sanitize-html
Comparing version 2.8.1 to 2.9.0
index.js
@@ -441,15 +441,20 @@ const htmlparser = require('htmlparser2'); | ||
if (a === 'style') { | ||
try { | ||
const abstractSyntaxTree = postcssParse(name + ' {' + value + '}'); | ||
const filteredAST = filterCss(abstractSyntaxTree, options.allowedStyles); | ||
if (options.parseStyleAttributes) { | ||
try { | ||
const abstractSyntaxTree = postcssParse(name + ' {' + value + '}'); | ||
const filteredAST = filterCss(abstractSyntaxTree, options.allowedStyles); | ||
value = stringifyStyleAttributes(filteredAST); | ||
value = stringifyStyleAttributes(filteredAST); | ||
if (value.length === 0) { | ||
if (value.length === 0) { | ||
delete frame.attribs[a]; | ||
return; | ||
} | ||
} catch (e) { | ||
console.warn('Failed to parse "' + name + ' {' + value + '}' + '", If you\'re running this in a browser, we recommend to disable style parsing: options.parseStyleAttributes: false, since this only works in a node environment due to a postcss dependency, More info: https://github.com/apostrophecms/sanitize-html/issues/547'); | ||
delete frame.attribs[a]; | ||
return; | ||
} | ||
} catch (e) { | ||
delete frame.attribs[a]; | ||
return; | ||
} else if (options.allowedStyles) { | ||
throw new Error('allowedStyles option cannot be used together with parseStyleAttributes: false.'); | ||
} | ||
@@ -822,3 +827,4 @@ } | ||
allowProtocolRelative: true, | ||
enforceHtmlBoundary: false | ||
enforceHtmlBoundary: false, | ||
parseStyleAttributes: true | ||
}; | ||
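Review bot: The new `else if (options.allowedStyles)` throw runs inside the per-attribute path, so the incompatible-options error is raised only when a `style` attribute actually occurs in the input; the same misconfiguration sanitizes successfully on inputs without one, which makes the failure input-dependent rather than deterministic. Performing that check once where the option defaults are resolved (the `parseStyleAttributes: true` default added in the second hunk) would fail fast, e.g. `if (!options.parseStyleAttributes && options.allowedStyles) throw new Error('allowedStyles option cannot be used together with parseStyleAttributes: false.');` before any parsing starts. The added `console.warn` also interpolates the raw attribute `name` and `value`, which are attacker-controlled, into the log line, so a document full of unparsable style attributes yields one log line per attribute carrying arbitrary content; logging a fixed message and truncating or omitting the value would keep the warning useful without the log-flood/log-injection surface. The enclosing function starts and ends outside the hunk.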
@@ -825,0 +831,0 @@ |
{ | ||
"name": "sanitize-html", | ||
"version": "2.8.1", | ||
"version": "2.9.0", | ||
"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "sideEffects": false, |
@@ -142,3 +142,4 @@ # sanitize-html | ||
allowProtocolRelative: true, | ||
enforceHtmlBoundary: false | ||
enforceHtmlBoundary: false, | ||
parseStyleAttributes: true | ||
``` | ||
@@ -628,2 +629,20 @@ | ||
### Ignore style attribute contents | ||
Instead of discarding faulty style attributes, you can allow them by disabling the parsing of style attributes: | ||
```js | ||
parseStyleAttributes: false | ||
``` | ||
This will transform `<div style="invalid-prop: non-existing-value">content</div>` to `<div style="invalid-prop: non-existing-value">content</div>` instead of stripping it: `<div>content</div>` | ||
By default the parseStyleAttributes option is true. | ||
When you disable parsing of the style attribute (`parseStyleAttributes: false`) and you pass in options for the allowedStyles property, an error will be thrown. This combination is not permitted. | ||
we recommend sanitizing content server-side in a Node.js environment, as you cannot trust a browser to sanitize things anyway. Consider what a malicious user could do via the network panel, | ||
the browser console, or just by writing scripts that submit content similar to what your JavaScript submits. But if you really need to run it on the client in the browser, | ||
you may find you need to disable parseStyleAttributes. This is subject to change as it is [an upstream issue with postcss](https://github.com/postcss/postcss/issues/1727), not sanitize-html itself. | ||
### Restricting deep nesting | ||
@@ -630,0 +649,0 @@ |