Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
rehype-parse
Advanced tools
rehype-parse is a plugin for the unified processor that parses HTML into a syntax tree. It is part of the rehype ecosystem, which is a toolset for transforming HTML with plugins. This package is particularly useful for processing and manipulating HTML content programmatically.
Basic HTML Parsing
This feature allows you to parse a simple HTML string into a syntax tree. The code sample demonstrates how to parse an HTML string and inspect the resulting tree structure.
const unified = require('unified');
const parse = require('rehype-parse');
const inspect = require('unist-util-inspect');
const html = '<h1>Hello, world!</h1>';
const tree = unified()
.use(parse)
.parse(html);
console.log(inspect(tree));
Parsing with Options
This feature allows you to parse HTML with specific options. In this example, the 'fragment' option is set to true, which allows parsing of HTML fragments instead of full documents.
const unified = require('unified');
const parse = require('rehype-parse');
const inspect = require('unist-util-inspect');
const html = '<h1>Hello, world!</h1>';
const tree = unified()
.use(parse, { fragment: true })
.parse(html);
console.log(inspect(tree));
Integration with Other Plugins
This feature demonstrates how to integrate rehype-parse with other plugins in the rehype ecosystem. The code sample shows how to parse HTML and then stringify it back to HTML.
const unified = require('unified');
const parse = require('rehype-parse');
const stringify = require('rehype-stringify');
const html = '<h1>Hello, world!</h1>';
const output = unified()
.use(parse)
.use(stringify)
.processSync(html)
.toString();
console.log(output);
htmlparser2 is a fast and forgiving HTML/XML parser. It is more low-level compared to rehype-parse and provides a SAX-style parser, which can be more complex to use but offers more control over the parsing process.
parse5 is a highly compliant HTML parser that closely follows the WHATWG HTML specification. It is similar to rehype-parse in terms of compliance and ease of use but is a standalone parser without the plugin ecosystem that rehype offers.
jsdom is a JavaScript implementation of the DOM and HTML standards. It is more heavyweight compared to rehype-parse and is used for simulating a browser environment, making it suitable for more complex DOM manipulations and testing.
rehype plugin to add support for parsing from HTML.
This package is a unified (rehype) plugin that defines how to take HTML as input and turn it into a syntax tree. When it’s used, HTML can be parsed and other rehype plugins can be used after it.
See the monorepo readme for info on what the rehype ecosystem is.
This plugin adds support to unified for parsing HTML.
If you also need to serialize HTML, you can alternatively use
rehype
, which combines unified, this plugin, and
rehype-stringify
.
When you are in a browser, trust your content, don’t need positional info, and
value a smaller bundle size, you can use rehype-dom-parse
instead.
If you don’t use plugins and want to access the syntax tree, you can directly
use hast-util-from-html
, which is used inside this
plugin.
rehype focusses on making it easier to transform content by abstracting such
internals away.
This package is ESM only. In Node.js (version 16+), install with npm:
npm install rehype-parse
In Deno with esm.sh
:
import rehypeParse from 'https://esm.sh/rehype-parse@9'
In browsers with esm.sh
:
<script type="module">
import rehypeParse from 'https://esm.sh/rehype-parse@9?bundle'
</script>
Say we have the following module example.js
:
import rehypeParse from 'rehype-parse'
import rehypeRemark from 'rehype-remark'
import remarkStringify from 'remark-stringify'
import {unified} from 'unified'
const file = await unified()
.use(rehypeParse)
.use(rehypeRemark)
.use(remarkStringify)
.process('<h1>Hello, world!</h1>')
console.log(String(file))
…running that with node example.js
yields:
# Hello, world!
This package exports no identifiers.
The default export is rehypeParse
.
unified().use(rehypeParse[, options])
Plugin to add support for parsing from HTML.
options
(Options
, optional)
— configurationNothing (undefined
).
ErrorCode
Known names of parse errors (TypeScript type).
For a bit more info on each error, see
hast-util-from-html
.
type ErrorCode =
| 'abandonedHeadElementChild'
| 'abruptClosingOfEmptyComment'
| 'abruptDoctypePublicIdentifier'
| 'abruptDoctypeSystemIdentifier'
| 'absenceOfDigitsInNumericCharacterReference'
| 'cdataInHtmlContent'
| 'characterReferenceOutsideUnicodeRange'
| 'closingOfElementWithOpenChildElements'
| 'controlCharacterInInputStream'
| 'controlCharacterReference'
| 'disallowedContentInNoscriptInHead'
| 'duplicateAttribute'
| 'endTagWithAttributes'
| 'endTagWithTrailingSolidus'
| 'endTagWithoutMatchingOpenElement'
| 'eofBeforeTagName'
| 'eofInCdata'
| 'eofInComment'
| 'eofInDoctype'
| 'eofInElementThatCanContainOnlyText'
| 'eofInScriptHtmlCommentLikeText'
| 'eofInTag'
| 'incorrectlyClosedComment'
| 'incorrectlyOpenedComment'
| 'invalidCharacterSequenceAfterDoctypeName'
| 'invalidFirstCharacterOfTagName'
| 'misplacedDoctype'
| 'misplacedStartTagForHeadElement'
| 'missingAttributeValue'
| 'missingDoctype'
| 'missingDoctypeName'
| 'missingDoctypePublicIdentifier'
| 'missingDoctypeSystemIdentifier'
| 'missingEndTagName'
| 'missingQuoteBeforeDoctypePublicIdentifier'
| 'missingQuoteBeforeDoctypeSystemIdentifier'
| 'missingSemicolonAfterCharacterReference'
| 'missingWhitespaceAfterDoctypePublicKeyword'
| 'missingWhitespaceAfterDoctypeSystemKeyword'
| 'missingWhitespaceBeforeDoctypeName'
| 'missingWhitespaceBetweenAttributes'
| 'missingWhitespaceBetweenDoctypePublicAndSystemIdentifiers'
| 'nestedComment'
| 'nestedNoscriptInHead'
| 'nonConformingDoctype'
| 'nonVoidHtmlElementStartTagWithTrailingSolidus'
| 'noncharacterCharacterReference'
| 'noncharacterInInputStream'
| 'nullCharacterReference'
| 'openElementsLeftAfterEof'
| 'surrogateCharacterReference'
| 'surrogateInInputStream'
| 'unexpectedCharacterAfterDoctypeSystemIdentifier'
| 'unexpectedCharacterInAttributeName'
| 'unexpectedCharacterInUnquotedAttributeValue'
| 'unexpectedEqualsSignBeforeAttributeName'
| 'unexpectedNullCharacter'
| 'unexpectedQuestionMarkInsteadOfTagName'
| 'unexpectedSolidusInTag'
| 'unknownNamedCharacterReference'
ErrorSeverity
Error severity (TypeScript type).
0
or false
— turn the parse error off1
or true
— turn the parse error into a warning2
— turn the parse error into an actual error: processing stopstype ErrorSeverity = boolean | 0 | 1 | 2
Options
Configuration (TypeScript type).
👉 Note: this is not an XML parser. It supports SVG as embedded in HTML. It does not support the features available in XML. Passing SVG files might break but fragments of modern SVG should be fine. Use
xast-util-from-xml
to parse XML.
fragment
(boolean
, default: false
)
— whether to parse as a fragment; by default unopened html
, head
, and
body
elements are openedemitParseErrors
(boolean
, default: false
)
— whether to emit parse errors while parsingspace
('html'
or 'svg'
, default: 'html'
)
— which space the document is inverbose
(boolean
, default: false
)
— add extra positional info about attributes, start tags, and end tags[key in ErrorCode]
(ErrorSeverity
, default: 1
if
options.emitParseErrors
, otherwise 0
)
— configure specific parse errorsThe following example shows the difference between parsing as a document and parsing as a fragment:
import rehypeParse from 'rehype-parse'
import rehypeStringify from 'rehype-stringify'
import {unified} from 'unified'
const doc = '<title>Hi!</title><h1>Hello!</h1>'
console.log(
String(
await unified()
.use(rehypeParse, {fragment: true})
.use(rehypeStringify)
.process(doc)
)
)
console.log(
String(
await unified()
.use(rehypeParse, {fragment: false})
.use(rehypeStringify)
.process(doc)
)
)
…yields:
<title>Hi!</title><h1>Hello!</h1>
<html><head><title>Hi!</title></head><body><h1>Hello!</h1></body></html>
👉 Note: observe that when a whole document is expected (second example), missing elements are opened and closed.
<html>
The following example shows how whitespace is handled when around and directly
inside the <html>
element:
import rehypeParse from 'rehype-parse'
import rehypeStringify from 'rehype-stringify'
import {unified} from 'unified'
const doc = `<!doctype html>
<html lang=en>
<head>
<title>Hi!</title>
</head>
<body>
<h1>Hello!</h1>
</body>
</html>`
console.log(
String(await unified().use(rehypeParse).use(rehypeStringify).process(doc))
)
…yields (where ␠
represents a space character):
<!doctype html><html lang="en"><head>
<title>Hi!</title>
</head>
<body>
<h1>Hello!</h1>
␠␠
</body></html>
👉 Note: observe that the line ending before
<html>
is ignored, the line ending and two spaces before<head>
is moved inside it, and the line ending after</body>
is moved before it.
This behavior is described by the HTML standard (see the section 13.2.6.4.1 “The ‘initial’ insertion mode” and adjacent states) which rehype follows.
The changes to this meaningless whitespace should not matter, except when
formatting markup, in which case rehype-format
can be used to
improve the source code.
The following example shows how HTML parse errors can be enabled and configured:
import rehypeParse from 'rehype-parse'
import rehypeStringify from 'rehype-stringify'
import {unified} from 'unified'
import {reporter} from 'vfile-reporter'
const file = await unified()
.use(rehypeParse, {
emitParseErrors: true, // Emit all.
missingWhitespaceBeforeDoctypeName: 2, // Mark one as a fatal error.
nonVoidHtmlElementStartTagWithTrailingSolidus: false // Ignore one.
})
.use(rehypeStringify).process(`<!doctypehtml>
<title class="a" class="b">Hello…</title>
<h1/>World!</h1>`)
console.log(reporter(file))
…yields:
1:10-1:10 error Missing whitespace before doctype name missing-whitespace-before-doctype-name hast-util-from-html
2:23-2:23 warning Unexpected duplicate attribute duplicate-attribute hast-util-from-html
2 messages (✖ 1 error, ⚠ 1 warning)
🧑🏫 Info: messages in unified are warnings instead of errors. Other linters (such as ESLint) almost always use errors. Why? Those tools only check code style. They don’t generate, transform, and format code, which is what rehype and unified focus on, too. Errors in unified mean the same as an exception in your JavaScript code: a crash. That’s why we use warnings instead, because we continue checking more HTML and continue running more plugins.
HTML is parsed according to WHATWG HTML (the living standard), which is also followed by all browsers.
The syntax tree format used in rehype is hast.
This package is fully typed with TypeScript.
It exports the additional types ErrorCode
,
ErrorSeverity
, and
Options
.
Projects maintained by the unified collective are compatible with maintained versions of Node.js.
When we cut a new major release, we drop support for unmaintained versions of
Node.
This means we try to keep the current release line, rehype-parse@^9
,
compatible with Node.js 16.
As rehype works on HTML and improper use of HTML can open you up to a
cross-site scripting (XSS) attack, use of rehype can also be unsafe.
Use rehype-sanitize
to make the tree safe.
Use of rehype plugins could also open you up to other attacks. Carefully assess each plugin and the risks involved in using them.
For info on how to submit a report, see our security policy.
See contributing.md
in rehypejs/.github
for ways
to get started.
See support.md
for ways to get help.
This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.
Support this effort and give back by sponsoring on OpenCollective!
Vercel |
Motif |
HashiCorp |
GitBook |
Gatsby | ||||
Netlify |
Coinbase |
ThemeIsle |
Expo |
Boost Note |
Markdown Space |
Holloway | ||
You? |
FAQs
rehype plugin to parse HTML
We found that rehype-parse demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.