sanitize-html - npm Package Compare versions

Comparing version 2.5.1 to 2.5.2

CHANGELOG.md

		# Changelog

		## 2.5.2 (2021-10-13):

		- Nullish HTML input now returns an empty string. Nullish value may be explicit `null`, `undefined` or implicit `undefined` when value is not provided. Thanks to Artem Kostiuk for the contribution.
		- Documented that all text content is escaped. Thanks to Siddharth Singh.

		## 2.5.1 (2021-09-14):
		@@ -4,0 +9,0 @@ - The `allowedScriptHostnames` and `allowedScriptDomains` options now implicitly purge the inline content of all script tags, not just those with `src` attributes. This behavior was already strongly implied by the fact that they purged it in the case where a `src` attribute was actually present, and is necessary for the feature to provide any real security. Thanks to Grigorii Duca for pointing out the issue.

index.js

		@@ -84,2 +84,6 @@ const htmlparser = require('htmlparser2');
		function sanitizeHtml(html, options, _recursing) {
		if (html == null) {
		return '';
		}

		let result = '';
		@@ -86,0 +90,0 @@ // Used for hot swapping the result variable with an empty string in order to "capture" the text written to it.

package.json

		{
		"name": "sanitize-html",
		"version": "2.5.1",
		"version": "2.5.2",
		"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",
		@@ -5,0 +5,0 @@ "sideEffects": false,

README.md

		@@ -24,2 +24,3 @@ # sanitize-html
		HTML comments are not preserved.
		Additionally, `sanitize-html` escapes _ALL_ text content - this means that ampersands, greater-than, and less-than signs are converted to their equivalent HTML character references (`&` --> `&`, `<` --> `<`, and so on). Additionally, in attribute values, quotation marks are escaped as well (`"` --> `"`).

		@@ -26,0 +27,0 @@ ## Requirements

New alerts