sanitize-html - npm Package Compare versions

Comparing version 2.12.1 to 2.13.0


index.js

@@ -265,3 +265,3 @@ const htmlparser = require('htmlparser2');

skipMap[depth] = true;
if (options.disallowedTagsMode === 'discard') {
if (options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') {
if (nonTextTagsArray.indexOf(name) !== -1) {
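Review bot: the test `options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard'` introduced here is repeated verbatim in the hunks at -276, -516 and -565 below; compute it once where options are normalised, e.g. `const discardsTag = options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard';`, and test that flag at each site, so that a future mode cannot be added to one branch and missed in another (an inconsistency between the skip and the close paths would leave the sanitizer in an undefined state for that tag).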

@@ -276,3 +276,3 @@ skipText = true;

if (skip) {
if (options.disallowedTagsMode === 'discard') {
if (options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') {
// We want the contents but not this tag
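Review bot: the comment `// We want the contents but not this tag` no longer describes the branch it annotates, since in `completelyDiscard` mode the tag's own text is dropped as well; reword it to cover both cases, for example `// Drop this tag; its text survives in discard mode and is removed in completelyDiscard mode`, so a reader does not conclude that `completelyDiscard` behaves like `discard` here.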

@@ -516,3 +516,5 @@ return;

if (options.disallowedTagsMode === 'discard' && ((tag === 'script') || (tag === 'style'))) {
if (options.disallowedTagsMode === 'completelyDiscard' && !tagAllowed(tag)) {
text = '';
} else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && ((tag === 'script') || (tag === 'style'))) {
// htmlparser2 gives us these as-is. Escaping them ruins the content. Allowing
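Review bot: the new `completelyDiscard && !tagAllowed(tag)` branch is ordered ahead of the existing script/style branch, so for a disallowed `<script>` or `<style>` in `completelyDiscard` mode `text = ''` wins and the else-if is never reached; that is the right outcome, but the ordering is load-bearing and should be pinned by a regression test covering `<script>` and `<style>` bodies in both `discard` and `completelyDiscard` modes. `tagAllowed` is not shown in this hunk; confirm it evaluates the same allowlist (including any per-frame decision made when the tag was opened) so text is never cleared for a tag the opening path kept, or kept for one it discarded.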

@@ -565,3 +567,3 @@ // script tags is, by definition, game over for XSS protection, so if that's

delete skipMap[depth];
if (options.disallowedTagsMode === 'discard') {
if (options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') {
frame.updateParentNodeText();

@@ -568,0 +570,0 @@ return;


package.json
{
"name": "sanitize-html",
"version": "2.12.1",
"version": "2.13.0",
"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",

@@ -5,0 +5,0 @@ "sideEffects": false,

@@ -43,2 +43,4 @@ # sanitize-html

When using TypeScript, there is a minimum supported version of >=4.5 because of a dependency on the `htmlparser2` types.
Any questions or problems while using `@types/sanitize-html` should be directed to its maintainers as directed by that project's contribution guidelines.

@@ -247,2 +249,4 @@

If you set `disallowedTagsMode` to `completelyDiscard`, disallowed tags and any content they contain are discarded. Any subtags are still included, as long as those individual subtags are allowed.
If you set `disallowedTagsMode` to `escape`, the disallowed tags are escaped rather than discarded. Any text or subtags are handled normally.
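Review bot: "disallowed tags and any content they contain are discarded. Any subtags are still included" reads as contradictory on first pass; say explicitly that text placed directly inside the disallowed tag is removed while allowed descendant tags and their text are kept, which is what the `<disallowed>content <allowed>content</allowed> </disallowed>` example later in this README shows.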

@@ -708,4 +712,33 @@

Valid values are: `'discard'` (default), `'escape'` (escape the tag) and `'recursiveEscape'` (to escape the tag and all its content).
Valid values are: `'discard'` (default), `'completelyDiscard'` (remove disallowed tag's content), `'escape'` (escape the tag) and `'recursiveEscape'` (to escape the tag and all its content).
#### Discard disallowed but but the inner content of disallowed tags is kept.
If you set `disallowedTagsMode` to `discard`, disallowed tags are discarded but but the inner content of disallowed tags is kept.
```js
disallowedTagsMode: 'discard'
```
This will transform `<disallowed>content</disallowed>` to `content`
#### Discard entire content of a disallowed tag
If you set `disallowedTagsMode` to `completelyDiscard`, disallowed tags and any content they contain are discarded. Any subtags are still included, as long as those individual subtags are allowed.
```js
disallowedTagsMode: 'completelyDiscard'
```
This will transform `<disallowed>content <allowed>content</allowed> </disallowed>` to `<allowed>content</allowed>`
#### Escape the disallowed tag and all its children even for allowed tags.
if you set `disallowedTagsMode` to `recursiveEscape`, disallowed tag and its children will be escaped even for allowed tags
```js
disallowedTagsMode: `recursiveEscape`
```
This will transform `<disallowed>hello<p>world</p></disallowed>` to `&lt;disallowed&gt;hello&lt;p&gt;world&lt;/p&gt;&lt;/disallowed&gt;`
### Ignore style attribute contents
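Review bot: several wording and formatting slips in the new README section: "but but" is duplicated in both the heading `#### Discard disallowed but but the inner content...` and the sentence below it; "if you set" should be capitalised like the other two subsections; and the `recursiveEscape` snippet uses backticks (`disallowedTagsMode: \`recursiveEscape\``) where the `discard` and `completelyDiscard` snippets use single quotes, so make it `disallowedTagsMode: 'recursiveEscape'` for consistency. Also worth confirming that the documented `completelyDiscard` output `<allowed>content</allowed>` (no surrounding spaces) is what the implementation produces, since the whitespace text nodes sit directly inside the disallowed tag and are therefore subject to the `text = ''` path.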

@@ -712,0 +745,0 @@
