Comparing version 2.2.1 to 3.0.0
{ | ||
"name": "striptags", | ||
"description": "PHP strip_tags in Node.js", | ||
"license": "MIT", | ||
"author": "Eric Norris (https://github.com/ericnorris)", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/ericnorris/striptags.git" | ||
}, | ||
"main": "striptags.js", | ||
"homepage": "https://github.com/ericnorris/striptags", | ||
"bugs": "https://github.com/ericnorris/striptags/issues", | ||
"version": "2.2.1", | ||
"devDependencies": { | ||
"blanket": "~1.1.6", | ||
"mocha": "~2.1.0" | ||
}, | ||
"keywords": [ | ||
"striptags", | ||
"strip_tags", | ||
"html", | ||
"strip", | ||
"tags" | ||
], | ||
"scripts": { | ||
"test": "node ./node_modules/mocha/bin/mocha", | ||
"test-coverage": "node ./node_modules/mocha/bin/mocha --require blanket -R html-cov > coverage.html" | ||
}, | ||
"jshintConfig": { | ||
"node": true | ||
}, | ||
"config": { | ||
"blanket": { | ||
"pattern": "src/", | ||
"data-cover-reporter-options": { | ||
"shortnames": true | ||
} | ||
} | ||
} | ||
"name": "striptags", | ||
"description": "PHP strip_tags in Node.js", | ||
"license": "MIT", | ||
"author": "Eric Norris (https://github.com/ericnorris)", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/ericnorris/striptags.git" | ||
}, | ||
"main": "src/striptags.js", | ||
"homepage": "https://github.com/ericnorris/striptags", | ||
"bugs": "https://github.com/ericnorris/striptags/issues", | ||
"version": "3.0.0", | ||
"devDependencies": { | ||
"istanbul": "^0.4.5", | ||
"mocha": "^3.2.0" | ||
}, | ||
"keywords": [ | ||
"striptags", | ||
"strip_tags", | ||
"html", | ||
"strip", | ||
"tags" | ||
], | ||
"scripts": { | ||
"test": "mocha", | ||
"coverage": "istanbul cover _mocha -- -R spec" | ||
} | ||
} |
@@ -8,3 +8,3 @@ # striptags [![Build Status](https://travis-ci.org/ericnorris/striptags.svg)](https://travis-ci.org/ericnorris/striptags) | ||
- 100% test code coverage | ||
- No unsafe regular expressions! | ||
- No unsafe regular expressions | ||
@@ -16,5 +16,5 @@ ## Installing | ||
## Usage | ||
## Basic Usage | ||
```javascript | ||
striptags(html, allowedTags, tagReplacement); | ||
striptags(html, allowed_tags, tag_replacement); | ||
``` | ||
@@ -32,3 +32,3 @@ | ||
striptags(html); | ||
striptags(html, '<a><strong>'); | ||
striptags(html, '<strong>'); | ||
striptags(html, ['a']); | ||
@@ -44,3 +44,3 @@ striptags(html, [], '\n'); | ||
``` | ||
'<a href="https://example.com">lorem ipsum <strong>dolor</strong> sit amet</a>' | ||
lorem ipsum <strong>dolor</strong> sit amet' | ||
``` | ||
@@ -59,3 +59,17 @@ | ||
## Streaming Mode | ||
`striptags` can also operate in streaming mode. Simply call `init_streaming_mode` to get back a function that accepts HTML and outputs stripped HTML. State is saved between calls so that partial HTML can be safely passed in. | ||
```javascript | ||
let stream_function = striptags.init_streaming_mode( | ||
allowed_tags, | ||
tag_replacement | ||
); | ||
let partial_text = stream_function(partial_html); | ||
let more_text = stream_function(more_html); | ||
``` | ||
Check out [test/striptags-test.js](test/striptags-test.js) for a concrete example. | ||
## Tests | ||
@@ -67,15 +81,11 @@ You can run tests (powered by [mocha](http://mochajs.org/)) locally via: | ||
Generate test coverage (powered by [blanket.js](http://blanketjs.org/)) via : | ||
Generate test coverage (powered by [istanbul](https://github.com/gotwarlost/istanbul)) via : | ||
``` | ||
npm run test-coverage | ||
npm run coverage | ||
``` | ||
## Differences between PHP strip_tags and striptags | ||
In this version, not much! This now closely resembles a 'port' from PHP 5.5's internal implementation of strip_tags, [php_strip_tags_ex](http://lxr.php.net/xref/PHP_5_5/ext/standard/string.c#php_strip_tags_ex). | ||
One major difference is that this JS version does not strip PHP-style tags; it seemed out of place in a node.js project. Let me know if this is important enough to consider including. | ||
## Doesn't use regular expressions | ||
striptags does not use any regular expressions for stripping HTML tags ([these](src/striptags.js#L7-L8) are used for detecting whitespace and parsing the allowedTags parameter, not finding HTML). | ||
`striptags` does not use any regular expressions for stripping HTML tags. | ||
Regular expressions are not capable of preventing all possible scripting attacks (see [this](http://stackoverflow.com/a/535022)). Here is a [great StackOverflow answer](http://stackoverflow.com/a/5793453) regarding how strip_tags (**when used without specifying allowableTags**) is not vulnerable to scripting attacks. |
'use strict'; | ||
/* global describe, it */ | ||
var assert = require('assert'), | ||
striptags = require('../'); | ||
let assert = require('assert'); | ||
let fs = require('fs'); | ||
let vm = require('vm'); | ||
let striptags = require('../'); | ||
/* global describe, it */ | ||
describe('striptags', function() { | ||
it('should not modify plain text', function() { | ||
var text = 'lorem ipsum < a>'; | ||
describe('#module', function() { | ||
let path = require.resolve('../'); | ||
let src = fs.readFileSync(path); | ||
let script = new vm.Script(src); | ||
assert.equal(striptags(text), text); | ||
}); | ||
it('should define a node module', function() { | ||
let module = { exports: {} }; | ||
it('should remove simple HTML tags', function() { | ||
var html = '<a href="">lorem <strong>ipsum</strong></a>', | ||
text = 'lorem ipsum'; | ||
script.runInNewContext({module}); | ||
assert.equal(striptags(html), text); | ||
}); | ||
assert.notEqual(module.exports, {}); | ||
}); | ||
it('should leave HTML tags if specified', function() { | ||
var html = '<strong>lorem ipsum</strong>', | ||
allowedTags = '<strong>'; | ||
it('should define an amd module', function() { | ||
let global = {}; | ||
let define = function(dependencies, module) { | ||
global.defined = module; | ||
}; | ||
assert.equal(striptags(html, allowedTags), html); | ||
}); | ||
define.amd = true; | ||
it('should leave attributes when allowing HTML', function() { | ||
var html = '<a href="https://example.com">lorem ipsum</a>', | ||
allowedTags = '<a>'; | ||
script.runInNewContext({global, define}); | ||
assert.equal(striptags(html, allowedTags), html); | ||
}); | ||
assert.notEqual(global.defined, null); | ||
}); | ||
it('should leave nested HTML tags if specified', function() { | ||
var html = '<div>lorem <strong>ipsum</strong></div>', | ||
strippedHtml = 'lorem <strong>ipsum</strong>', | ||
allowedTags = '<strong>'; | ||
it('should define a browser global', function() { | ||
let global = {}; | ||
assert.equal(striptags(html, allowedTags), strippedHtml); | ||
script.runInNewContext(global); | ||
assert.notEqual(global.striptags, null); | ||
}); | ||
}); | ||
it('should leave outer HTML tags if specified', function() { | ||
var html = '<div>lorem <strong>ipsum</strong></div>', | ||
strippedHtml = '<div>lorem ipsum</div>', | ||
allowedTags = '<div>'; | ||
describe('with no optional parameters', function() { | ||
it('should not strip invalid tags', function() { | ||
let text = 'lorem ipsum < a> < div>'; | ||
assert.equal(striptags(html, allowedTags), strippedHtml); | ||
}); | ||
assert.equal(striptags(text), text); | ||
}); | ||
it('should remove DOCTYPE declaration', function() { | ||
var html = '<!DOCTYPE html> lorem ipsum', | ||
text = ' lorem ipsum'; | ||
it('should remove simple HTML tags', function() { | ||
let html = '<a href="">lorem <strong>ipsum</strong></a>', | ||
text = 'lorem ipsum'; | ||
assert.equal(striptags(html), text); | ||
}); | ||
assert.equal(striptags(html), text); | ||
}); | ||
it('should remove comments', function() { | ||
var html = '<!-- lorem ipsum --> dolor sit amet', | ||
text = ' dolor sit amet'; | ||
it('should remove comments', function() { | ||
let html = '<!-- lorem -- ipsum -- --> dolor sit amet', | ||
text = ' dolor sit amet'; | ||
assert.equal(striptags(html), text); | ||
}); | ||
assert.equal(striptags(html), text); | ||
}); | ||
it('should strip <> within quotes', function() { | ||
var html = '<a href="<script>">lorem ipsum</a>', | ||
strippedHtml = '<a href="script">lorem ipsum</a>', | ||
allowedTags = '<a>'; | ||
it('should strip tags within comments', function() { | ||
let html = '<!-- <strong>lorem ipsum</strong> --> dolor sit', | ||
text = ' dolor sit'; | ||
assert.equal(striptags(html, allowedTags), strippedHtml); | ||
}); | ||
assert.equal(striptags(html), text); | ||
}); | ||
it('should strip extra < within tags', function() { | ||
var html = '<div<>>lorem ipsum</div>', | ||
strippedHtml = '<div>lorem ipsum</div>', | ||
allowedTags = '<div>'; | ||
assert.equal(striptags(html, allowedTags), strippedHtml); | ||
it('should not fail with nested quotes', function() { | ||
let html = '<article attr="foo \'bar\'">lorem</article> ipsum', | ||
text = 'lorem ipsum'; | ||
assert.equal(striptags(html), text); | ||
}); | ||
}); | ||
it('should strip tags within comments', function() { | ||
var html = '<!-- <strong>lorem ipsum</strong> --> dolor sit', | ||
text = ' dolor sit'; | ||
describe('#allowed_tags', function() { | ||
it('should parse a string', function() { | ||
let html = '<strong>lorem ipsum</strong>', | ||
allowed_tags = '<strong>'; | ||
assert.equal(striptags(html), text); | ||
}); | ||
assert.equal(striptags(html, allowed_tags), html); | ||
}); | ||
it('should strip comment-like tags', function() { | ||
var html = '<! lorem ipsum> dolor sit', | ||
text = ' dolor sit'; | ||
it('should take an array', function() { | ||
let html = '<strong>lorem <em>ipsum</em></strong>', | ||
allowed_tags = ['strong', 'em']; | ||
assert.equal(striptags(html), text); | ||
assert.equal(striptags(html, allowed_tags), html); | ||
}); | ||
}); | ||
it('should leave normal exclamation points alone', function() { | ||
var text = 'lorem ipsum! dolor sit amet'; | ||
describe('with allowable_tags parameter', function() { | ||
it('should leave attributes when allowing HTML', function() { | ||
let html = '<a href="https://example.com">lorem ipsum</a>', | ||
allowed_tags = '<a>'; | ||
assert.equal(striptags(text), text); | ||
}); | ||
assert.equal(striptags(html, allowed_tags), html); | ||
}); | ||
it('should allow an array parameter for allowable tags', function() { | ||
var html = '<strong>lorem <em>ipsum</em></strong>', | ||
allowedTags = ['strong', 'em']; | ||
it('should strip extra < within tags', function() { | ||
let html = '<div<>>lorem ipsum</div>', | ||
text = '<div>lorem ipsum</div>', | ||
allowed_tags = '<div>'; | ||
assert.equal(striptags(html, allowedTags), html); | ||
}); | ||
assert.equal(striptags(html, allowed_tags), text); | ||
}); | ||
it('should strip tags when an empty array is provided', function() { | ||
var html = '<article>lorem <a href="#">ipsum</a></article>', | ||
allowedTags = [], | ||
text = 'lorem ipsum'; | ||
it('should strip <> within quotes', function() { | ||
let html = '<a href="<script>">lorem ipsum</a>', | ||
text = '<a href="script">lorem ipsum</a>', | ||
allowed_tags = '<a>'; | ||
assert.equal(striptags(html, allowedTags), text); | ||
assert.equal(striptags(html, allowed_tags), text); | ||
}); | ||
}); | ||
it('should not fail with nested quotes', function() { | ||
var html = '<article attr="foo \'bar\'">lorem</article> ipsum', | ||
allowedTags = [], | ||
text = 'lorem ipsum'; | ||
describe('with tag_replacement parameter', function() { | ||
it('should replace tags with that parameter', function() { | ||
var html = 'Line One<br>Line Two', | ||
allowed_tags = [], | ||
tag_replacement = '\n', | ||
text = 'Line One\nLine Two'; | ||
assert.equal(striptags(html, allowedTags), text); | ||
assert.equal(striptags(html, allowed_tags, tag_replacement), text); | ||
}); | ||
}); | ||
it('should strip the tag\'s properties and attributes', function() { | ||
var html = '<a href="http://google.com" title="foo" data-id="0">Click here</a>', | ||
allowedTags = [], | ||
text = 'Click here'; | ||
describe('#streaming_mode', function() { | ||
it('should strip streamed HTML', function() { | ||
let striptags_stream = striptags.init_streaming_mode(); | ||
assert.equal(striptags(html, allowedTags), text); | ||
}); | ||
let part_one = striptags_stream('lorem ipsum <stro'); | ||
let part_two = striptags_stream('ng>dolor sit <'); | ||
let part_three = striptags_stream(' amet'); | ||
it('should replace with the tagReplacement parameter', function() { | ||
var html = 'Line One<br>Line Two', | ||
allowedTags = [], | ||
tagReplacement = '\n', | ||
text = 'Line One\nLine Two'; | ||
assert.equal(part_one, 'lorem ipsum '); | ||
assert.equal(part_two, 'dolor sit '); | ||
assert.equal(part_three, '< amet'); | ||
}); | ||
assert.equal(striptags(html, allowedTags, tagReplacement), text); | ||
it('should work with allowable_tags', function() { | ||
let striptags_stream = striptags.init_streaming_mode(['strong']); | ||
let part_one = striptags_stream('lorem ipsum <stro'); | ||
let part_two = striptags_stream('ng>dolor sit <'); | ||
let part_three = striptags_stream(' amet'); | ||
assert.equal(part_one, 'lorem ipsum '); | ||
assert.equal(part_two, '<strong>dolor sit '); | ||
assert.equal(part_three, '< amet'); | ||
}); | ||
}); | ||
}); |
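Review bot: `assert.notEqual(module.exports, {})` in 'should define a node module' can never fail, because notEqual compares two distinct object references and a fresh `{}` literal is never the same object as module.exports; assert the exported shape instead, e.g. `assert.strictEqual(typeof module.exports, 'function');`. The amd and browser-global checks in the same describe only compare against null with loose equality, so `assert.strictEqual(typeof global.defined, 'function')` and `assert.strictEqual(typeof global.striptags, 'function')` would pin what the loader actually received. Separately, `fs.readFileSync(path)` with no encoding returns a Buffer that is then passed to `new vm.Script(src)`; use `fs.readFileSync(path, 'utf8')` so the script source is an explicit string rather than relying on implicit coercion. As a point of style, `let global = {}` shadows Node's own `global` inside those callbacks; a name like `sandbox` would avoid the confusion.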
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Debug access
Supply chain risk: Uses debug, reflection and dynamic code execution features.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package