# rehype-sanitize
![Chat](https://img.shields.io/badge/join%20the%20community-on%20spectrum-7b16ff.svg)
rehype plugin to sanitise HTML.
## Install

npm:

```sh
npm install rehype-sanitize
```
## Use

Say we have the following file, `index.html`:
```html
<div onmouseover="alert('alpha')">
<a href="jAva script:alert('bravo')">delta</a>
<img src="x" onerror="alert('charlie')">
<iframe src="javascript:alert('delta')"></iframe>
<math>
<mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
</math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>
```
And our script, `example.js`, looks as follows:
```js
var fs = require('fs')
var rehype = require('rehype')
var merge = require('deepmerge')
var gh = require('hast-util-sanitize/lib/github')
var sanitize = require('rehype-sanitize')

// Start from the GitHub schema and additionally allow `math` and `mi`;
// deepmerge concatenates the two `tagNames` arrays.
var schema = merge(gh, {tagNames: ['math', 'mi']})

rehype()
  .data('settings', {fragment: true}) // parse as a fragment, not a full document
  .use(sanitize, schema)
  .process(fs.readFileSync('index.html'), function(err, file) {
    if (err) throw err
    console.log(String(file))
  })
```
Now, running `node example` yields:
```html
<div>
<a>delta</a>
<img src="x">
<math>
<mi></mi>
</math>
</div>
```
## API

### `rehype().use(sanitize[, schema])`
Remove potentially dangerous things from HTML or, more precisely, keep only the
safe things in a document.
#### `schema`
The sanitation schema defines how and if nodes and properties should be cleaned.
The schema is documented in hast-util-sanitize.
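To make the allow-list behaviour of such a schema concrete, here is an added, self-contained illustration (not rehype-sanitize's or hast-util-sanitize's own code): a minimal sanitiser over hast-style nodes driven by a schema with the same `tagNames` / `attributes` / `protocols` shape, run over a constructed tree that mirrors `index.html` above. It assumes hast's camel-cased property names (`onMouseOver`, `xlinkHref`) and drops disallowed elements together with their children.

```javascript
// Added illustration, not rehype-sanitize's own code: a minimal allow-list
// sanitiser over hast-style nodes using a schema shaped like the one
// hast-util-sanitize consumes. Disallowed elements are dropped with their children.
const schema = {
  tagNames: ['div', 'a', 'img', 'math', 'mi'],
  attributes: {'*': ['className'], a: ['href'], img: ['src', 'alt']},
  protocols: {href: ['http', 'https', 'mailto'], src: ['http', 'https']}
}

// Reject URL values whose scheme is not allow-listed. Whitespace and control
// characters are removed first because browsers ignore them, so
// "jAva script:" is treated as "javascript:". Scheme-less (relative) values pass.
function safeUrl(value, allowed) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase()
  const m = v.match(/^([a-z][a-z0-9+.-]*):/)
  return m === null || allowed.includes(m[1])
}

function sanitize(node) {
  if (node.type === 'text') return node
  if (node.type !== 'element' || !schema.tagNames.includes(node.tagName)) return null
  const allowed = (schema.attributes['*'] || []).concat(schema.attributes[node.tagName] || [])
  const properties = {}
  for (const [name, value] of Object.entries(node.properties || {})) {
    if (!allowed.includes(name)) continue // drops onMouseOver, onError, xlinkHref
    if (name in schema.protocols && !safeUrl(value, schema.protocols[name])) continue
    properties[name] = value
  }
  const children = (node.children || []).map(sanitize).filter(Boolean)
  return {type: 'element', tagName: node.tagName, properties, children}
}

const h = (tagName, properties, children = []) => ({type: 'element', tagName, properties, children})
const t = (value) => ({type: 'text', value})

// Constructed hast tree mirroring index.html from the README above.
const input = h('div', {onMouseOver: "alert('alpha')"}, [
  h('a', {href: "jAva script:alert('bravo')"}, [t('delta')]),
  h('img', {src: 'x', onError: "alert('charlie')"}),
  h('iframe', {src: "javascript:alert('delta')"}),
  h('math', {}, [h('mi', {xlinkHref: "data:x,<script>alert('echo')</script>"})])
])

// Display-only serialiser (no escaping); use hast-util-to-html for real output.
function toHtml(node) {
  if (node.type === 'text') return node.value
  const attrs = Object.entries(node.properties).map(([k, v]) => ` ${k.toLowerCase()}="${v}"`).join('')
  const open = `<${node.tagName}${attrs}>`
  return node.tagName === 'img' ? open : open + node.children.map(toHtml).join('') + `</${node.tagName}>`
}
```

`toHtml(sanitize(input))` gives `<div><a>delta</a><img src="x"><math><mi></mi></math></div>`, the same result the README shows for the real plugin: every event handler, the `javascript:` and `data:` URLs, and the `iframe` are gone because nothing was allow-listed for them.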
## Related
## Contribute

See contributing.md in rehypejs/.github for ways to get started.
See support.md for ways to get help.
This project has a Code of Conduct. By interacting with this repository,
organisation, or community you agree to abide by its terms.
## License

MIT © Titus Wormer