sanitize-html
Comparing version 1.11.1 to 1.11.2
{ | ||
"name": "sanitize-html", | ||
"version": "1.11.1", | ||
"version": "1.11.2", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
README.md
@@ -25,18 +25,28 @@ # sanitize-html | ||
npm install sanitize-html | ||
Install module from console: | ||
var sanitizeHtml = require('sanitize-html'); | ||
```bash | ||
npm install sanitize-html | ||
``` | ||
var dirty = 'some really tacky HTML'; | ||
var clean = sanitizeHtml(dirty); | ||
Use it in your node app: | ||
```js | ||
var sanitizeHtml = require('sanitize-html'); | ||
var dirty = 'some really tacky HTML'; | ||
var clean = sanitizeHtml(dirty); | ||
``` | ||
That will allow our default list of allowed tags and attributes through. It's a nice set, but probably not quite what you want. So: | ||
// Allow only a super restricted set of tags and attributes | ||
clean = sanitizeHtml(dirty, { | ||
allowedTags: [ 'b', 'i', 'em', 'strong', 'a' ], | ||
allowedAttributes: { | ||
'a': [ 'href' ] | ||
} | ||
}); | ||
```js | ||
// Allow only a super restricted set of tags and attributes | ||
clean = sanitizeHtml(dirty, { | ||
allowedTags: [ 'b', 'i', 'em', 'strong', 'a' ], | ||
allowedAttributes: { | ||
'a': [ 'href' ] | ||
} | ||
}); | ||
``` | ||
@@ -47,5 +57,7 @@ Boom! | ||
clean = sanitizeHtml(dirty, { | ||
allowedTags: sanitizeHtml.defaults.allowedTags.concat([ 'img' ]) | ||
}); | ||
```js | ||
clean = sanitizeHtml(dirty, { | ||
allowedTags: sanitizeHtml.defaults.allowedTags.concat([ 'img' ]) | ||
}); | ||
``` | ||
@@ -56,16 +68,18 @@ If you do not specify `allowedTags` or `allowedAttributes` our default list is applied. So if you really want an empty list, specify one. | ||
allowedTags: [ 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', | ||
'nl', 'li', 'b', 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', | ||
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' ], | ||
allowedAttributes: { | ||
a: [ 'href', 'name', 'target' ], | ||
// We don't currently allow img itself by default, but this | ||
// would make sense if we did | ||
img: [ 'src' ] | ||
}, | ||
// Lots of these won't come up by default because we don't allow them | ||
selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ], | ||
// URL schemes we permit | ||
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ], | ||
allowedSchemesByTag: {} | ||
```js | ||
allowedTags: [ 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', | ||
'nl', 'li', 'b', 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', | ||
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' ], | ||
allowedAttributes: { | ||
a: [ 'href', 'name', 'target' ], | ||
// We don't currently allow img itself by default, but this | ||
// would make sense if we did | ||
img: [ 'src' ] | ||
}, | ||
// Lots of these won't come up by default because we don't allow them | ||
selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ], | ||
// URL schemes we permit | ||
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ], | ||
allowedSchemesByTag: {} | ||
``` | ||
@@ -77,4 +91,6 @@ #### "What if I want to allow all tags or all attributes?" | ||
allowedTags: false, | ||
allowedAttributes: false | ||
```js | ||
allowedTags: false, | ||
allowedAttributes: false | ||
``` | ||
@@ -85,4 +101,6 @@ #### "What if I don't want to allow *any* tags?" | ||
allowedTags: [], | ||
allowedAttributes: [] | ||
```js | ||
allowedTags: [], | ||
allowedAttributes: [] | ||
``` | ||
@@ -113,6 +131,6 @@ ### Wildcards for attributes | ||
clean = sanitizeHtml(dirty, { | ||
allowedTags: ['a'], | ||
parser: { | ||
lowerCaseTags: true | ||
} | ||
allowedTags: ['a'], | ||
parser: { | ||
lowerCaseTags: true | ||
} | ||
}); | ||
@@ -128,24 +146,28 @@ ``` | ||
clean = sanitizeHtml(dirty, { | ||
transformTags: { | ||
'ol': 'ul', | ||
} | ||
}); | ||
```js | ||
clean = sanitizeHtml(dirty, { | ||
transformTags: { | ||
'ol': 'ul', | ||
} | ||
}); | ||
``` | ||
The most advanced usage: | ||
clean = sanitizeHtml(dirty, { | ||
transformTags: { | ||
'ol': function(tagName, attribs) { | ||
// My own custom magic goes here | ||
```js | ||
clean = sanitizeHtml(dirty, { | ||
transformTags: { | ||
'ol': function(tagName, attribs) { | ||
// My own custom magic goes here | ||
return { | ||
tagName: 'ul', | ||
attribs: { | ||
class: 'foo' | ||
} | ||
}; | ||
} | ||
} | ||
}); | ||
return { | ||
tagName: 'ul', | ||
attribs: { | ||
class: 'foo' | ||
} | ||
}; | ||
} | ||
} | ||
}); | ||
``` | ||
@@ -156,11 +178,15 @@ You can specify the `*` wildcard instead of a tag name to transform all tags. | ||
clean = sanitizeHtml(dirty, { | ||
transformTags: { | ||
'ol': sanitizeHtml.simpleTransform('ul', {class: 'foo'}), | ||
} | ||
}); | ||
```js | ||
clean = sanitizeHtml(dirty, { | ||
transformTags: { | ||
'ol': sanitizeHtml.simpleTransform('ul', {class: 'foo'}), | ||
} | ||
}); | ||
``` | ||
The `simpleTransform` helper method has 3 parameters: | ||
simpleTransform(newTag, newAttributes, shouldMerge) | ||
```js | ||
simpleTransform(newTag, newAttributes, shouldMerge) | ||
``` | ||
@@ -181,8 +207,8 @@ The last parameter (`shouldMerge`) is set to `true` by default. When `true`, `simpleTransform` will merge the current attributes with the new ones (`newAttributes`). When `false`, all existing attributes are discarded. | ||
sanitizeHtml( | ||
'<p>This is <a href="http://www.linux.org"></a><br/>Linux</p>', | ||
{ | ||
exclusiveFilter: function(frame) { | ||
return frame.tag === 'a' && !frame.text.trim(); | ||
} | ||
'<p>This is <a href="http://www.linux.org"></a><br/>Linux</p>', | ||
{ | ||
exclusiveFilter: function(frame) { | ||
return frame.tag === 'a' && !frame.text.trim(); | ||
} | ||
} | ||
); | ||
@@ -208,8 +234,8 @@ ``` | ||
sanitizeHtml( | ||
'<p>some text...</p>', | ||
{ | ||
textFilter: function(text) { | ||
return text.replace(/\.\.\./, '…'); | ||
} | ||
'<p>some text...</p>', | ||
{ | ||
textFilter: function(text) { | ||
return text.replace(/\.\.\./, '…'); | ||
} | ||
} | ||
); | ||
@@ -240,3 +266,5 @@ ``` | ||
```js | ||
[ 'http', 'https', 'ftp', 'mailto' ] | ||
``` | ||
@@ -259,6 +287,6 @@ You can override this if you want to: | ||
```javascript | ||
allowedSchemes: [ 'http', 'https' ], | ||
allowedSchemesByTag: { | ||
img: [ 'data' ] | ||
} | ||
allowedSchemes: [ 'http', 'https' ], | ||
allowedSchemesByTag: { | ||
img: [ 'data' ] | ||
} | ||
``` | ||
@@ -277,3 +305,3 @@ | ||
```javascript | ||
nonTextTags: [ 'style', 'script', 'textarea', 'noscript' ] | ||
nonTextTags: [ 'style', 'script', 'textarea', 'noscript' ] | ||
``` | ||
@@ -285,2 +313,4 @@ | ||
1.11.2: fixed README typo that interfered with readability due to markdown issues. No code changes. Thanks to Mikael Korpela. Also improved code block highlighting in README. Thanks to Alex Siman. | ||
1.11.1: fixed a regression introduced in 1.11.0 which caused the closing tag of the parent of a `textarea` tag to be lost. Thanks to Stefano Sala, who contributed the missing test. | ||
@@ -294,3 +324,3 @@ | ||
1.9.0: `parser` option allows options to be passed directly to `htmlparser2. Thanks to Danny Scott. | ||
1.9.0: `parser` option allows options to be passed directly to `htmlparser`. Thanks to Danny Scott. | ||
@@ -382,1 +412,3 @@ 1.8.0: | ||
<a href="http://punkave.com/"><img src="https://raw.github.com/punkave/sanitize-html/master/logos/logo-box-builtby.png" /></a> | ||