sanitize-html - npm Package Compare versions

Comparing version 2.4.0 to 2.5.0

CHANGELOG.md
# Changelog
## 2.5.0 (2021-09-08):
- New `allowedScriptHostnames` option, it enables you to specify which hostnames are allowed in a script tag.
- New `allowedScriptDomains` option, it enables you to specify which domains are allowed in a script tag. Thank you to [Yorick Girard](https://github.com/yorickgirard) for this and the `allowedScriptHostnames` contribution.
- Updates whitelist to allowlist.
## 2.4.0 (2021-05-19):
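Review bot: the `allowedScriptDomains` entry should say that a domain entry also matches its subdomains, since that is what distinguishes it from `allowedScriptHostnames` (the implementation in this release accepts `parsed.hostname === domain` or `parsed.hostname.endsWith('.' + domain)`, while a hostname entry must match exactly). Suggested wording: "specify which domains (including their subdomains) are allowed in a script tag's `src`". The "Updates whitelist to allowlist" line would also be clearer as "Renames whitelist to allowlist in documentation and comments (no API change)", which is all the diff in this comparison shows.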

@@ -4,0 +10,0 @@ - Added support for class names with wildcards in `allowedClasses`. Thanks to [zhangbenber](https://github.com/zhangbenber) for the contribution.

index.js

@@ -318,2 +318,29 @@ const htmlparser = require('htmlparser2');

}
if (name === 'script' && a === 'src') {
let allowed = true;
frame.innerText = '';
try {
const parsed = new URL(value);
if (options.allowedScriptHostnames || options.allowedScriptDomains) {
const allowedHostname = (options.allowedScriptHostnames || []).find(function (hostname) {
return hostname === parsed.hostname;
});
const allowedDomain = (options.allowedScriptDomains || []).find(function(domain) {
return parsed.hostname === domain || parsed.hostname.endsWith(`.${domain}`);
});
allowed = allowedHostname || allowedDomain;
}
} catch (e) {
allowed = false;
}
if (!allowed) {
delete frame.attribs[a];
return;
}
}
if (name === 'iframe' && a === 'src') {
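Review bot: `const parsed = new URL(value);` is called without a base URL, so a relative `src` such as `/static/app.js` throws inside the `try`, `allowed` becomes `false`, and the attribute is silently stripped even when neither `allowedScriptHostnames` nor `allowedScriptDomains` is configured; if rejecting relative script URLs is intended, document it in the README, otherwise parse against a base and handle the relative case explicitly. Two smaller points in the same block: `parsed.hostname` is always lowercased by the URL parser but the configured entries are compared with `===`, so an option value like `CDN.Example.com` can never match (lowercase the option values before comparing), and `allowed = allowedHostname || allowedDomain;` leaves `allowed` holding a string or `undefined` rather than a boolean, which works with the `if (!allowed)` check but reads better as `Boolean(allowedHostname || allowedDomain)`.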

@@ -615,3 +642,3 @@ let allowed = true;

/**
* Filters user input css properties by whitelisted regex attributes.
* Filters user input css properties by allowlisted regex attributes.
*

@@ -669,6 +696,6 @@ * @param {object} abstractSyntaxTree - Object representation of CSS attributes.

* Filters the existing attributes for the given property. Discards any attributes
* which don't match the whitelist.
* which don't match the allowlist.
*
* @param {object} selectedRule - Example: { color: red, font-family: helvetica }
* @param {array} allowedDeclarationsList - List of declarations which pass whitelisting.
* @param {array} allowedDeclarationsList - List of declarations which pass the allowlist.
* @param {object} attributeObject - Object representing the current css property.

@@ -682,3 +709,3 @@ * @property {string} attributeObject.type - Typically 'declaration'.

return function (allowedDeclarationsList, attributeObject) {
// If this property is whitelisted...
// If this property is allowlisted...
if (has(selectedRule, attributeObject.prop)) {

@@ -685,0 +712,0 @@ const matchesRegex = selectedRule[attributeObject.prop].some(function(regularExpression) {

package.json
{
"name": "sanitize-html",
"version": "2.4.0",
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
"version": "2.5.0",
"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",
"sideEffects": false,

@@ -6,0 +6,0 @@ "main": "index.js",

@@ -32,3 +32,3 @@ # sanitize-html

sanitize-html is not written in TypeScript and there is no plan to directly support it. There is a community supported typing definition, [`@types/sanitize-html`](https://www.npmjs.com/package/@types/sanitize-html), however.
```bash
```bash
npm install -D @types/sanitize-html

@@ -55,3 +55,3 @@ ```

```bash
npm install sanitize-html
npm install sanitize-html
```

@@ -252,3 +252,3 @@ or

If you wish to allow specific CSS _styles_ on a particular element, you can do that with the `allowedStyles` option. Simply declare your desired attributes as regular expression options within an array for the given attribute. Specific elements will inherit whitelisted attributes from the global (`*`) attribute. Any other CSS classes are discarded.
If you wish to allow specific CSS _styles_ on a particular element, you can do that with the `allowedStyles` option. Simply declare your desired attributes as regular expression options within an array for the given attribute. Specific elements will inherit allowlisted attributes from the global (`*`) attribute. Any other CSS classes are discarded.

@@ -522,2 +522,28 @@ **You must also use `allowedAttributes`** to activate the `style` attribute for the relevant elements. Otherwise this feature will never come into play.

### Script Filters
Similarly to iframes you can allow a script tag on a list of allowlisted domains
```js
const clean = sanitizeHtml('<script src="https://www.safe.authorized.com/lib.js"></script>', {
allowedTags: ['script'],
allowedAttributes: {
script: ['src']
},
allowedScriptDomains: ['authorized.com'],
})
```
You can allow a script tag on a list of allowlisted hostnames too
```js
const clean = sanitizeHtml('<script src="https://www.authorized.com/lib.js"></script>', {
allowedTags: ['script'],
allowedAttributes: {
script: ['src']
},
allowedScriptHostnames: [ 'www.authorized.com' ],
})
```
### Allowed URL schemes
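Review bot: the new Script Filters section should state the precondition and the default behaviour: `allowedScriptHostnames` and `allowedScriptDomains` are only consulted once `script` is in `allowedTags` and `src` is in `allowedAttributes` (both examples set these but the text never says they are required), and when neither option is given the `src` hostname is not restricted at all (the index.js change starts with `let allowed = true;` and only narrows it when one of the options is present). A sentence such as "Without either option, any script `src` that passes the other checks is kept" would set expectations. It would also help to note next to the first example that `authorized.com` matches `www.safe.authorized.com` because domain entries include subdomains, and both introductory sentences are missing their terminal period.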

@@ -524,0 +550,0 @@
