preact-parser
Advanced tools
Readme
When dealing with HTML strings in Preact, our only real option is to use dangerouslySetInnerHTML. This is fine(-ish) if you 100% trust the contents of that HTML, but regardless, it opens up potential vectors for attack, problems and bugs. Ideally, we'd be able to sanitise, and convert this HTML into VDom nodes that can be natively rendered in the same manner as defined JSX or h() calls.
This lightweight package (2KB GZipped) accepts an HTML string (doesn't have to contain HTML, can be text), parses it, and returns a tree of VDom nodes ready to render by Preact. It can work both on the client (Dom Parser) and the server, so is ideal for isomorphic applications.
It automatically strips <script /> tags, so you no longer have to worry about someone "accidentally" adding an alert('Hello') in your CMS / API of choice.
Install with Yarn:
$ yarn add preact-parser
Install with NPM:
$ npm i preact-parser
preact-parser exports a single function, parse(), that accepts a string of HTML or text, and can be used directly within your component trees. As mentioned above, in the browser it makes use of the native DOM parser, and on the server uses a tiny, efficient string parser.
For example:
import { parse } from 'preact-parser';
/*[...]*/
const htmlApiResponse = `
<p>Contrary to popular belief, Lorem Ipsum is not simply random text.</p>
<p>There are many variations of passages of Lorem Ipsum available</p>
<script>
alert('Gotcha!');
</script>
`;
/*[...]*/
function BlogContent() {
return <article class="content">{parse(htmlApiResponse)}</article>;
}
When rendered, the above will output:
<p>Contrary to popular belief, Lorem Ipsum is not simply random text.</p>
<p>There are many variations of passages of Lorem Ipsum available</p>
The server side HTML string parser in this package takes inspiration from the fantastically fast node-html-parser. That package provides a full DOM representation, including methods, which was overkill for this. In order to keep the size of preact-parser to a minimum, we've made use of the excellent parsing function found there.
FAQs
When dealing with HTML strings in Preact, our only real option is to use `dangerouslySetInnerHTML`. This is fine(-ish) if you 100% trust the contents of that HTML, but regardless, it opens up potential vectors for attack, problems and bugs. Ideally, we'd
The npm package preact-parser receives a total of 82 weekly downloads. As such, preact-parser popularity was classified as not popular.
We found that preact-parser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.