sanitize-html

sanitize-html - npm Package Compare versions

Comparing version 2.14.0 to 2.15.0 (+22, -9)
index.js

@@ -100,2 +100,3 @@ const htmlparser = require('htmlparser2');

this.text = ''; // Node inner text
this.openingTagLength = 0;
this.mediaChildren = [];
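Review bot: the new `openingTagLength` field has no comment, unlike `text` right above it (`// Node inner text`); a one-liner such as `// Length of the serialized opening tag in result, set by the handler that emits it` would tell readers what unit it is measured in and that 0 means the opening tag was never written.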

@@ -272,3 +273,2 @@

}
skipMap[depth] = true;
}

@@ -284,3 +284,3 @@ depth++;

} else {
result += escapeHtml(frame.innerText);
result += escaped;
}
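Review bot: `result += escaped;` replaces `escapeHtml(frame.innerText)` with a variable that is neither declared nor assigned anywhere in this hunk; the change is only behaviour-preserving if `escaped` is built from `frame.innerText` with the same default escaping a few lines up. Please widen the context to include that assignment, or rename it (`escapedInnerText`), since the `ontext` handler also has a local `escaped` built from a different input and the shared name invites confusion.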

@@ -513,2 +513,3 @@ addedText = true;

}
frame.openingTagLength = result.length - frame.tagPosition;
},
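Review bot: `frame.openingTagLength` is measured at the very end of the handler, and the `addedText = true;` context shows the frame's inner text may already have been appended to `result` by then, so the stored length can cover the text as well as the `<tag ...>` markup. The `excludeTag` splice in the close handler would then remove the text it is supposed to keep; capture the length right after the closing `>` is written, or subtract the length of any text appended after it.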

@@ -536,7 +537,7 @@ ontext: function(text) {

result += text;
} else {
} else if (!addedText) {
const escaped = escapeHtml(text, false);
if (options.textFilter && !addedText) {
if (options.textFilter) {
result += options.textFilter(escaped, tag);
} else if (!addedText) {
} else {
result += escaped;

@@ -592,5 +593,17 @@ }

if (options.exclusiveFilter && options.exclusiveFilter(frame)) {
result = result.substr(0, frame.tagPosition);
return;
if (options.exclusiveFilter) {
const filterResult = options.exclusiveFilter(frame);
if (filterResult === 'excludeTag') {
if (skip) {
// no longer escaping the tag since it's not added at all
result = tempResult;
tempResult = '';
}
// remove the opening tag from the result
result = result.substring(0, frame.tagPosition) + result.substring(frame.tagPosition + frame.openingTagLength);
return;
} else if (filterResult) {
result = result.substring(0, frame.tagPosition);
return;
}
}
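Review bot: `skip` is handled asymmetrically between the two branches: `'excludeTag'` restores `result` from `tempResult` before splicing, but `else if (filterResult)` truncates `result` directly and returns, which on a skipped (escaped) tag cuts the temporary buffer while the real output still sits in `tempResult`. Either apply the same `if (skip) { result = tempResult; tempResult = ''; }` before both truncations or add a comment on why `skip` cannot be set on that path. Separately, any truthy value other than `'excludeTag'` (including a misspelled string) silently falls through to full removal; checking `=== true` or documenting the accepted return values would catch typos.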

@@ -841,3 +854,3 @@

'blockquote', 'dd', 'div', 'dl', 'dt', 'figcaption', 'figure',
'hr', 'li', 'main', 'ol', 'p', 'pre', 'ul',
'hr', 'li', 'menu', 'ol', 'p', 'pre', 'ul',
// Inline text semantics
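Review bot: this line swaps `'main'` for `'menu'`, so `<main>` drops out of the default `allowedTags` unless it is also listed in another group of the array outside this hunk. If this is removing a duplicate entry, say so in the changelog; if not, removing a default allowed tag is a breaking change for consumers rather than a minor bump, and `menu` should be added on its own line instead.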

@@ -844,0 +857,0 @@ 'a', 'abbr', 'b', 'bdi', 'bdo', 'br', 'cite', 'code', 'data', 'dfn',

{
"name": "sanitize-html",
"version": "2.14.0",
"version": "2.15.0",
"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",

@@ -5,0 +5,0 @@ "sideEffects": false,

@@ -497,2 +497,17 @@ # sanitize-html

The filter function can also return the string `"excludeTag"` to only remove the tag, while keeping its content. For example, you can remove tags for anchors with invalid links:
```js
sanitizeHtml(
'This is a <a href="javascript:alert(123)">bad link</a> and a <a href="https://www.linux.org">good link</a>',
{
exclusiveFilter: function(frame) {
// the href attribute is removed by the URL protocol check
return frame.tag === 'a' && !frame.attribs.href ? 'excludeTag' : false;
}
}
);
// Output: 'This is a bad link and a <a href="https://www.linux.org">good link</a>'
```
The `frame` object supplied to the callback provides the following attributes:
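Review bot: the example only works because the URL protocol check strips `href` before `exclusiveFilter` runs, which the inline comment hints at but the prose never states; add a sentence that `frame.attribs` reflects attributes after attribute sanitization, not the original input. The condition `!frame.attribs.href` also removes anchors that never had an `href` (for example `<a name="top">`), so either call that out or tighten the example so readers do not copy it as a safe default.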

@@ -713,5 +728,5 @@

#### Discard disallowed but but the inner content of disallowed tags is kept.
#### Discard disallowed but the inner content of disallowed tags is kept.
If you set `disallowedTagsMode` to `discard`, disallowed tags are discarded but but the inner content of disallowed tags is kept.
If you set `disallowedTagsMode` to `discard`, disallowed tags are discarded but the inner content of disallowed tags is kept.

@@ -725,3 +740,3 @@ ```js

If you set `disallowedTagsMode` to `completelyDiscard`, disallowed tags and any content they contain are discarded. Any subtags are still included, as long as those individual subtags are allowed.
If you set `disallowedTagsMode` to `completelyDiscard`, disallowed tags and any text they contain are discarded. This also discards top-level text. Any subtags are still included, as long as those individual subtags are allowed.
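Review bot: "This also discards top-level text." is ambiguous: it could mean text nodes sitting directly at the document root outside any tag, or the disallowed frame's own direct text while allowed child tags survive. Spell out which is meant, and extend the `js` example that follows with an input containing bare root text so the behaviour is demonstrated rather than asserted.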

@@ -728,0 +743,0 @@ ```js