sanitize-html
Comparing version 2.11.0 to 2.12.0
index.js
@@ -298,5 +298,7 @@ const htmlparser = require('htmlparser2'); | ||
} | ||
// If the value is empty, and this is a known non-boolean attribute, delete it | ||
// If the value is empty, check if the attribute is in the allowedEmptyAttributes array. | ||
// If it is not in the allowedEmptyAttributes array, and it is a known non-boolean attribute, delete it | ||
// List taken from https://html.spec.whatwg.org/multipage/indices.html#attributes-3 | ||
if (value === '' && (options.nonBooleanAttributes.includes(a) || options.nonBooleanAttributes.includes('*'))) { | ||
if (value === '' && (!options.allowedEmptyAttributes.includes(a)) && | ||
(options.nonBooleanAttributes.includes(a) || options.nonBooleanAttributes.includes('*'))) { | ||
delete frame.attribs[a]; | ||
@@ -478,2 +480,4 @@ return; | ||
result += '="' + escapeHtml(value, true) + '"'; | ||
} else if (options.allowedEmptyAttributes.includes(a)) { | ||
result += '=""'; | ||
} | ||
@@ -881,2 +885,5 @@ } else { | ||
}, | ||
allowedEmptyAttributes: [ | ||
'alt' | ||
], | ||
// Lots of these won't come up by default because we don't allow them | ||
@@ -883,0 +890,0 @@ selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ], |
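Review bot: The new `options.allowedEmptyAttributes.includes(a)` calls in the first hunk (the condition ending at `delete frame.attribs[a];`) and in the second hunk (`} else if (options.allowedEmptyAttributes.includes(a)) {`) assume the option is always an array; the README hunk on this page shows `allowedAttributes: false` as the accepted way to disable an option, so a caller who writes `allowedEmptyAttributes: false` or `null` in the same style would get a TypeError from inside the sanitizer instead of a clear configuration error, unless option merging normalizes it somewhere outside these hunks. A cheap guard at both sites is `const allowEmpty = Array.isArray(options.allowedEmptyAttributes) && options.allowedEmptyAttributes.includes(a);`, or validate the option once where the other defaults are applied. Note also that `nonBooleanAttributes` honours a `'*'` wildcard on the same line while `allowedEmptyAttributes` does not; if that asymmetry is intended, a one-line comment such as `// allowedEmptyAttributes is an explicit list; no '*' wildcard` next to the condition would save the next reader a question. The enclosing functions of both hunks start and end outside the hunks, and the README change visible here does not document the new option.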
{ | ||
"name": "sanitize-html", | ||
"version": "2.11.0", | ||
"version": "2.12.0", | ||
"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis", | ||
@@ -44,2 +44,2 @@ "sideEffects": false, | ||
} | ||
} | ||
} |
# sanitize-html | ||
[![CircleCI](https://circleci.com/gh/apostrophecms/sanitize-html/tree/main.svg?style=svg)](https://circleci.com/gh/apostrophecms/sanitize-html/tree/main) | ||
<a href="https://apostrophecms.com/"><img src="https://raw.githubusercontent.com/apostrophecms/sanitize-html/main/logos/logo-box-madefor.png" align="right" /></a> | ||
@@ -270,2 +268,17 @@ | ||
#### "What if I want to maintain the original case for SVG elements and attributes?" | ||
If you're incorporating SVG elements like `linearGradient` into your content and notice that they're not rendering as expected due to case sensitivity issues, it's essential to prevent `sanitize-html` from converting element and attribute names to lowercase. This situation often arises when SVGs fail to display correctly because their case-sensitive tags, such as `linearGradient` and attributes like `viewBox`, are inadvertently lowercased. | ||
To address this, ensure you set `lowerCaseTags: false` and `lowerCaseAttributeNames: false` in the parser options of your sanitize-html configuration. This adjustment stops the library from altering the case of your tags and attributes, preserving the integrity of your SVG content. | ||
```js | ||
allowedTags: [ 'svg', 'g', 'defs', 'linearGradient', 'stop', 'circle' ], | ||
allowedAttributes: false, | ||
parser: { | ||
lowerCaseTags: false, | ||
lowerCaseAttributeNames: false | ||
} | ||
``` | ||
### Wildcards for attributes | ||
@@ -272,0 +285,0 @@ |