sanitize-html - npm Package Compare versions

Comparing version 1.7.0 to 1.7.1

index.js

 var htmlparser = require('htmlparser2');
-var _ = require('lodash');
+var extend = require('xtend');
 var quoteRegexp = require('regexp-quote');
+require('array-includes').shim(); // Array.prototype.includes polyfill
 
+function each(obj, cb) {
+  obj && Object.keys(obj).forEach(function (key) {
+    cb(obj[key], key)
+  })
+}
+
 module.exports = sanitizeHtml;
@@ -32,3 +39,3 @@
   } else {
-    _.defaults(options, sanitizeHtml.defaults);
+    options = extend(sanitizeHtml.defaults, options);
   }
@@ -38,17 +45,3 @@ // Tags that contain something other than HTML. If we are not allowing
   // drop the tag but keep its content.
-  var nonTextTagsMap = {
-    script: true,
-    style: true
-  };
-  var allowedTagsMap;
-  if(options.allowedTags) {
-    allowedTagsMap = {};
-    _.each(options.allowedTags, function(tag) {
-      allowedTagsMap[tag] = true;
-    });
-  }
-  var selfClosingMap = {};
-  _.each(options.selfClosing, function(tag) {
-    selfClosingMap[tag] = true;
-  });
+  var nonTextTagsArray = [ 'script', 'style' ];
   var allowedAttributesMap;
@@ -59,10 +52,10 @@ var allowedAttributesGlobMap;
     allowedAttributesGlobMap = {};
-    _.each(options.allowedAttributes, function(attributes, tag) {
-      allowedAttributesMap[tag] = {};
+    each(options.allowedAttributes, function(attributes, tag) {
+      allowedAttributesMap[tag] = [];
       var globRegex = [];
-      _.each(attributes, function(name) {
+      attributes.forEach(function(name) {
         if(name.indexOf('*') >= 0) {
           globRegex.push(quoteRegexp(name).replace(/\\\*/g, '.*'));
         } else {
-          allowedAttributesMap[tag][name] = true;
+          allowedAttributesMap[tag].push(name);
         }
@@ -74,19 +67,16 @@ });
   var allowedClassesMap = {};
-  _.each(options.allowedClasses, function(classes, tag) {
+  each(options.allowedClasses, function(classes, tag) {
     // Implicitly allows the class attribute
     if(allowedAttributesMap) {
       if (!allowedAttributesMap[tag]) {
-        allowedAttributesMap[tag] = {};
+        allowedAttributesMap[tag] = [];
       }
-      allowedAttributesMap[tag]['class'] = true;
+      allowedAttributesMap[tag].push('class');
     }
 
-    allowedClassesMap[tag] = {};
-    _.each(classes, function(name) {
-      allowedClassesMap[tag][name] = true;
-    });
+    allowedClassesMap[tag] = classes;
   });
 
   var transformTagsMap = {};
-  _.each(options.transformTags, function(transform, tag){
+  each(options.transformTags, function(transform, tag){
     if (typeof transform === 'function') {
@@ -110,3 +100,3 @@ transformTagsMap[tag] = transform;
       var skip = false;
-      if (_.has(transformTagsMap, name)) {
+      if (transformTagsMap[name]) {
         var transformedTag = transformTagsMap[name](name, attribs);
@@ -121,5 +111,5 @@
 
-      if (allowedTagsMap && !_.has(allowedTagsMap, name)) {
+      if (options.allowedTags && !options.allowedTags.includes(name)) {
         skip = true;
-        if (_.has(nonTextTagsMap, name)) {
+        if (nonTextTagsArray.includes(name)) {
           skipText = true;
@@ -135,6 +125,6 @@ }
       result += '<' + name;
-      if (!allowedAttributesMap || _.has(allowedAttributesMap, name)) {
-        _.each(attribs, function(value, a) {
-          if (!allowedAttributesMap || _.has(allowedAttributesMap[name], a) || (_.has(allowedAttributesGlobMap, name) &&
-              allowedAttributesGlobMap[name].test(a))) {
+      if (!allowedAttributesMap || allowedAttributesMap[name]) {
+        each(attribs, function(value, a) {
+          if (!allowedAttributesMap || allowedAttributesMap[name].includes(a) ||
+              (allowedAttributesGlobMap[name] && allowedAttributesGlobMap[name].test(a))) {
             if ((a === 'href') || (a === 'src')) {
@@ -162,3 +152,3 @@ if (naughtyHref(name, value)) {
       }
-      if (_.has(selfClosingMap, name)) {
+      if (options.selfClosing.includes(name)) {
         result += " />";
@@ -174,3 +164,3 @@ } else {
       var tag = stack[stack.length-1] && stack[stack.length-1].tag;
-      if (_.has(nonTextTagsMap, tag)) {
+      if (nonTextTagsArray.includes(tag)) {
         result += text;
@@ -216,3 +206,3 @@ } else {
 
-      if (_.has(selfClosingMap, name)) {
+      if (options.selfClosing.includes(name)) {
          // Already output />
@@ -255,7 +245,7 @@ return;
 
-    if (_.has(options.allowedSchemesByTag, name)) {
-      return !_.contains(options.allowedSchemesByTag[name], scheme);
+    if (options.allowedSchemesByTag[name]) {
+      return !options.allowedSchemesByTag[name].includes(scheme);
     }
 
-    return !_.contains(options.allowedSchemes, scheme);
+    return !options.allowedSchemes || !options.allowedSchemes.includes(scheme);
   }
@@ -269,4 +259,4 @@
     classes = classes.split(/\s+/);
-    return _.filter(classes, function(c) {
-      return _.has(allowed, c);
+    return classes.filter(function(clss) {
+      return allowed.includes(clss);
     }).join(' ');
@@ -273,0 +263,0 @@ }

package.json

 {
   "name": "sanitize-html",
-  "version": "1.7.0",
+  "version": "1.7.1",
   "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
@@ -24,6 +24,7 @@ "main": "index.js",
   "dependencies": {
+    "array-includes": "^2.0.0",
     "htmlparser2": "3.8.x",
-    "lodash": "2.4.x",
-    "regexp-quote": "0.0.0"
+    "regexp-quote": "0.0.0",
+    "xtend": "^4.0.0"
   }
 }

README.md

@@ -227,2 +227,4 @@ # sanitize-html
 
+1.7.1: removed lodash dependency, adding lighter dependencies and polyfills in its place. Thanks to Joseph Dykstra.
+
 1.7.0: introduced `allowedSchemesByTag` option. Thanks to Cameron Will.
@@ -229,0 +231,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Number of lines in readme file

302

increased by0.67%

Worsened metrics

Total package byte prevSize

43370

decreased by-0.05%

Dependency count

4

increased by33.33%

Lines of code

638

decreased by-1.69%

Dependency changes

• + Addedarray-includes@^2.0.0

• + Addedxtend@^4.0.0

• + Addedarray-buffer-byte-length@1.0.1(transitive)

• + Addedarray-includes@2.0.0(transitive)

• + Addedarraybuffer.prototype.slice@1.0.3(transitive)

• + Addedavailable-typed-arrays@1.0.7(transitive)

• + Addedcall-bind@1.0.7(transitive)

• + Addeddata-view-buffer@1.0.1(transitive)

• + Addeddata-view-byte-length@1.0.1(transitive)

• + Addeddata-view-byte-offset@1.0.0(transitive)

• + Addeddefine-data-property@1.1.4(transitive)

• + Addeddefine-properties@1.2.1(transitive)

• + Addedes-abstract@1.23.3(transitive)

• + Addedes-define-property@1.0.0(transitive)

• + Addedes-errors@1.3.0(transitive)

• + Addedes-object-atoms@1.0.0(transitive)

• + Addedes-set-tostringtag@2.0.3(transitive)

• + Addedes-to-primitive@1.2.1(transitive)

• + Addedfor-each@0.3.3(transitive)

• + Addedfunction-bind@1.1.2(transitive)

• + Addedfunction.prototype.name@1.1.6(transitive)

• + Addedfunctions-have-names@1.2.3(transitive)

• + Addedget-intrinsic@1.2.4(transitive)

• + Addedget-symbol-description@1.0.2(transitive)

• + Addedglobalthis@1.0.4(transitive)

• + Addedgopd@1.0.1(transitive)

• + Addedhas-bigints@1.0.2(transitive)

• + Addedhas-property-descriptors@1.0.2(transitive)

• + Addedhas-proto@1.0.3(transitive)

• + Addedhas-symbols@1.0.3(transitive)

• + Addedhas-tostringtag@1.0.2(transitive)

• + Addedhasown@2.0.2(transitive)

• + Addedinternal-slot@1.0.7(transitive)

• + Addedis-array-buffer@3.0.4(transitive)

• + Addedis-bigint@1.0.4(transitive)

• + Addedis-boolean-object@1.1.2(transitive)

• + Addedis-callable@1.2.7(transitive)

• + Addedis-data-view@1.0.1(transitive)

• + Addedis-date-object@1.0.5(transitive)

• + Addedis-negative-zero@2.0.3(transitive)

• + Addedis-number-object@1.0.7(transitive)

• + Addedis-regex@1.1.4(transitive)

• + Addedis-shared-array-buffer@1.0.3(transitive)

• + Addedis-string@1.0.7(transitive)

• + Addedis-symbol@1.0.4(transitive)

• + Addedis-typed-array@1.1.13(transitive)

• + Addedis-weakref@1.0.2(transitive)

• + Addedisarray@2.0.5(transitive)

• + Addedobject-inspect@1.13.3(transitive)

• + Addedobject-keys@1.1.1(transitive)

• + Addedobject.assign@4.1.5(transitive)

• + Addedpossible-typed-array-names@1.0.0(transitive)

• + Addedregexp.prototype.flags@1.5.3(transitive)

• + Addedsafe-array-concat@1.1.2(transitive)

• + Addedsafe-regex-test@1.0.3(transitive)

• + Addedset-function-length@1.2.2(transitive)

• + Addedset-function-name@2.0.2(transitive)

• + Addedside-channel@1.0.6(transitive)

• + Addedstring.prototype.trim@1.2.9(transitive)

• + Addedstring.prototype.trimend@1.0.8(transitive)

• + Addedstring.prototype.trimstart@1.0.8(transitive)

• + Addedtyped-array-buffer@1.0.2(transitive)

• + Addedtyped-array-byte-length@1.0.1(transitive)

• + Addedtyped-array-byte-offset@1.0.2(transitive)

• + Addedtyped-array-length@1.0.6(transitive)

• + Addedunbox-primitive@1.0.2(transitive)

• + Addedwhich-boxed-primitive@1.0.2(transitive)

• + Addedwhich-typed-array@1.1.15(transitive)

• + Addedxtend@4.0.2(transitive)

• - Removedlodash@2.4.x

• - Removedlodash@2.4.2(transitive)