsed according to WHATWG HTML (the living standard), which is also followed by browsers such as Chrome and Firefox.
This package is fully typed with TypeScript.
It exports the additional types
ErrorCode
, ErrorSeverity
,
OnError
, and Options
.
Projects maintained by the unified collective are compatible with maintained versions of Node.js.
When we cut a new major release, we drop support for unmaintained versions of
Node.
This means we try to keep the current release line, hast-util-from-html@^2
,
compatible with Node.js 16.
Parsing HTML is safe but using user-provided content can open you up to a
cross-site scripting (XSS) attack.
Use hast-util-santize
to make the hast tree safe.
hast-util-to-html
— serialize hasthast-util-sanitize
— sanitize hastxast-util-from-xml
— parse XMLSee contributing.md
in syntax-tree/.github
for
ways to get started.
See support.md
for ways to get help.
This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.
FAQs
hast utility to parse from HTML
We found that hast-util-from-html demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.