sanitize-html
Comparing version 1.6.1 to 1.7.0
index.js
@@ -134,3 +134,3 @@ var htmlparser = require('htmlparser2'); | ||
if ((a === 'href') || (a === 'src')) { | ||
if (naughtyHref(value)) { | ||
if (naughtyHref(name, value)) { | ||
delete frame.attribs[a]; | ||
@@ -229,3 +229,3 @@ return; | ||
function naughtyHref(href) { | ||
function naughtyHref(name, href) { | ||
// Browsers ignore character codes of 32 (space) and below in a surprising | ||
@@ -246,3 +246,8 @@ // number of situations. Start reading here: | ||
var scheme = matches[1].toLowerCase(); | ||
return (!_.contains(options.allowedSchemes, scheme)); | ||
if (_.has(options.allowedSchemesByTag, name)) { | ||
return !_.contains(options.allowedSchemesByTag[name], scheme); | ||
} | ||
return !_.contains(options.allowedSchemes, scheme); | ||
} | ||
@@ -276,3 +281,4 @@ | ||
// URL schemes we permit | ||
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ] | ||
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ], | ||
allowedSchemesByTag: {} | ||
}; | ||
@@ -279,0 +285,0 @@ |
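Review bot: The per-tag branch added at the `_.has(options.allowedSchemesByTag, name)` check replaces the global `allowedSchemes` list for that tag rather than extending it, and nothing in naughtyHref says so; the second new test assertion (`img: []` strips a `data:` src) shows the override is intended. A comment above the branch, `// A per-tag entry replaces allowedSchemes for that tag; an empty list rejects every scheme on it`, would stop a later edit from quietly turning it into a union. The README example with `allowedSchemes: [ 'http', 'https' ]` and `img: [ 'data' ]` would also read less ambiguously if it stated that `img` then accepts only `data:`. The lookup key is the tag name as the parser hands it over, which I take to be lowercased by htmlparser2's defaults, so configuration keys presumably need to be lowercase too — worth confirming. naughtyHref's body starts and ends outside this hunk.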
{ | ||
"name": "sanitize-html", | ||
"version": "1.6.1", | ||
"version": "1.7.0", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -64,3 +64,8 @@ # sanitize-html | ||
// URL schemes we permit | ||
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ] | ||
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ], | ||
// Be more specific about allowed schemes | ||
// for a certain tag | ||
allowedSchemesByTag: { | ||
img: [ 'http' ] | ||
} | ||
@@ -212,4 +217,15 @@ "What if I want to allow all tags or all attributes?" | ||
You can also allow a scheme for a particular tag only: | ||
```javascript | ||
allowedSchemes: [ 'http', 'https' ], | ||
allowedSchemesByTag: { | ||
img: [ 'data' ] | ||
} | ||
``` | ||
## Changelog | ||
1.7.0: introduced `allowedSchemesByTag` option. Thanks to Cameron Will. | ||
1.6.1: the string `'undefined'` (as opposed to `undefined`) is perfectly valid text and shouldn't be expressly converted to the empty string. | ||
@@ -216,0 +232,0 @@ |
@@ -195,2 +195,34 @@ var assert = require("assert"); | ||
}); | ||
it('should allow defining schemes on a per-tag basis', function() { | ||
assert.equal( | ||
sanitizeHtml( | ||
// teeny-tiny valid transparent GIF in a data URL | ||
'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" /><a href="https://www.example.com"></a>', | ||
{ | ||
allowedTags: ['img', 'a'], | ||
allowedSchemes: ['http'], | ||
allowedSchemesByTag: { | ||
img: ['data'], | ||
a: ['https'] | ||
} | ||
} | ||
), | ||
'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" /><a href="https://www.example.com"></a>' | ||
); | ||
assert.equal( | ||
sanitizeHtml( | ||
// teeny-tiny valid transparent GIF in a data URL | ||
'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" /><a href="https://www.example.com"></a>', | ||
{ | ||
allowedTags: ['img', 'a'], | ||
allowedSchemes: ['http'], | ||
allowedSchemesByTag: { | ||
img: [], | ||
a: ['https'] | ||
} | ||
} | ||
), | ||
'<img /><a href="https://www.example.com"></a>' | ||
); | ||
}); | ||
it('should not act weird when the class attribute is empty', function() { | ||
@@ -197,0 +229,0 @@ assert.equal( |
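Review bot: Neither assertion in the new test exercises the fallback path, because both `img` and `a` carry entries in `allowedSchemesByTag`, so a regression that dropped the `return !_.contains(options.allowedSchemes, scheme)` line for unlisted tags would still pass here. A third assertion with a tag that has no per-tag entry would pin that path; the expected `<a></a>` below follows the `<img />` result of the second assertion by analogy and should be confirmed against the real output. The enclosing `describe` block starts outside the hunk.
```javascript
    // … unchanged: the two existing per-tag assertions …
    // a tag without a per-tag entry must fall back to allowedSchemes
    assert.equal(
      sanitizeHtml(
        '<a href="https://www.example.com"></a>',
        {
          allowedTags: ['a'],
          allowedSchemes: ['http'],
          allowedSchemesByTag: {
            img: ['data']
          }
        }
      ),
      '<a></a>'
    );
```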