sanitize-html
Changelog
1.11.4: fixed a crash when `__proto__` is a tag name. A safe check for the existence of properties is now used in all cases. Thanks to Andrew Krasichkov. Fixed an XSS attack vector via `textarea` tags (when explicitly allowed). Decided that `script` (obviously) and `style` (due to its own XSS vectors) cannot realistically be afforded any XSS protection if allowed, unless we add a full CSS parser. Thanks again to Andrew Krasichkov.
1.11.3: bumped the `htmlparser2` version to address a crashing bug in the older version. Thanks to e-jigsaw.
1.11.2: fixed a README typo that interfered with readability due to markdown issues. No code changes. Thanks to Mikael Korpela. Also improved code block highlighting in the README. Thanks to Alex Siman.
1.11.1: fixed a regression introduced in 1.11.0 which caused the closing tag of the parent of a `textarea` tag to be lost. Thanks to Stefano Sala, who contributed the missing test.
1.10.0: `allowedAttributes` now lets you allow attributes for all tags by specifying `*` as the tag name. Thanks to Zdravko Georgiev.
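As an added illustration of the two allowlist details above (the `__proto__` crash fixed in 1.11.4 and the `*` wildcard added in 1.10.0), the following is example code written for this page, not sanitize-html's own implementation. It works on a plain-object config of the shape the `allowedAttributes` option takes; the function names `has`, `allowedAttributesFor`, `isAttributeAllowed`, `unsafeIsAttributeAllowed` and `unsafeLookupOutcome` and the sample `ALLOWED_ATTRIBUTES` config are assumptions made here, not the library's API.

```javascript
// Added example, not sanitize-html's code: allowlist lookups on a plain-object
// allowedAttributes config of the shape the library's option uses.
// allowedAttributesFor / isAttributeAllowed / unsafeIsAttributeAllowed are
// assumed names for illustration, not the library's API.

// Own-property check: a bare `obj[key]` read also finds inherited members of
// Object.prototype, so attacker-chosen tag names such as '__proto__' or
// 'constructor' would "exist" in any config and yield non-array values.
function has(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Attributes allowed on `tagName`: the '*' entry applies to every tag and is
// merged with the tag's own entry (the 1.10.0 wildcard).
function allowedAttributesFor(allowedAttributes, tagName) {
  const names = new Set();
  for (const key of ['*', tagName]) {
    if (!has(allowedAttributes, key)) continue;
    for (const attr of allowedAttributes[key]) names.add(attr.toLowerCase());
  }
  return names;
}

function isAttributeAllowed(allowedAttributes, tagName, attrName) {
  return allowedAttributesFor(allowedAttributes, tagName).has(attrName.toLowerCase());
}

// The unsafe shape of the lookup: for tagName '__proto__' the read yields
// Object.prototype, which is truthy but has no indexOf, so this throws a
// TypeError on attacker-controlled input instead of answering false.
function unsafeIsAttributeAllowed(allowedAttributes, tagName, attrName) {
  const list = allowedAttributes[tagName];
  if (!list) return false;
  return list.indexOf(attrName) !== -1;
}

// Constructed sample config, not taken from the page.
const ALLOWED_ATTRIBUTES = {
  '*': ['class', 'id'],
  a: ['href', 'name', 'target'],
  img: ['src'],
};

// Runs the unsafe lookup and reports whether it crashed, so its failure mode
// can be compared with the safe version on the same input.
function unsafeLookupOutcome(tagName, attrName) {
  try {
    return { ok: true, value: unsafeIsAttributeAllowed(ALLOWED_ATTRIBUTES, tagName, attrName) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

The same own-property test should guard every map that is indexed by a name taken from untrusted markup (tag names, attribute names, transform keys); `Object.create(null)` for the map is the other common way to get the same guarantee.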
1.9.0: the `parser` option allows options to be passed directly to `htmlparser2`. Thanks to Danny Scott.
1.8.0: `transformTags` now accepts the `*` wildcard to transform all tags. Thanks to Jamy Timmermans. Text that has been modified by `transformTags` is then passed through `textFilter`. Thanks to Pavlo Yurichuk. Content inside `textarea` is discarded if `textarea` is not allowed. I don't know why it took me this long to see that this is just common sense. Thanks to David Frank.
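The following is an added example, written for this page and not sanitize-html's own code, that shows the behaviours described in the 1.8.0 entry (the `*` wildcard in `transformTags`, transform-supplied text passing through `textFilter`, and `textarea` content being discarded when `textarea` is not allowed) together with the `textarea` fix from 1.11.4 (text inside an allowed `textarea` is entity-escaped, while `script` and `style` bodies pass through raw if those tags are allowed at all). It is a miniature sanitizer driven by constructed parser events in the style of the `htmlparser2` callbacks, with entities already decoded as that parser does; the names `miniSanitize`, `legacyRawTextarea`, `EVENTS` and the `demo*` functions are assumptions, and the ordering in which the `*` transform and a tag-specific transform are applied is assumed here, not taken from the library.

```javascript
// Added example, not sanitize-html's code: a miniature event-driven sanitizer
// over constructed parser events. Names and the '*'-then-specific transform
// order are assumptions for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const escapeHtml = (s) => s.replace(/[&<>"]/g, (c) => ESCAPES[c]);

// events: { type: 'open', name, attribs } | { type: 'text', data } | { type: 'close', name }
// in document order, with entities already decoded as htmlparser2 does.
function miniSanitize(events, options) {
  const allowedTags = new Set(options.allowedTags || []);
  const transformTags = options.transformTags || {};
  const textFilter = options.textFilter || ((t) => t);
  // Bodies of these tags are emitted raw when the tag is allowed at all: no
  // escaping makes script or style safe. Treating textarea the same way was
  // the pre-1.11.4 mistake, reproduced here only by legacyRawTextarea.
  const rawTextTags = new Set(['script', 'style']);
  if (options.legacyRawTextarea) rawTextTags.add('textarea');

  const frames = [];   // one entry per open element, emitted or not
  let skipDepth = 0;   // > 0 while inside a disallowed textarea
  let out = '';

  for (const ev of events) {
    if (ev.type === 'open') {
      if (skipDepth > 0) {   // everything inside a dropped textarea is discarded
        frames.push({ name: ev.name, emitted: false, skipChildren: false, replaceText: false });
        continue;
      }
      let name = ev.name;
      let attribs = { ...ev.attribs };
      let text;
      // Assumed precedence: the '*' transform runs first, then the tag's own.
      for (const key of ['*', ev.name]) {
        if (Object.prototype.hasOwnProperty.call(transformTags, key)) {
          const r = transformTags[key](name, attribs);
          name = r.tagName;
          attribs = r.attribs || {};
          if (r.text !== undefined) text = r.text;
        }
      }
      const emitted = allowedTags.has(name);
      const frame = {
        name,
        emitted,
        skipChildren: !emitted && name === 'textarea',
        replaceText: text !== undefined,
      };
      if (frame.skipChildren) skipDepth++;
      frames.push(frame);
      if (emitted) {
        const attrs = Object.entries(attribs)
          .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
          .join('');
        out += `<${name}${attrs}>`;
        // Text supplied by a transform goes through textFilter like any other text.
        if (text !== undefined) out += escapeHtml(textFilter(text));
      }
    } else if (ev.type === 'text') {
      if (skipDepth > 0) continue;
      const parent = frames[frames.length - 1];
      if (parent && parent.replaceText) continue;   // the transform replaced this text
      if (parent && parent.emitted && rawTextTags.has(parent.name)) {
        out += ev.data;                             // raw: script/style (and legacy textarea)
      } else {
        out += escapeHtml(textFilter(ev.data));     // everything else, textarea included
      }
    } else if (ev.type === 'close') {
      const frame = frames.pop();
      if (!frame) continue;
      if (frame.skipChildren) skipDepth--;
      if (frame.emitted) out += `</${frame.name}>`;
    }
  }
  return out;
}

// Constructed input: the decoded parser events for
//   <b>bold evil</b><textarea name="c">&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;</textarea><div>tail</div>
const EVENTS = [
  { type: 'open', name: 'b', attribs: {} },
  { type: 'text', data: 'bold evil' },
  { type: 'close', name: 'b' },
  { type: 'open', name: 'textarea', attribs: { name: 'c' } },
  { type: 'text', data: '</textarea><script>alert(1)</script>' },
  { type: 'close', name: 'textarea' },
  { type: 'open', name: 'div', attribs: {} },
  { type: 'text', data: 'tail' },
  { type: 'close', name: 'div' },
];

// 1.8.0: '*' transform on every tag, plus a b->strong transform whose
// replacement text still passes through textFilter.
function demoTransformsAndTextFilter() {
  return miniSanitize(EVENTS, {
    allowedTags: ['strong', 'textarea'],
    transformTags: {
      '*': (tagName, attribs) => ({ tagName, attribs: { ...attribs, 'data-s': '1' } }),
      b: (tagName, attribs) => ({ tagName: 'strong', attribs, text: 'evil replaced' }),
    },
    textFilter: (t) => t.replace(/evil/g, '***'),
  });
}

// 1.8.0: textarea not allowed, so its content is discarded rather than kept as text.
function demoTextareaDiscarded() {
  return miniSanitize(EVENTS, { allowedTags: ['b'] });
}

// 1.11.4: textarea allowed. Escaping keeps the decoded "</textarea>..." inert;
// the legacy raw path lets it close the element and inject a script.
function demoTextareaEscaped() {
  return miniSanitize(EVENTS, { allowedTags: ['textarea'] });
}
function demoTextareaLegacyRaw() {
  return miniSanitize(EVENTS, { allowedTags: ['textarea'], legacyRawTextarea: true });
}
```

The textarea case is the one to remember when reviewing any sanitizer: a parser that decodes entities in text nodes hands the serializer a literal `</textarea><script>…`, and only re-escaping on output keeps the browser from seeing it as markup.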