sanitize-html - npm Package Compare versions

Comparing version 1.7.2 to 1.8.0

49

index.js

@@ -40,6 +40,7 @@ var htmlparser = require('htmlparser2');

}
// Tags that contain something other than HTML. If we are not allowing
// these tags, we should drop their content too. For other tags you would
// drop the tag but keep its content.
var nonTextTagsArray = [ 'script', 'style' ];
// Tags that contain something other than HTML, or where discarding
// the text when the tag is disallowed makes sense for other reasons.
// If we are not allowing these tags, we should drop their content too.
// For other tags you would drop the tag but keep its content.
var nonTextTagsArray = [ 'script', 'style', 'textarea' ];
var allowedAttributesMap;

@@ -77,8 +78,15 @@ var allowedAttributesGlobMap;

var transformTagsMap = {};
each(options.transformTags, function(transform, tag){
var transformTagsAll;
each(options.transformTags, function(transform, tag) {
var transFun;
if (typeof transform === 'function') {
transformTagsMap[tag] = transform;
transFun = transform;
} else if (typeof transform === "string") {
transformTagsMap[tag] = sanitizeHtml.simpleTransform(transform);
transFun = sanitizeHtml.simpleTransform(transform);
}
if (tag === '*') {
transformTagsAll = transFun;
} else {
transformTagsMap[tag] = transFun;
}
});

@@ -97,6 +105,12 @@

var skip = false;
var transformedTag;
if (transformTagsMap[name]) {
var transformedTag = transformTagsMap[name](name, attribs);
transformedTag = transformTagsMap[name](name, attribs);
frame.attribs = attribs = transformedTag.attribs;
if (transformedTag.text !== undefined) {
frame.innerText = transformedTag.text;
}
if (name !== transformedTag.tagName) {

@@ -107,3 +121,12 @@ frame.name = name = transformedTag.tagName;

}
if (transformTagsAll) {
transformedTag = transformTagsAll(name, attribs);
frame.attribs = attribs = transformedTag.attribs;
if (name !== transformedTag.tagName) {
frame.name = name = transformedTag.tagName;
transformMap[depth] = transformedTag.tagName;
}
}
if (options.allowedTags && options.allowedTags.indexOf(name) === -1) {

@@ -158,3 +181,11 @@ skip = true;

}
var tag = stack[stack.length-1] && stack[stack.length-1].tag;
var lastFrame = stack[stack.length-1];
var tag;
if (lastFrame) {
tag = lastFrame.tag;
// If inner text was set by transform function then let's use it
text = lastFrame.innerText !== undefined ? lastFrame.innerText : text;
}
if (nonTextTagsArray.indexOf(tag) !== -1) {

@@ -161,0 +192,0 @@ result += text;
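Review bot: The wildcard branch added in the `@@ -107` hunk ignores `transformedTag.text`, whereas the per-tag branch in the `@@ -97` hunk stores it in `frame.innerText`, so a `*` transform cannot replace element text even though the two paths are otherwise written in parallel. Adding `if (transformedTag.text !== undefined) { frame.innerText = transformedTag.text; }` right after `frame.attribs = attribs = transformedTag.attribs;` inside the `if (transformTagsAll)` block would make both paths consistent. Both branches also assume the transform returned an object with an `attribs` property; a transform that returns nothing leaves `attribs` undefined for the rest of the handler, and the new `*` path runs on every tag so this is presumably easier to hit now. The enclosing open-tag handler starts and ends outside these hunks.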

2

package.json
{
"name": "sanitize-html",
"version": "1.7.2",
"version": "1.8.0",
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -118,2 +118,4 @@ # sanitize-html

You can specify the `*` wildcard instead of a tag name to transform all tags.
There is also a helper method which should be enough for simple cases in which you want to change the tag and/or add some attributes:

@@ -228,2 +230,10 @@

1.8.0:
* `transformTags` now accepts the `*` wildcard to transform all tags. Thanks to Jamy Timmermans.
* Text that has been modified by `transformTags` is then passed through `textFilter`. Thanks to Pavlo Yurichuk.
* Content inside `textarea` is discarded if `textarea` is not allowed. I don't know why it took me this long to see that this is just common sense. Thanks to David Frank.
1.7.2: removed `array-includes` dependency in favor of `indexOf`, which is a little more verbose but slightly faster and doesn't require a shim. Thanks again to Joseph Dykstra.

@@ -230,0 +240,0 @@

@@ -46,2 +46,10 @@ var assert = require("assert");

});
it('should drop the content of textarea elements', function() {
assert.equal(sanitizeHtml('<textarea>Nifty</textarea><p>Paragraph</p>'), '<p>Paragraph</p>');
});
it('should preserve textarea content if textareas are allowed', function() {
assert.equal(sanitizeHtml('<textarea>Nifty</textarea><p>Paragraph</p>', {
allowedTags: [ 'textarea', 'p' ]
}), '<textarea>Nifty</textarea><p>Paragraph</p>');
});
it('should preserve entities as such', function() {

@@ -104,2 +112,23 @@ assert.equal(sanitizeHtml('<a name="&lt;silly&gt;">&lt;Kapow!&gt;</a>'), '<a name="&lt;silly&gt;">&lt;Kapow!&gt;</a>');

it('should replace text and attributes when they are changed by transforming function', function () {
assert.equal(sanitizeHtml('<a href="http://somelink">some text</a>', { transformTags: {a: function (tagName, attribs) {
return {
tagName: tagName,
attribs: attribs,
text: ''
}
}}}), '<a href="http://somelink"></a>');
});
it('should replace text and attributes when they are changed by transforming function and textFilter is set', function () {
assert.equal(sanitizeHtml('<a href="http://somelink">some text</a>', { transformTags: {a: function (tagName, attribs) {
return {
tagName: tagName,
attribs: attribs,
text: 'some text need"to<be>filtered'
}
}}, textFilter: function (text) {
return text.replace(/\s/g, '_');
}}), '<a href="http://somelink">some_text_need&quot;to&lt;be&gt;filtered</a>');
});
it('should skip an empty link', function() {

@@ -324,2 +353,24 @@ assert.strictEqual(

});
it('should allow transform on all tags using \'*\'', function () {
assert.equal(
sanitizeHtml(
'<p>Text</p>',
{
allowedTags: [ 'p' ],
allowedAttributes: {p: ['style']},
transformTags: {
'*': function (tagName, attribs) {
return {
tagName: tagName,
attribs: {
style: 'text-align: center;'
}
};
}
}
}
),
'<p style="text-align: center;">Text</p>'
);
});
it('should not be faked out by double <', function() {

@@ -326,0 +377,0 @@ assert.equal(
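Review bot: The new `*` test at the end of the section feeds a single `<p>` with no per-tag `transformTags` entry, so the order in which index.js applies the per-tag transform and then the wildcard transform to the same element is not verified. A case that sets both `a: ...` and `'*': ...` on one input and asserts the final tag name and attributes would pin that behaviour, in particular that the wildcard sees the already-renamed tag. Each `it(...)` here is self-contained, so no enclosing block is cut by the hunk.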
