sanitize-html - npm Package Versions

1.19.2:

• Switched out the heavy postcss dependency for the lightweight css-tree module. No API changes. Thanks to Justin Braithwaite.
• Various doc updates. Thanks to Pulkit Aggarwal and Cody Robertson.

1.19.1:

• " characters are now entity-escaped only when they appear in attribute values, reducing the verbosity of the resulting markup.

• Fixed a regression introduced in version 1.18.5 in the handling of markup that looks similar to a valid entity, but isn't. The bogus entity was passed through intact, i.e. &0; did not become &0; as it should have. This fix has been made for the default parser settings only. There is no fix yet for those who wish to enable decodeEntities: false. That will require improving the alternative encoder in the escapeHtml function to only pass 100% valid entities.

For those using the default parser settings this bug is fixed. Read on if you are using alternative parser settings.

When decodeEntities: true is in effect (the default), this is not a problem because we only have to encode & < > " and we always encode those things.

There is currently a commented-out test which verifies one example of the problem when decodeEntities is false. However a correct implementation would need to not only pass that simple example but correctly escape all invalid entities, and not escape those that are valid.

1.19.0:

• New allowIframeRelativeUrls option. It defaults to true unless allowedIframeHostnames is present, in which case it defaults to false, for backwards compatibility with existing behavior in both cases; however you can now set the option explicitly to allow both certain hostnames and relative URLs. Thanks to Rick Martin.

1.18.5:

• Stop double encoding ampersands on HTML entities. Thanks to Will Gibson.

1.18.4:

• Removed incorrect browser key, restoring frontend build. Thanks to Felix Becker.

1.18.3:

• iframe is an allowed tag by default, to better facilitate typical use cases and the use of the allowedIframeHostnames option.
• Documentation improvements.
• More browser packaging improvements.
• Protocol-relative URLs are properly supported for iframe tags.

1.18.2:

• Travis tests passing.
• Fixed another case issue — and instituted Travis CI testing so this doesn't happen again. Sorry for the hassle.

1.18.1:

• A file was required with incorrect case, breaking the library on case sensitive filesystems such as Linux. Fixed.

1.18.0:

• The new allowedSchemesAppliedToAttributes option. This determines which attributes are validated as URLs, replacing the old hardcoded list of src and href only. The default list now includes cite. Thanks to ml-dublin for this contribution.
• It is now easy to configure a specific list of allowed values for an attribute. When configuring allowedAttributes, rather than listing an attribute name, simply list an object with an attribute name property and an allowed values array property. You can also add multiple: true to allow multiple space-separated allowed values in the attribute, otherwise the attribute must match one and only one of the allowed values. Thanks again to ml-dublin for this contribution.
• Fixed a bug in the npm test procedure.

1.17.0:

The new allowedIframeHostnames option. If present, this must be an array, and only iframe src URLs hostnames (complete hostnames; domain name matches are not enough) that appear on this list are allowed. You must also configure hostname as an allowed attribute for iframe. Thanks to Ryan Verys for this contribution.