sanitize-html
Comparing version 2.4.0 to 2.5.0
# Changelog | ||
## 2.5.0 (2021-09-08): | ||
- New `allowedScriptHostnames` option, it enables you to specify which hostnames are allowed in a script tag. | ||
- New `allowedScriptDomains` option, it enables you to specify which domains are allowed in a script tag. Thank you to [Yorick Girard](https://github.com/yorickgirard) for this and the `allowedScriptHostnames` contribution. | ||
- Updates whitelist to allowlist. | ||
## 2.4.0 (2021-05-19): | ||
@@ -4,0 +10,0 @@ - Added support for class names with wildcards in `allowedClasses`. Thanks to [zhangbenber](https://github.com/zhangbenber) for the contribution. |
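Review bot: the 2.5.0 entries for `allowedScriptHostnames` and `allowedScriptDomains` should state the behavior when neither option is configured (the new check in index.js leaves `allowed` at `true`, so a script `src` passes through as before) and that a `src` the `URL` constructor cannot parse, such as a relative path, is now removed from the tag; both are behavior changes a user upgrading from 2.4.0 would want to see in the changelog.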
index.js
@@ -318,2 +318,29 @@ const htmlparser = require('htmlparser2'); | ||
} | ||
if (name === 'script' && a === 'src') { | ||
let allowed = true; | ||
frame.innerText = ''; | ||
try { | ||
const parsed = new URL(value); | ||
if (options.allowedScriptHostnames || options.allowedScriptDomains) { | ||
const allowedHostname = (options.allowedScriptHostnames || []).find(function (hostname) { | ||
return hostname === parsed.hostname; | ||
}); | ||
const allowedDomain = (options.allowedScriptDomains || []).find(function(domain) { | ||
return parsed.hostname === domain || parsed.hostname.endsWith(`.${domain}`); | ||
}); | ||
allowed = allowedHostname || allowedDomain; | ||
} | ||
} catch (e) { | ||
allowed = false; | ||
} | ||
if (!allowed) { | ||
delete frame.attribs[a]; | ||
return; | ||
} | ||
} | ||
if (name === 'iframe' && a === 'src') { | ||
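Review bot: the `catch` branch sets `allowed = false` for any value `new URL(value)` rejects, so a relative or protocol-relative `src` (for example `/lib.js` or `//cdn.example/lib.js`) loses its `src` attribute even when neither `allowedScriptHostnames` nor `allowedScriptDomains` is configured; if that is intended, document it, otherwise only fall into the allowlist logic when one of the options is set. Also, `parsed.hostname` is lowercased by the URL parser while the configured entries are compared verbatim in `hostname === parsed.hostname` and `parsed.hostname.endsWith(`.${domain}`)`, so an entry such as `'WWW.Authorized.com'` never matches; normalizing the option values with `toLowerCase()` before comparing would avoid a silent misconfiguration. The `endsWith('.' + domain)` form is the right one, since it keeps `notauthorized.com` from matching an `authorized.com` entry.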
@@ -615,3 +642,3 @@ let allowed = true; | ||
/** | ||
* Filters user input css properties by whitelisted regex attributes. | ||
* Filters user input css properties by allowlisted regex attributes. | ||
* | ||
@@ -669,6 +696,6 @@ * @param {object} abstractSyntaxTree - Object representation of CSS attributes. | ||
* Filters the existing attributes for the given property. Discards any attributes | ||
* which don't match the whitelist. | ||
* which don't match the allowlist. | ||
* | ||
* @param {object} selectedRule - Example: { color: red, font-family: helvetica } | ||
* @param {array} allowedDeclarationsList - List of declarations which pass whitelisting. | ||
* @param {array} allowedDeclarationsList - List of declarations which pass the allowlist. | ||
* @param {object} attributeObject - Object representing the current css property. | ||
@@ -682,3 +709,3 @@ * @property {string} attributeObject.type - Typically 'declaration'. | ||
return function (allowedDeclarationsList, attributeObject) { | ||
// If this property is whitelisted... | ||
// If this property is allowlisted... | ||
if (has(selectedRule, attributeObject.prop)) { | ||
@@ -685,0 +712,0 @@ const matchesRegex = selectedRule[attributeObject.prop].some(function(regularExpression) { |
{ | ||
"name": "sanitize-html", | ||
"version": "2.4.0", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
"version": "2.5.0", | ||
"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis", | ||
"sideEffects": false, | ||
@@ -6,0 +6,0 @@ "main": "index.js", |
@@ -32,3 +32,3 @@ # sanitize-html | ||
sanitize-html is not written in TypeScript and there is no plan to directly support it. There is a community supported typing definition, [`@types/sanitize-html`](https://www.npmjs.com/package/@types/sanitize-html), however. | ||
```bash | ||
```bash | ||
npm install -D @types/sanitize-html | ||
@@ -55,3 +55,3 @@ ``` | ||
```bash | ||
npm install sanitize-html | ||
npm install sanitize-html | ||
``` | ||
@@ -252,3 +252,3 @@ or | ||
If you wish to allow specific CSS _styles_ on a particular element, you can do that with the `allowedStyles` option. Simply declare your desired attributes as regular expression options within an array for the given attribute. Specific elements will inherit whitelisted attributes from the global (`*`) attribute. Any other CSS classes are discarded. | ||
If you wish to allow specific CSS _styles_ on a particular element, you can do that with the `allowedStyles` option. Simply declare your desired attributes as regular expression options within an array for the given attribute. Specific elements will inherit allowlisted attributes from the global (`*`) attribute. Any other CSS classes are discarded. | ||
@@ -522,2 +522,28 @@ **You must also use `allowedAttributes`** to activate the `style` attribute for the relevant elements. Otherwise this feature will never come into play. | ||
### Script Filters | ||
Similarly to iframes you can allow a script tag on a list of allowlisted domains | ||
```js | ||
const clean = sanitizeHtml('<script src="https://www.safe.authorized.com/lib.js"></script>', { | ||
allowedTags: ['script'], | ||
allowedAttributes: { | ||
script: ['src'] | ||
}, | ||
allowedScriptDomains: ['authorized.com'], | ||
}) | ||
``` | ||
You can allow a script tag on a list of allowlisted hostnames too | ||
```js | ||
const clean = sanitizeHtml('<script src="https://www.authorized.com/lib.js"></script>', { | ||
allowedTags: ['script'], | ||
allowedAttributes: { | ||
script: ['src'] | ||
}, | ||
allowedScriptHostnames: [ 'www.authorized.com' ], | ||
}) | ||
``` | ||
### Allowed URL schemes | ||
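Review bot: the new "Script Filters" section should spell out two points a reader will need: with neither `allowedScriptHostnames` nor `allowedScriptDomains` set, any `src` is kept once `script` is in `allowedTags` and `src` in `allowedAttributes`, and a `src` that is not an absolute URL is stripped because the hostname check has nothing to compare. A domain entry also matches every subdomain (`authorized.com` accepts `www.safe.authorized.com`, as the first example shows), which is worth stating explicitly next to the hostname variant that matches exactly. Minor style: the two introductory sentences lack terminal punctuation, and the examples mix `[ 'www.authorized.com' ]` spacing with the `['script']` style used elsewhere in the README.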
@@ -524,0 +550,0 @@ |