rehype-sanitize
Advanced tools
Readme
rehype plugin to sanitise HTML.
npm:
npm install rehype-sanitize
Say we have the following file, index.html:
<div onmouseover="alert('alpha')">
<a href="jAva script:alert('bravo')">delta</a>
<img src="x" onerror="alert('charlie')">
<iframe src="javascript:alert('delta')"></iframe>
<math>
<mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
</math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>
And our script, example.js, looks as follows:
var fs = require('fs')
var rehype = require('rehype')
var merge = require('deepmerge')
var gh = require('hast-util-sanitize/lib/github')
var sanitize = require('rehype-sanitize')
var schema = merge(gh, {tagNames: ['math', 'mi']})
rehype()
.data('settings', {fragment: true})
.use(sanitize, schema)
.process(fs.readFileSync('index.html'), function(err, file) {
if (err) throw err
console.log(String(file))
})
Now, running node example yields:
<div>
<a>delta</a>
<img src="x">
<math>
<mi></mi>
</math>
</div>
rehype().use(sanitize[, schema])Remove potentially dangerous things from HTML, or more correct: keep only safe the things in a document.
schemaThe sanitation schema defines how and if nodes and properties should be cleaned.
The schema is documented in hast-util-sanitize.
hast-util-sanitize
— Core utility that does the sanitationSee contributing.md in rehypejs/.github for ways
to get started.
See support.md for ways to get help.
This project has a Code of Conduct. By interacting with this repository, organisation, or community you agree to abide by its terms.
FAQs
rehype plugin to sanitize HTML
We found that rehype-sanitize demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The US Justice Department has penalized two consulting firms $11.3 million for failing to meet cybersecurity requirements on federally funded projects, emphasizing strict enforcement to protect sensitive government data.
Security News
ua-parser-js is set to drop the MIT license and adopt a controversial dual AGPLv3 + PRO licensing model in its upcoming v2.0 release, raising significant concerns among developers and enterprise users.
Security News
Researchers recently demonstrated that the npm Registry is vulnerable to cache poisoning combined with DoS, posing significant risks for package availability.