sanitize-html - npm Package Compare versions

Comparing version 1.1.5 to 1.1.7

index.js

		var htmlparser = require('htmlparser2');
		var _ = require('lodash');
		var ent = require('ent');
		var he = require('he');

		@@ -157,3 +157,3 @@ module.exports = sanitizeHtml;
		// So we don't get faked out by a hex or decimal escaped javascript URL #1
		href = ent.decode(href);
		href = he.decode(href);
		// Browsers ignore character codes of 32 (space) and below in a surprising
		@@ -170,3 +170,3 @@ // number of situations. Start reading here:
		var scheme = matches[1].toLowerCase();
		return (!_.contains(['http', 'https', 'ftp', 'mailto' ], scheme));
		return (!_.contains(options.allowedSchemes, scheme));
		}
		@@ -187,10 +187,13 @@ }
		// Lots of these won't come up by default because we don't allow them
		selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ]
		selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
		// URL schemes we permit
		allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ]
		};

		sanitizeHtml.simpleTransform = function(newTagName, newAttribs, merge) {
		merge = (merge == undefined) ? true : merge;
		merge = (merge === undefined) ? true : merge;
		newAttribs = newAttribs \|\| {};

		return function(tagName, attribs) {
		var attrib;
		if (merge) {
		@@ -207,4 +210,4 @@ for (attrib in newAttribs) {
		attribs: attribs
		}
		};
		};
		};

package.json

		{
		"name": "sanitize-html",
		"version": "1.1.5",
		"version": "1.1.7",
		"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
		@@ -24,6 +24,6 @@ "main": "index.js",
		"dependencies": {
		"lodash": "2.4.x",
		"he": "~0.4.1",
		"htmlparser2": "~3.3.0",
		"ent": "~0.1.0"
		"lodash": "2.4.x"
		}
		}

README.md

		@@ -54,7 +54,3 @@ # sanitize-html

		allowedTags: [ 'h3', 'h4', 'h5', 'h6', 'blockquote',
		'p', 'a', 'ul', 'ol', 'nl', 'li', 'b', 'i', 'strong',
		'em', 'strike', 'code', 'hr', 'br', 'div',
		'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td',
		'pre' ],
		allowedTags: [ 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'nl', 'li', 'b', 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' ],
		allowedAttributes: {
		@@ -66,6 +62,6 @@ a: [ 'href', 'name', 'target' ],
		},
		// Lots of these won't come up by default because
		// we don't allow them
		selfClosing: [ 'img', 'br', 'hr', 'area', 'base',
		'basefont', 'input', 'link', 'meta' ]
		// Lots of these won't come up by default because we don't allow them
		selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
		// URL schemes we permit
		allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ]

		@@ -117,6 +113,10 @@ ### Transformations

		You can provide a filter function to remove unwanted tags. Let's suppose we need to remove empty `a` tags like
		You can provide a filter function to remove unwanted tags. Let's suppose we need to remove empty `a` tags like:

		```html
		<a href="page/html"></a>
		<a href="page.html"></a>
		```

		We can do that with the following filter:

		```javascript
		@@ -133,3 +133,27 @@ sanitizeHtml(

		### Allowed URL schemes

		By default we allow the following URL schemes in cases where `href`, `src`, etc. are allowed:

		[ 'http', 'https', 'ftp', 'mailto' ]

		You can override this if you want to:

		```javascript
		sanitizeHtml(
		// teeny-tiny valid transparent GIF in a data URL
		'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" />',
		{
		allowedTags: [ 'img', 'p' ],
		allowedSchemes: [ 'data', 'http' ]
		}
		);
		```

		## Changelog

		1.1.6: `allowedSchemes` option for those who want to permit `data` URLs and such.

		1.1.5: just a packaging thing.

		1.1.4: custom exclusion filter.
		@@ -136,0 +160,0 @@

test/test.js

		@@ -87,13 +87,38 @@ var assert = require("assert");
		it('should skip empty a', function() {
		assert.equal(
		sanitizeHtml('<p>This is <a href="http://www.linux.org"></a><br/>Linux</p>',
		{
		exclusiveFilter : function(frame) {
		return frame.tag === 'a' && !frame.text.trim();
		}
		}),
		'<p>This is <br />Linux</p>'
		);
		assert.equal(
		sanitizeHtml('<p>This is <a href="http://www.linux.org"></a><br/>Linux</p>',
		{
		exclusiveFilter : function(frame) {
		return frame.tag === 'a' && !frame.text.trim();
		}
		}),
		'<p>This is <br />Linux</p>'
		);
		});
		it('should disallow data URLs with default allowedSchemes', function() {
		assert.equal(
		sanitizeHtml(
		// teeny-tiny valid transparent GIF in a data URL
		'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" />',
		{
		allowedTags: [ 'img' ]
		}
		),
		'<img src />'
		);
		});
		it('should allow data URLs with custom allowedSchemes', function() {
		assert.equal(
		sanitizeHtml(
		// teeny-tiny valid transparent GIF in a data URL
		'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" />',
		{
		allowedTags: [ 'img', 'p' ],
		allowedSchemes: [ 'data', 'http' ]
		}
		),
		'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" />'
		);
		});
		});

sanitize-html - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Dependency changes