sanitize-html-plus
Advanced tools
Comparing version 1.11.4-4 to 1.13.0-1
11
index.js
@@ -125,2 +125,3 @@ var htmlparser = require('htmlparser2'); | ||
| var skip = false; | ||
| var hasText = frame.text ? true : false; | ||
| var transformedTag; | ||
@@ -198,2 +199,5 @@ if (has(transformTagsMap, name)) { | ||
| result += ">"; | ||
| if (frame.innerText && !hasText && !options.textFilter) { | ||
| result += frame.innerText; | ||
| } | ||
| } | ||
@@ -300,2 +304,6 @@ }, | ||
| } | ||
| if (!options.escapeText) | ||
| return s; | ||
| return s.replace(/\&/g, '&').replace(/</g, '<').replace(/\>/g, '>').replace(/\"/g, '"'); | ||
@@ -360,3 +368,4 @@ } | ||
| allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ], | ||
| allowedSchemesByTag: {} | ||
| allowedSchemesByTag: {}, | ||
| escapeText: true | ||
| }; | ||
@@ -363,0 +372,0 @@ |
| { | ||
| "name": "sanitize-html-plus", | ||
| "version": "1.11.4-4", | ||
| "version": "1.13.0-1", | ||
| "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
| "main": "index.js", | ||
| "scripts": { | ||
| "test": "mocha test/test.js" | ||
| "build": "browserify index.js > dist/sanitize-html.js --standalone 'sanitizeHtml'", | ||
| "minify": "npm run build && uglifyjs dist/sanitize-html.js > dist/sanitize-html.min.js", | ||
| "test": "mocha test/test.js", | ||
| "prebuild": "npm run test && rm -rf dist && mkdir dist" | ||
| }, | ||
@@ -27,3 +30,8 @@ "repository": { | ||
| "xtend": "^4.0.0" | ||
| }, | ||
| "devDependencies": { | ||
| "browserify": "^13.0.1", | ||
| "mocha": "^2.5.3", | ||
| "uglify-js": "^2.6.2" | ||
| } | ||
| } |
@@ -27,2 +27,39 @@ **fork of sanitize-html to include [`options.styleFilter`](https://github.com/punkave/sanitize-html/pull/106) and [`pass the stack to textFilter`](https://github.com/punkave/sanitize-html/pulls/95)** | ||
| ### Browser | ||
| *Think first: why do you want to use it in the browser?* Remember, *servers must never trust browsers.* You can't sanitize HTML for saving on the server anywhere else but on the server. | ||
| But, perhaps you'd like to display sanitized HTML immediately in the browser for preview. Or ask the browser to do the sanitization work on every page load. You can if you want to! | ||
| * Clone repository | ||
| * Run npm install and build / minify: | ||
| ```bash | ||
| npm install | ||
| npm run minify | ||
| ``` | ||
| You'll find the minified and unminified versions of sanitize-html (with all its dependencies included) in the dist/ directory. | ||
| Use it in the browser: | ||
| ```html | ||
| <html> | ||
| <body> | ||
| <script type="text/javascript" src="dist/sanitize-html.js"></script> | ||
| <script type="text/javascript" src="demo.js"></script> | ||
| </body> | ||
| </html> | ||
| ``` | ||
| ```javascript | ||
| var html = "<strong>hello world</strong>"; | ||
| console.log(sanitizeHtml(html)); | ||
| console.log(sanitizeHtml("<img src=x onerror=alert('img') />")); | ||
| console.log(sanitizeHtml("console.log('hello world')")); | ||
| console.log(sanitizeHtml("<script>alert('hello world')</script>")); | ||
| ``` | ||
| ### Node (Recommended) | ||
| Install module from console: | ||
@@ -190,2 +227,25 @@ | ||
| You can also add or modify the text contents of a tag: | ||
| ```js | ||
| clean = sanitizeHtml(dirty, { | ||
| transformTags: { | ||
| 'a': function(tagName, attribs) { | ||
| return { | ||
| tagName: 'a', | ||
| text: 'Some text' | ||
| }; | ||
| } | ||
| } | ||
| }); | ||
| ``` | ||
| For example, you could transform a link element with missing anchor text: | ||
| ```js | ||
| <a href="http://somelink.com"></a> | ||
| ``` | ||
| To a link with anchor text: | ||
| ```js | ||
| <a href="http://somelink.com">Some text</a> | ||
| ``` | ||
| ### Filters | ||
@@ -306,2 +366,6 @@ | ||
| 1.13.0: `transformTags` can now add text to an element that initially had none. Thanks to Dushyant Singh. | ||
| 1.12.0: option to build for browser-side use. Thanks to Michael Blum. | ||
| 1.11.4: fixed crash when `__proto__` is a tag name. Now using a safe check for the existence of properties in all cases. Thanks to Andrew Krasichkov. | ||
@@ -308,0 +372,0 @@ |
@@ -147,2 +147,21 @@ var assert = require("assert"); | ||
| it('should add new text when not initially set and replace attributes when they are changed by transforming function', function () { | ||
| assert.equal(sanitizeHtml('<a href="http://somelink"></a>', { transformTags: {a: function (tagName, attribs) { | ||
| return { | ||
| tagName: tagName, | ||
| attribs: attribs, | ||
| text: 'some new text' | ||
| } | ||
| }}}), '<a href="http://somelink">some new text</a>'); | ||
| }); | ||
| it('should preserve text when initially set and replace attributes when they are changed by transforming function', function () { | ||
| assert.equal(sanitizeHtml('<a href="http://somelink">some initial text</a>', { transformTags: {a: function (tagName, attribs) { | ||
| return { | ||
| tagName: tagName, | ||
| attribs: attribs | ||
| } | ||
| }}}), '<a href="http://somelink">some initial text</a>'); | ||
| }); | ||
| it('should skip an empty link', function() { | ||
@@ -308,3 +327,3 @@ assert.strictEqual( | ||
| // separate attribute | ||
| '<img src="onmouseover="alert(\'XSS\');"" />' | ||
| '<img src="onmouseover="alert(\'XSS\');"" />' | ||
| ); | ||
@@ -510,2 +529,10 @@ }); | ||
| }); | ||
| it('should correctly NOT escape when asked', function() { | ||
| assert.equal( | ||
| sanitizeHtml('<span> < é </span>', { | ||
| allowedTags: false, | ||
| escapeText: false | ||
| }) | ||
| , '<span> < é </span>'); | ||
| }); | ||
| }); |
Sorry, the diff of this file is not supported yet
No alert changes
Improved metrics
- Total package byte prevSize
- increased by6.14%
58507
- Lines of code
- increased by3.79%
876
- Number of lines in readme file
- increased by15.72%
471
Worsened metrics
- Dev dependency count
- increased byInfinity%
3
No dependency changes