sanitize-html - npm Package Compare versions

Comparing version 2.0.0-beta to 2.0.0-beta.2

CHANGELOG.md

 ## Changelog
 
+2.0.0-beta.2:
+- Add `files` to `package.json` to prevent publishing unnecessary files to npm #392. Thanks to [styfle](https://github.com/styfle) for the contribution.
+- Removes `iframe` and `nl` from default allowed tags. Adds most innocuous tags to the default `allowedTags` array.
+- Fixes a bug when using `transformTags` with out `textFilter`. Thanks to [Andrzej Porebski](https://github.com/andpor) for the help with a failing test.
+
 2.0.0-beta:
@@ -4,0 +9,0 @@ - Moves the `index.js` file to the project root and removes all build steps within the package. Going forward, it is up to the developer to include sanitize-html in their project builds as-needed. This removes major points of conflict with project code and frees this module to not worry about myriad build-related questions.

index.js

@@ -181,2 +181,3 @@ const htmlparser = require('htmlparser2');
   let skipTextDepth;
+  let addedText = false;
 
@@ -395,2 +396,3 @@ initializeState();
           result += escapeHtml(frame.innerText);
+          addedText = true;
         }
@@ -424,5 +426,5 @@ }
         const escaped = escapeHtml(text, false);
-        if (options.textFilter) {
+        if (options.textFilter && !addedText) {
           result += options.textFilter(escaped, tag);
-        } else {
+        } else if (!addedText) {
           result += escaped;
@@ -662,5 +664,22 @@ }
 sanitizeHtml.defaults = {
-  allowedTags: ['h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
-    'nl', 'li', 'b', 'i', 'strong', 'em', 'strike', 'abbr', 'code', 'hr', 'br', 'div',
-    'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'iframe'],
+  allowedTags: [
+    // Sections derived from MDN element categories and limited to the more
+    // benign categories.
+    // https://developer.mozilla.org/en-US/docs/Web/HTML/Element
+    // Content sectioning
+    'address', 'article', 'aside', 'footer', 'header',
+    'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hgroup',
+    'main', 'nav', 'section',
+    // Text content
+    'blockquote', 'dd', 'div', 'dl', 'dt', 'figcaption', 'figure',
+    'hr', 'li', 'main', 'ol', 'p', 'pre', 'ul',
+    // Inline text semantics
+    'a', 'abbr', 'b', 'bdi', 'bdo', 'br', 'cite', 'code', 'data', 'dfn',
+    'em', 'i', 'kbd', 'mark', 'q',
+    'rb', 'rp', 'rt', 'rtc', 'ruby',
+    's', 'samp', 'small', 'span', 'strong', 'sub', 'time', 'u', 'var', 'wbr',
+    // Table content
+    'caption', 'col', 'colgroup', 'table', 'tbody', 'td', 'tfoot', 'th',
+    'thead', 'tr'
+  ],
   disallowedTagsMode: 'discard',
@@ -667,0 +686,0 @@ allowedAttributes: {

package.json

 {
   "name": "sanitize-html",
-  "version": "2.0.0-beta",
+  "version": "2.0.0-beta.2",
   "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
   "sideEffects": false,
   "main": "index.js",
+  "files": [
+    "index.js"
+  ],
   "scripts": {
@@ -8,0 +11,0 @@ "test": "npx eslint . && mocha test/test.js"

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Number of medium supply chain risk alerts

0

decreased by-100%

Worsened metrics

Total package byte prevSize

62252

decreased by-45.87%

Number of package files

5

decreased by-58.33%

Lines of code

661

decreased by-62.8%

No dependency changes