Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

preact-parser

Package Overview
Dependencies
Maintainers
1
Versions
11
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

preact-parser

When dealing with HTML strings in Preact, our only real option is to use `dangerouslySetInnerHTML`. This is fine(-ish) if you 100% trust the contents of that HTML, but regardless, it opens up potential vectors for attack, problems and bugs. Ideally, we'd

  • 1.3.7
  • latest
  • Source
  • npm
  • Socket score
Version published
Weekly downloads
716
decreased by-45.84%
Maintainers
1
Weekly downloads
 
Created
Source

preact-parser

When dealing with HTML strings in Preact, our only real option is to use dangerouslySetInnerHTML. This is fine(-ish) if you 100% trust the contents of that HTML, but regardless, it opens up potential vectors for attack, problems and bugs. Ideally, we'd be able to sanitise, and convert this HTML into VDom nodes that can be natively rendered in the same manner as defined JSX or h() calls.

This lightweight package (2KB GZipped) accepts an HTML string (doesn't have to contain HTML, can be text), parses it, and returns a tree of VDom nodes ready to render by Preact. It can work both on the client (Dom Parser) and the server, so is ideal for isomorphic applications.

It automatically strips <script /> tags, so you no longer have to worry about someone "accidentally" adding an alert('Hello') in your CMS / API of choice.

Getting Started

Install with Yarn:

$ yarn add preact-parser

Install with NPM:

$ npm i preact-parser

Using parse()

preact-parser exports a single function, parse(), that accepts a string of HTML or text, and can be used directly within your component trees. As mentioned above, in the browser it makes use of the native DOM parser, and on the server uses a tiny, efficient string parser.

For example:

import { parse } from 'preact-parser';

/*[...]*/

const htmlApiResponse = `
   <p>Contrary to popular belief, Lorem Ipsum is not simply random text.</p>
   <p>There are many variations of passages of Lorem Ipsum available</p>
   <script>
      alert('Gotcha!');
   </script>
`;

/*[...]*/

function BlogContent() {
  return <article class="content">{parse(htmlApiResponse)}</article>;
}

When rendered, the above will output:

<p>Contrary to popular belief, Lorem Ipsum is not simply random text.</p>
<p>There are many variations of passages of Lorem Ipsum available</p>

Acknowledgement

The server side HTML string parser in this package takes inspiration from the fantastically fast node-html-parser. That package provides a full DOM representation, including methods, which was overkill for this. In order to keep the size of preact-parser to a minimum, we've made use of the excellent parsing function found there.

Keywords

FAQs

Package last updated on 25 May 2023

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Supply Chain Attack Detected in Solana's web3.js Library

Security News

Supply Chain Attack Detected in Solana's web3.js Library

A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.

By Sarah Gooding  -  Dec 03, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc