strip-dom-tags
Safely strip all DOM tags from a string to prevent XSS attacks
This module exposes a single functions, that strips a HTML string from tags. It uses the browser DOMParser API (https://caniuse.com/#search=domparser) internally to do the parsing and stripping. It has no dependencies.
You can whitelist different tags and attributes that are allowed, but javascript:
attribute values will always be stripped.
This module only works in the browser, it will always return the empty string if invoked server-side.
Usage
stripTags(html : string, whitelistedTags = [] : string[], whitelistedAttributes = [] : string[], visitNode?: (node: Node) : Node) : string
html
- The string to strip from HTML tags.whitelistedTags
- A list of HTML tags that are allowed, like a
and img
. This is case-insensitive. The default is no tags are allowed.whitelistedAttributes
- A list of HTML attributes that are allwed, like href
and src
. The passed attributes will be allowed on any tag that is whitelisted. So it is possible for a a
tag to get a src
attribute. Note that attribute values starting with javascript:
or containing \n
will always be stripped.visitNode
- A function that will be invoked on every resulting DOM node after it has been stripped. You can use this to remove invalid attribute, or add target
attribute to a
tags for example. You can also return a different node (maybe replace img
with picture
).
Return value
The function returns a HTML string, that is stripped of all the listed tags.
Examples