sanitize-html - npm Package Compare versions

Comparing version 1.6.1 to 1.7.0

14

index.js

@@ -134,3 +134,3 @@ var htmlparser = require('htmlparser2');

if ((a === 'href') || (a === 'src')) {
if (naughtyHref(value)) {
if (naughtyHref(name, value)) {
delete frame.attribs[a];

@@ -229,3 +229,3 @@ return;

function naughtyHref(href) {
function naughtyHref(name, href) {
// Browsers ignore character codes of 32 (space) and below in a surprising

@@ -246,3 +246,8 @@ // number of situations. Start reading here:

var scheme = matches[1].toLowerCase();
return (!_.contains(options.allowedSchemes, scheme));
if (_.has(options.allowedSchemesByTag, name)) {
return !_.contains(options.allowedSchemesByTag[name], scheme);
}
return !_.contains(options.allowedSchemes, scheme);
}

@@ -276,3 +281,4 @@

// URL schemes we permit
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ]
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
allowedSchemesByTag: {}
};

@@ -279,0 +285,0 @@
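Review bot: The per-tag branch added at `if (_.has(options.allowedSchemesByTag, name))` returns before the global `allowedSchemes` check is reached, so a per-tag list is a complete replacement for that tag rather than a narrowing of it, and nothing in the code says so; a reader who adds `a: ['https']` to permit one extra scheme will silently lose `http` and `mailto` for links (the `img: []` test confirms an empty list blocks every scheme). I would put `// A per-tag list fully replaces allowedSchemes for that tag; it is not intersected with it.` above the `if`. The lookup is also an exact string match on `name`, so whether `<IMG SRC=...>` hits the `img` entry depends on the parser lowercasing tag names, which is configured outside this hunk and worth confirming, since a miss falls back to the broader global list. `naughtyHref` starts before this hunk and `matches` is computed above the shown lines.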

{
"name": "sanitize-html",
"version": "1.6.1",
"version": "1.7.0",
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -64,3 +64,8 @@ # sanitize-html

// URL schemes we permit
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ]
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
// Be more specific about allowed schemes
// for a certain tag
allowedSchemesByTag: {
img: [ 'http' ]
}

@@ -212,4 +217,15 @@ "What if I want to allow all tags or all attributes?"

You can also allow a scheme for a particular tag only:
```javascript
allowedSchemes: [ 'http', 'https' ],
allowedSchemesByTag: {
img: [ 'data' ]
}
```
## Changelog
1.7.0: introduced `allowedSchemesByTag` option. Thanks to Cameron Will.
1.6.1: the string `'undefined'` (as opposed to `undefined`) is perfectly valid text and shouldn't be expressly converted to the empty string.

@@ -216,0 +232,0 @@

@@ -195,2 +195,34 @@ var assert = require("assert");

});
it('should allow defining schemes on a per-tag basis', function() {
assert.equal(
sanitizeHtml(
// teeny-tiny valid transparent GIF in a data URL
'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" /><a href="https://www.example.com"></a>',
{
allowedTags: ['img', 'a'],
allowedSchemes: ['http'],
allowedSchemesByTag: {
img: ['data'],
a: ['https']
}
}
),
'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" /><a href="https://www.example.com"></a>'
);
assert.equal(
sanitizeHtml(
// teeny-tiny valid transparent GIF in a data URL
'<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" /><a href="https://www.example.com"></a>',
{
allowedTags: ['img', 'a'],
allowedSchemes: ['http'],
allowedSchemesByTag: {
img: [],
a: ['https']
}
}
),
'<img /><a href="https://www.example.com"></a>'
);
});
it('should not act weird when the class attribute is empty', function() {

@@ -197,0 +229,0 @@ assert.equal(
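Review bot: The new `it('should allow defining schemes on a per-tag basis')` test exercises only tags that have an entry in `allowedSchemesByTag`, so the fallback branch — a tag absent from the map reverting to the global `allowedSchemes` — has no coverage, and a regression that turned the per-tag check into an unconditional lookup would still pass. Both assertions also set `a: ['https']`, so they never show the global list being consulted at all. I would add a third assertion in which only `img` is mapped and an `<a>` with an `https:` href survives while a `mailto:` one is stripped under `allowedSchemes: ['https']`. The `it` block is complete within this hunk.
```javascript
    // … unchanged: the two existing assertions …
    // A tag with no entry in allowedSchemesByTag must fall back to the global allowedSchemes
    assert.equal(
      sanitizeHtml(
        '<a href="https://www.example.com"></a><a href="mailto:someone@example.com"></a>',
        {
          allowedTags: ['a'],
          allowedSchemes: ['https'],
          allowedSchemesByTag: {
            img: ['data']
          }
        }
      ),
      '<a href="https://www.example.com"></a><a></a>'
    );
```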
