micromark-util-sanitize-uri
micromark utility to sanitize urls.
Contents
What is this?
This package exposes an algorithm to make URLs safe.
When should I use this?
This package might be useful when you are making your own micromark extensions.
Install
This package is ESM only.
In Node.js (version 16+), install with npm:
npm install micromark-util-sanitize-uri
In Deno with esm.sh
:
import {sanitizeUri} from 'https://esm.sh/micromark-util-sanitize-uri@1'
In browsers with esm.sh
:
<script type="module">
import {sanitizeUri} from 'https://esm.sh/micromark-util-sanitize-uri@1?bundle'
</script>
Use
import {sanitizeUri} from 'micromark-util-sanitize-uri'
sanitizeUri('https://example.com/a&b')
sanitizeUri('https://example.com/a%b')
sanitizeUri('https://example.com/a%20b')
sanitizeUri('https://example.com/👍')
sanitizeUri('https://example.com/', /^https?$/i)
sanitizeUri('javascript:alert(1)', /^https?$/i)
sanitizeUri('./example.jpg', /^https?$/i)
sanitizeUri('#a', /^https?$/i)
API
This module exports the identifiers normalizeUri
and
sanitizeUri
.
There is no default export.
normalizeUri(value)
Normalize a URL.
Encode unsafe characters with percent-encoding, skipping already encoded
sequences.
Parameters
value
(string
)
— URI to normalize
Returns
Normalized URI (string
).
sanitizeUri(url[, pattern])
Make a value safe for injection as a URL.
This encodes unsafe characters with percent-encoding and skips already
encoded sequences (see normalizeUri
).
Further unsafe characters are encoded as character references (see
micromark-util-encode
).
A regex of allowed protocols can be given, in which case the URL is sanitized.
For example, /^(https?|ircs?|mailto|xmpp)$/i
can be used for a[href]
, or
/^https?$/i
for img[src]
(this is what github.com
allows).
If the URL includes an unknown protocol (one not matched by protocol
, such
as a dangerous example, javascript:
), the value is ignored.
Parameters
url
(string
)
— URI to sanitizepattern
(RegExp
, optional)
— allowed protocols
Returns
Sanitized URI (string
).
Types
This package is fully typed with TypeScript.
It exports no additional types.
Compatibility
Projects maintained by the unified collective are compatible with maintained
versions of Node.js.
When we cut a new major release, we drop support for unmaintained versions of
Node.
This means we try to keep the current release line,
micromark-util-sanitize-uri@2
, compatible with Node.js 16.
This package works with micromark@3
.
Security
This package is safe.
See security.md
in micromark/.github
for how to
submit a security report.
Contribute
See contributing.md
in micromark/.github
for ways
to get started.
See support.md
for ways to get help.
This project has a code of conduct.
By interacting with this repository, organisation, or community you agree to
abide by its terms.
License
MIT © Titus Wormer