Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
preact-parser
Advanced tools
When dealing with HTML strings in Preact, our only real option is to use `dangerouslySetInnerHTML`. This is fine(-ish) if you 100% trust the contents of that HTML, but regardless, it opens up potential vectors for attack, problems and bugs. Ideally, we'd
When dealing with HTML strings in Preact, our only real option is to use dangerouslySetInnerHTML
. This is fine(-ish) if you 100% trust the contents of that HTML, but regardless, it opens up potential vectors for attack, problems and bugs. Ideally, we'd be able to sanitise, and convert this HTML into VDom nodes that can be natively rendered in the same manner as defined JSX or h()
calls.
This lightweight package (2KB GZipped) accepts an HTML string (doesn't have to contain HTML, can be text), parses it, and returns a tree of VDom nodes ready to render by Preact. It can work both on the client (Dom Parser) and the server, so is ideal for isomorphic applications.
It automatically strips <script />
tags, so you no longer have to worry about someone "accidentally" adding an alert('Hello')
in your CMS / API of choice.
Install with Yarn:
$ yarn add preact-parser
Install with NPM:
$ npm i preact-parser
preact-parser
exports a single function, parse()
, that accepts a string of HTML or text, and can be used directly within your component trees. As mentioned above, in the browser it makes use of the native DOM parser, and on the server uses a tiny, efficient string parser.
For example:
import { parse } from 'preact-parser';
/*[...]*/
const htmlApiResponse = `
<p>Contrary to popular belief, Lorem Ipsum is not simply random text.</p>
<p>There are many variations of passages of Lorem Ipsum available</p>
<script>
alert('Gotcha!');
</script>
`;
/*[...]*/
function BlogContent() {
return <article class="content">{parse(htmlApiResponse)}</article>;
}
When rendered, the above will output:
<p>Contrary to popular belief, Lorem Ipsum is not simply random text.</p>
<p>There are many variations of passages of Lorem Ipsum available</p>
The server side HTML string parser in this package takes inspiration from the fantastically fast node-html-parser
. That package provides a full DOM representation, including methods, which was overkill for this. In order to keep the size of preact-parser
to a minimum, we've made use of the excellent parsing function found there.
FAQs
When dealing with HTML strings in Preact, our only real option is to use `dangerouslySetInnerHTML`. This is fine(-ish) if you 100% trust the contents of that HTML, but regardless, it opens up potential vectors for attack, problems and bugs. Ideally, we'd
The npm package preact-parser receives a total of 1,219 weekly downloads. As such, preact-parser popularity was classified as popular.
We found that preact-parser demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.