Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The 'striptags' npm package is a utility for stripping HTML and XML tags from a string. It is useful for sanitizing user input, cleaning up text for display, and ensuring that text content is free from potentially harmful or unwanted HTML tags.
Basic HTML Tag Removal
This feature allows you to remove all HTML tags from a string, leaving only the text content.
const striptags = require('striptags');
const text = striptags('<p>Hello <strong>world</strong>!</p>');
console.log(text); // Output: 'Hello world!'
Allow Specific Tags
This feature allows you to specify which HTML tags should be allowed to remain in the string while stripping all others.
const striptags = require('striptags');
const text = striptags('<p>Hello <strong>world</strong>!</p>', ['strong']);
console.log(text); // Output: 'Hello <strong>world</strong>!'
Strip Tags with Whitelist
This feature allows you to strip tags while using a whitelist of allowed tags, providing more control over the sanitization process.
const striptags = require('striptags');
const text = striptags('<p>Hello <strong>world</strong>!</p>', [], '<>');
console.log(text); // Output: 'Hello world!'
The 'sanitize-html' package provides a more comprehensive solution for sanitizing HTML content. It allows for more granular control over which tags and attributes are allowed, and can also handle nested tags and complex HTML structures. Compared to 'striptags', 'sanitize-html' offers more advanced sanitization options but may be more complex to configure.
The 'xss' package is designed to filter out potential XSS (Cross-Site Scripting) attacks by sanitizing HTML content. It provides a high level of security by default and allows for customization of allowed tags and attributes. 'xss' is more focused on security compared to 'striptags', making it a better choice for applications where preventing XSS is a primary concern.
The 'html-entities' package is used to encode and decode HTML entities. While it does not strip tags, it can be used in conjunction with other packages to ensure that HTML entities are properly handled. It is more focused on encoding and decoding rather than sanitization, making it a complementary tool rather than a direct alternative to 'striptags'.
An implementation of PHP's strip_tags in Node.js.
Note: v3+
targets ES6, and is therefore incompatible with the master branch of uglifyjs
. You can either:
babili
, which supports ES6harmony
branch of uglifyjs
npm install striptags
striptags(html, allowed_tags, tag_replacement);
var striptags = require('striptags');
var html =
'<a href="https://example.com">' +
'lorem ipsum <strong>dolor</strong> <em>sit</em> amet' +
'</a>';
striptags(html);
striptags(html, '<strong>');
striptags(html, ['a']);
striptags(html, [], '\n');
Outputs:
'lorem ipsum dolor sit amet'
lorem ipsum <strong>dolor</strong> sit amet'
'<a href="https://example.com">lorem ipsum dolor sit amet</a>'
lorem ipsum
dolor
sit
amet
striptags
can also operate in streaming mode. Simply call init_streaming_mode
to get back a function that accepts HTML and outputs stripped HTML. State is saved between calls so that partial HTML can be safely passed in.
let stream_function = striptags.init_streaming_mode(
allowed_tags,
tag_replacement
);
let partial_text = stream_function(partial_html);
let more_text = stream_function(more_html);
Check out test/striptags-test.js for a concrete example.
You can run tests (powered by mocha) locally via:
npm test
Generate test coverage (powered by istanbul) via :
npm run coverage
striptags
does not use any regular expressions for stripping HTML tags.
Regular expressions are not capable of preventing all possible scripting attacks (see this). Here is a great StackOverflow answer regarding how strip_tags (when used without specifying allowableTags) is not vulnerable to scripting attacks.
FAQs
PHP strip_tags in Node.js
The npm package striptags receives a total of 653,769 weekly downloads. As such, striptags popularity was classified as popular.
We found that striptags demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.