sanitize-html
Comparing version 1.3.0 to 1.4.1
index.js
@@ -37,6 +37,9 @@ var htmlparser = require('htmlparser2'); | ||
}; | ||
var allowedTagsMap = {}; | ||
_.each(options.allowedTags, function(tag) { | ||
allowedTagsMap[tag] = true; | ||
}); | ||
var allowedTagsMap; | ||
if(options.allowedTags) { | ||
allowedTagsMap = {}; | ||
_.each(options.allowedTags, function(tag) { | ||
allowedTagsMap[tag] = true; | ||
}); | ||
} | ||
var selfClosingMap = {}; | ||
@@ -46,16 +49,21 @@ _.each(options.selfClosing, function(tag) { | ||
}); | ||
var allowedAttributesMap = {}; | ||
_.each(options.allowedAttributes, function(attributes, tag) { | ||
allowedAttributesMap[tag] = {}; | ||
_.each(attributes, function(name) { | ||
allowedAttributesMap[tag][name] = true; | ||
var allowedAttributesMap; | ||
if(options.allowedAttributes) { | ||
allowedAttributesMap = {}; | ||
_.each(options.allowedAttributes, function(attributes, tag) { | ||
allowedAttributesMap[tag] = {}; | ||
_.each(attributes, function(name) { | ||
allowedAttributesMap[tag][name] = true; | ||
}); | ||
}); | ||
}); | ||
} | ||
var allowedClassesMap = {}; | ||
_.each(options.allowedClasses, function(classes, tag) { | ||
// Implicitly allows the class attribute | ||
if (!allowedAttributesMap[tag]) { | ||
allowedAttributesMap[tag] = {}; | ||
if(allowedAttributesMap) { | ||
if (!allowedAttributesMap[tag]) { | ||
allowedAttributesMap[tag] = {}; | ||
} | ||
allowedAttributesMap[tag]['class'] = true; | ||
} | ||
allowedAttributesMap[tag]['class'] = true; | ||
@@ -98,3 +106,3 @@ allowedClassesMap[tag] = {}; | ||
if (!_.has(allowedTagsMap, name)) { | ||
if (allowedTagsMap && !_.has(allowedTagsMap, name)) { | ||
skip = true; | ||
@@ -112,5 +120,5 @@ if (_.has(nonTextTagsMap, name)) { | ||
result += '<' + name; | ||
if (_.has(allowedAttributesMap, name)) { | ||
if (!allowedAttributesMap || _.has(allowedAttributesMap, name)) { | ||
_.each(attribs, function(value, a) { | ||
if (_.has(allowedAttributesMap[name], a)) { | ||
if (!allowedAttributesMap || _.has(allowedAttributesMap[name], a)) { | ||
if ((a === 'href') || (a === 'src')) { | ||
@@ -117,0 +125,0 @@ if (naughtyHref(value)) { |
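Review bot: With `allowedAttributes: false`, the new `!allowedAttributesMap ||` guards on the two `if` lines just before the `href`/`src` check let every attribute of an emitted tag through unchanged; only `href` and `src` values still reach the `naughtyHref` screen visible at the end of the hunk, so any other attribute name (event handlers included) is copied to the output as-is. That is the documented intent of the change, but it deserves a comment at the guard so the next maintainer does not read it as a filter, e.g. `// allowedAttributes === false disables attribute filtering entirely; only href/src values are still screened by naughtyHref below`. The same applies to the `allowedTagsMap &&` guard in the earlier hunk, where `allowedTags: false` admits every tag name; whether the nonTextTags path still drops script/style content in that mode cannot be confirmed from here, since the enclosing handler starts and ends outside the hunk. Note also that the new `if(options.allowedTags)` / `if(options.allowedAttributes)` tests are truthiness checks, so any falsy value (not just `false`) selects the allow-all path; `=== false` would match the README wording more precisely.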
{ | ||
"name": "sanitize-html", | ||
"version": "1.3.0", | ||
"version": "1.4.1", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -66,2 +66,11 @@ # sanitize-html | ||
"What if I want to allow all tags or all attributes?" | ||
Simple! instead of leaving `allowedTags` or `allowedAttributes` out of the options, set either | ||
one or both to `false`: | ||
allowedTags: false, | ||
allowedAttributes: false | ||
### Transformations | ||
@@ -175,2 +184,4 @@ | ||
1.4.0: ability to allow all attributes or tags through by setting `allowedAttributes` and/or `allowedTags` to false. Thanks to Anand Thakker. | ||
1.3.0: `attribs` now available on frames passed to exclusive filter. | ||
@@ -229,2 +240,1 @@ | ||
<a href="http://punkave.com/"><img src="https://raw.github.com/punkave/sanitize-html/master/logos/logo-box-builtby.png" /></a> | ||
@@ -10,2 +10,8 @@ var assert = require("assert"); | ||
}); | ||
it('should pass through all markup if allowedTags and allowedAttributes are set to false', function() { | ||
assert.equal(sanitizeHtml('<div><wiggly worms="ewww">hello</wiggly></div>', { | ||
allowedTags: false, | ||
allowedAttributes: false | ||
}), '<div><wiggly worms="ewww">hello</wiggly></div>'); | ||
}); | ||
it('should respect text nodes at top level', function() { | ||
@@ -226,2 +232,1 @@ assert.equal(sanitizeHtml('Blah blah blah<p>Whee!</p>'), 'Blah blah blah<p>Whee!</p>'); | ||
}); | ||
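Review bot: The new test only shows that a harmless attribute survives `allowedTags: false, allowedAttributes: false`; it does not pin that `href`/`src` values are still screened in that mode, which is the one piece of attribute filtering the index.js change keeps active, so a regression there would pass this suite unnoticed. Add a second case beside it asserting that an unsafe `href` is not emitted when both options are false; checking for absence of the scheme keeps the test independent of how naughtyHref strips it. The enclosing `describe` block starts and ends outside the hunk.
```javascript
it('should still screen href when allowedTags and allowedAttributes are false', function() {
  var out = sanitizeHtml('<a href="javascript:alert(1)">x</a>', {
    allowedTags: false,
    allowedAttributes: false
  });
  assert.equal(out.indexOf('javascript:'), -1);
});
```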