sanitize-html
Changelog
2.0.0-rc.1 (2020-08-26):
- `klona` package. Thanks to Bogdan Chadkin for the contribution.

1.27.4 (2020-08-26):
- `Array.prototype.includes`, replacing it with `Array.prototype.indexOf`.

1.27.3 (2020-08-12):
- `transformTags` without `textFilter`. Thanks to Andrzej Porebski for the help with a failing test.

2.0.0-beta.2:
- `files` to `package.json` to prevent publishing unnecessary files to npm (#392). Thanks to styfle for the contribution.
- `iframe` and `nl` from default allowed tags. Adds most innocuous tags to the default `allowedTags` array.
- `transformTags` without `textFilter`. Thanks to Andrzej Porebski for the help with a failing test.

1.27.2 (2020-07-29):
- `srcset` with `parse-srcset`. Thanks to Massimiliano Mirra for the contribution.

2.0.0-beta:
- `index.js` file to the project root and removes all build steps within the package. Going forward, it is up to the developer to include sanitize-html in their project builds as needed. This removes major points of conflict with project code and frees this module from worrying about myriad build-related questions.
- `innerText`. Thanks to Mike Samuel for the contribution. Prior to this patch, tag transformations which turned an attribute value into a text node could be vulnerable to code execution.
- `const`/`let` variable assignment.
- `is-plain-object` to the 4.x major version.
- `srcset` to the 3.x major version.
- Thanks to Bogdan Chadkin for contributions to this major version update.

1.27.1 (2020-07-15):
- `xtend` package with native `Object.assign`.

1.27.0:
- `allowedIframeDomains` option. This works similarly to `allowedIframeHostnames`, where you would set it to an array of web domains. It would then permit any hostname on those domains to be used in iframe `src` attributes. Thanks to Stanislav Kravchenko for the contribution.

1.26.0:
- `option` element to the default `nonTextTagsArray` of tags with contents that aren't meant to be displayed visually as text. This can be overridden with the `nonTextTags` option.

1.25.0:
- `enforceHtmlBoundary` option to process code bounded by the `html` tag, discarding any code outside of those tags.
- `style` and `script` tags are allowed, as they are inherently vulnerable to being used in XSS attacks. That warning can be disabled by including the option `allowVulnerableTags: true` so this choice is knowing and explicit.