
striptags - npm Package Compare versions

Comparing version 2.2.1 to 3.0.0

src/striptags.js

65

package.json
{
"name": "striptags",
"description": "PHP strip_tags in Node.js",
"license": "MIT",
"author": "Eric Norris (https://github.com/ericnorris)",
"repository": {
"type": "git",
"url": "https://github.com/ericnorris/striptags.git"
},
"main": "striptags.js",
"homepage": "https://github.com/ericnorris/striptags",
"bugs": "https://github.com/ericnorris/striptags/issues",
"version": "2.2.1",
"devDependencies": {
"blanket": "~1.1.6",
"mocha": "~2.1.0"
},
"keywords": [
"striptags",
"strip_tags",
"html",
"strip",
"tags"
],
"scripts": {
"test": "node ./node_modules/mocha/bin/mocha",
"test-coverage": "node ./node_modules/mocha/bin/mocha --require blanket -R html-cov > coverage.html"
},
"jshintConfig": {
"node": true
},
"config": {
"blanket": {
"pattern": "src/",
"data-cover-reporter-options": {
"shortnames": true
}
}
}
"name": "striptags",
"description": "PHP strip_tags in Node.js",
"license": "MIT",
"author": "Eric Norris (https://github.com/ericnorris)",
"repository": {
"type": "git",
"url": "https://github.com/ericnorris/striptags.git"
},
"main": "src/striptags.js",
"homepage": "https://github.com/ericnorris/striptags",
"bugs": "https://github.com/ericnorris/striptags/issues",
"version": "3.0.0",
"devDependencies": {
"istanbul": "^0.4.5",
"mocha": "^3.2.0"
},
"keywords": [
"striptags",
"strip_tags",
"html",
"strip",
"tags"
],
"scripts": {
"test": "mocha",
"coverage": "istanbul cover _mocha -- -R spec"
}
}
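Review bot: The 3.0.0 manifest declares no `engines` range, yet the test file shown on this page uses `let` and shorthand properties such as `{module}`, which pre-ES2015 Node releases reject. If `src/striptags.js` relies on the same syntax (its diff is not rendered here, so this is an assumption), an entry such as `"engines": { "node": ">=4" }` would let npm warn on unsupported runtimes. The floor in that example is illustrative and should match whatever CI actually covers.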

@@ -8,3 +8,3 @@ # striptags [![Build Status](https://travis-ci.org/ericnorris/striptags.svg)](https://travis-ci.org/ericnorris/striptags)

- 100% test code coverage
- No unsafe regular expressions!
- No unsafe regular expressions

@@ -16,5 +16,5 @@ ## Installing

## Usage
## Basic Usage
```javascript
striptags(html, allowedTags, tagReplacement);
striptags(html, allowed_tags, tag_replacement);
```

@@ -32,3 +32,3 @@

striptags(html);
striptags(html, '<a><strong>');
striptags(html, '<strong>');
striptags(html, ['a']);

@@ -44,3 +44,3 @@ striptags(html, [], '\n');

```
'<a href="https://example.com">lorem ipsum <strong>dolor</strong> sit amet</a>'
lorem ipsum <strong>dolor</strong> sit amet'
```

@@ -59,3 +59,17 @@

## Streaming Mode
`striptags` can also operate in streaming mode. Simply call `init_streaming_mode` to get back a function that accepts HTML and outputs stripped HTML. State is saved between calls so that partial HTML can be safely passed in.
```javascript
let stream_function = striptags.init_streaming_mode(
allowed_tags,
tag_replacement
);
let partial_text = stream_function(partial_html);
let more_text = stream_function(more_html);
```
Check out [test/striptags-test.js](test/striptags-test.js) for a concrete example.
## Tests

@@ -67,15 +81,11 @@ You can run tests (powered by [mocha](http://mochajs.org/)) locally via:

Generate test coverage (powered by [blanket.js](http://blanketjs.org/)) via :
Generate test coverage (powered by [istanbul](https://github.com/gotwarlost/istanbul)) via :
```
npm run test-coverage
npm run coverage
```
## Differences between PHP strip_tags and striptags
In this version, not much! This now closely resembles a 'port' from PHP 5.5's internal implementation of strip_tags, [php_strip_tags_ex](http://lxr.php.net/xref/PHP_5_5/ext/standard/string.c#php_strip_tags_ex).
One major difference is that this JS version does not strip PHP-style tags; it seemed out of place in a node.js project. Let me know if this is important enough to consider including.
## Doesn't use regular expressions
striptags does not use any regular expressions for stripping HTML tags ([these](src/striptags.js#L7-L8) are used for detecting whitespace and parsing the allowedTags parameter, not finding HTML).
`striptags` does not use any regular expressions for stripping HTML tags.
Regular expressions are not capable of preventing all possible scripting attacks (see [this](http://stackoverflow.com/a/535022)). Here is a [great StackOverflow answer](http://stackoverflow.com/a/5793453) regarding how strip_tags (**when used without specifying allowableTags**) is not vulnerable to scripting attacks.
'use strict';
/* global describe, it */
var assert = require('assert'),
striptags = require('../');
let assert = require('assert');
let fs = require('fs');
let vm = require('vm');
let striptags = require('../');
/* global describe, it */
describe('striptags', function() {
it('should not modify plain text', function() {
var text = 'lorem ipsum < a>';
describe('#module', function() {
let path = require.resolve('../');
let src = fs.readFileSync(path);
let script = new vm.Script(src);
assert.equal(striptags(text), text);
});
it('should define a node module', function() {
let module = { exports: {} };
it('should remove simple HTML tags', function() {
var html = '<a href="">lorem <strong>ipsum</strong></a>',
text = 'lorem ipsum';
script.runInNewContext({module});
assert.equal(striptags(html), text);
});
assert.notEqual(module.exports, {});
});
it('should leave HTML tags if specified', function() {
var html = '<strong>lorem ipsum</strong>',
allowedTags = '<strong>';
it('should define an amd module', function() {
let global = {};
let define = function(dependencies, module) {
global.defined = module;
};
assert.equal(striptags(html, allowedTags), html);
});
define.amd = true;
it('should leave attributes when allowing HTML', function() {
var html = '<a href="https://example.com">lorem ipsum</a>',
allowedTags = '<a>';
script.runInNewContext({global, define});
assert.equal(striptags(html, allowedTags), html);
});
assert.notEqual(global.defined, null);
});
it('should leave nested HTML tags if specified', function() {
var html = '<div>lorem <strong>ipsum</strong></div>',
strippedHtml = 'lorem <strong>ipsum</strong>',
allowedTags = '<strong>';
it('should define a browser global', function() {
let global = {};
assert.equal(striptags(html, allowedTags), strippedHtml);
script.runInNewContext(global);
assert.notEqual(global.striptags, null);
});
});
it('should leave outer HTML tags if specified', function() {
var html = '<div>lorem <strong>ipsum</strong></div>',
strippedHtml = '<div>lorem ipsum</div>',
allowedTags = '<div>';
describe('with no optional parameters', function() {
it('should not strip invalid tags', function() {
let text = 'lorem ipsum < a> < div>';
assert.equal(striptags(html, allowedTags), strippedHtml);
});
assert.equal(striptags(text), text);
});
it('should remove DOCTYPE declaration', function() {
var html = '<!DOCTYPE html> lorem ipsum',
text = ' lorem ipsum';
it('should remove simple HTML tags', function() {
let html = '<a href="">lorem <strong>ipsum</strong></a>',
text = 'lorem ipsum';
assert.equal(striptags(html), text);
});
assert.equal(striptags(html), text);
});
it('should remove comments', function() {
var html = '<!-- lorem ipsum --> dolor sit amet',
text = ' dolor sit amet';
it('should remove comments', function() {
let html = '<!-- lorem -- ipsum -- --> dolor sit amet',
text = ' dolor sit amet';
assert.equal(striptags(html), text);
});
assert.equal(striptags(html), text);
});
it('should strip <> within quotes', function() {
var html = '<a href="<script>">lorem ipsum</a>',
strippedHtml = '<a href="script">lorem ipsum</a>',
allowedTags = '<a>';
it('should strip tags within comments', function() {
let html = '<!-- <strong>lorem ipsum</strong> --> dolor sit',
text = ' dolor sit';
assert.equal(striptags(html, allowedTags), strippedHtml);
});
assert.equal(striptags(html), text);
});
it('should strip extra < within tags', function() {
var html = '<div<>>lorem ipsum</div>',
strippedHtml = '<div>lorem ipsum</div>',
allowedTags = '<div>';
assert.equal(striptags(html, allowedTags), strippedHtml);
it('should not fail with nested quotes', function() {
let html = '<article attr="foo \'bar\'">lorem</article> ipsum',
text = 'lorem ipsum';
assert.equal(striptags(html), text);
});
});
it('should strip tags within comments', function() {
var html = '<!-- <strong>lorem ipsum</strong> --> dolor sit',
text = ' dolor sit';
describe('#allowed_tags', function() {
it('should parse a string', function() {
let html = '<strong>lorem ipsum</strong>',
allowed_tags = '<strong>';
assert.equal(striptags(html), text);
});
assert.equal(striptags(html, allowed_tags), html);
});
it('should strip comment-like tags', function() {
var html = '<! lorem ipsum> dolor sit',
text = ' dolor sit';
it('should take an array', function() {
let html = '<strong>lorem <em>ipsum</em></strong>',
allowed_tags = ['strong', 'em'];
assert.equal(striptags(html), text);
assert.equal(striptags(html, allowed_tags), html);
});
});
it('should leave normal exclamation points alone', function() {
var text = 'lorem ipsum! dolor sit amet';
describe('with allowable_tags parameter', function() {
it('should leave attributes when allowing HTML', function() {
let html = '<a href="https://example.com">lorem ipsum</a>',
allowed_tags = '<a>';
assert.equal(striptags(text), text);
});
assert.equal(striptags(html, allowed_tags), html);
});
it('should allow an array parameter for allowable tags', function() {
var html = '<strong>lorem <em>ipsum</em></strong>',
allowedTags = ['strong', 'em'];
it('should strip extra < within tags', function() {
let html = '<div<>>lorem ipsum</div>',
text = '<div>lorem ipsum</div>',
allowed_tags = '<div>';
assert.equal(striptags(html, allowedTags), html);
});
assert.equal(striptags(html, allowed_tags), text);
});
it('should strip tags when an empty array is provided', function() {
var html = '<article>lorem <a href="#">ipsum</a></article>',
allowedTags = [],
text = 'lorem ipsum';
it('should strip <> within quotes', function() {
let html = '<a href="<script>">lorem ipsum</a>',
text = '<a href="script">lorem ipsum</a>',
allowed_tags = '<a>';
assert.equal(striptags(html, allowedTags), text);
assert.equal(striptags(html, allowed_tags), text);
});
});
it('should not fail with nested quotes', function() {
var html = '<article attr="foo \'bar\'">lorem</article> ipsum',
allowedTags = [],
text = 'lorem ipsum';
describe('with tag_replacement parameter', function() {
it('should replace tags with that parameter', function() {
var html = 'Line One<br>Line Two',
allowed_tags = [],
tag_replacement = '\n',
text = 'Line One\nLine Two';
assert.equal(striptags(html, allowedTags), text);
assert.equal(striptags(html, allowed_tags, tag_replacement), text);
});
});
it('should strip the tag\'s properties and attributes', function() {
var html = '<a href="http://google.com" title="foo" data-id="0">Click here</a>',
allowedTags = [],
text = 'Click here';
describe('#streaming_mode', function() {
it('should strip streamed HTML', function() {
let striptags_stream = striptags.init_streaming_mode();
assert.equal(striptags(html, allowedTags), text);
});
let part_one = striptags_stream('lorem ipsum <stro');
let part_two = striptags_stream('ng>dolor sit <');
let part_three = striptags_stream(' amet');
it('should replace with the tagReplacement parameter', function() {
var html = 'Line One<br>Line Two',
allowedTags = [],
tagReplacement = '\n',
text = 'Line One\nLine Two';
assert.equal(part_one, 'lorem ipsum ');
assert.equal(part_two, 'dolor sit ');
assert.equal(part_three, '< amet');
});
assert.equal(striptags(html, allowedTags, tagReplacement), text);
it('should work with allowable_tags', function() {
let striptags_stream = striptags.init_streaming_mode(['strong']);
let part_one = striptags_stream('lorem ipsum <stro');
let part_two = striptags_stream('ng>dolor sit <');
let part_three = striptags_stream(' amet');
assert.equal(part_one, 'lorem ipsum ');
assert.equal(part_two, '<strong>dolor sit ');
assert.equal(part_three, '< amet');
});
});
});
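Review bot: The new `#module` case 'should define a node module' cannot fail, because `assert.notEqual(module.exports, {})` compares with `!=` and a fresh object literal is never reference-equal to anything. The assertion therefore holds even when the script exports nothing. Assert on the shape instead, e.g. `assert.equal(typeof module.exports, 'function');`, and do the same for `global.defined` and `global.striptags`, whose checks currently only rule out null/undefined. Separately, the `allowed_tags` cases pin that attributes of allowed tags pass through unchanged, so a comment there such as `// attributes of allowed tags are not filtered; untrusted HTML still needs an attribute-level sanitizer` would keep that contract visible to callers.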

Sorry, the diff of this file is not supported yet
