striptags
Comparing version 3.1.1 to 4.0.0-alpha.0
{ | ||
"name": "striptags", | ||
"description": "PHP strip_tags in Node.js", | ||
"license": "MIT", | ||
"author": "Eric Norris (https://github.com/ericnorris)", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/ericnorris/striptags.git" | ||
}, | ||
"main": "src/striptags.js", | ||
"homepage": "https://github.com/ericnorris/striptags", | ||
"bugs": "https://github.com/ericnorris/striptags/issues", | ||
"version": "3.1.1", | ||
"devDependencies": { | ||
"istanbul": "^0.4.5", | ||
"mocha": "^3.2.0" | ||
}, | ||
"keywords": [ | ||
"striptags", | ||
"strip_tags", | ||
"html", | ||
"strip", | ||
"tags" | ||
], | ||
"typings": "index.d.ts", | ||
"scripts": { | ||
"test": "mocha", | ||
"coverage": "istanbul cover _mocha -- -R spec" | ||
} | ||
"name": "striptags", | ||
"description": "PHP's strip_tags in Javascript", | ||
"license": "MIT", | ||
"author": "Eric Norris (https://github.com/ericnorris)", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/ericnorris/striptags.git" | ||
}, | ||
"homepage": "https://github.com/ericnorris/striptags", | ||
"bugs": "https://github.com/ericnorris/striptags/issues", | ||
"version": "4.0.0-alpha.0", | ||
"keywords": [ | ||
"striptags", | ||
"strip_tags", | ||
"html", | ||
"strip", | ||
"tags" | ||
], | ||
"main": "dist/cjs/striptags.js", | ||
"module": "dist/es6/striptags.js", | ||
"types": "dist/es6/striptags.d.ts", | ||
"files": [ | ||
"dist/" | ||
], | ||
"devDependencies": { | ||
"@rollup/plugin-typescript": "^6.1.0", | ||
"@types/jest": "^26.0.15", | ||
"@typescript-eslint/eslint-plugin": "^4.8.1", | ||
"@typescript-eslint/parser": "^4.8.1", | ||
"eslint": "^7.14.0", | ||
"eslint-plugin-prettier": "^3.1.4", | ||
"jest": "^26.6.1", | ||
"prettier": "^2.2.0", | ||
"rollup": "^2.33.3", | ||
"ts-jest": "^26.4.3", | ||
"tslib": "^2.0.3", | ||
"typescript": "^4.0.5" | ||
}, | ||
"scripts": { | ||
"test": "jest", | ||
"lint": "eslint .", | ||
"prepublishOnly": "eslint . && rollup -c" | ||
} | ||
} |
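Review bot: `prepublishOnly` runs `eslint . && rollup -c` but never `jest`, so a release can be built and published without the test suite having passed. Since `main`, `module` and `types` now all point at generated files under `dist/`, consider `eslint . && jest && rollup -c`. The `coverage` script and the istanbul dependency are also dropped with no replacement; `jest --coverage` would keep coverage checkable.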
README.md
@@ -1,16 +0,12 @@ | ||
# striptags [![Build Status](https://travis-ci.org/ericnorris/striptags.svg)](https://travis-ci.org/ericnorris/striptags) | ||
An implementation of PHP's [strip_tags](http://www.php.net/manual/en/function.strip-tags.php) in Node.js. | ||
# striptags (WIP) | ||
**Note:** `v3+` targets ES6, and is therefore incompatible with the master branch of `uglifyjs`. You can either: | ||
- use `babili`, which supports ES6 | ||
- use the `harmony` branch of `uglifyjs` | ||
- stick with the [2.x.x](https://github.com/ericnorris/striptags/tree/v2.x.x) branch | ||
An implementation of PHP's [strip_tags](https://www.php.net/manual/en/function.strip-tags.php) in Typescript. | ||
## Features | ||
- Fast | ||
- Zero dependencies | ||
- 100% test code coverage | ||
- No unsafe regular expressions | ||
## Highlights | ||
- No dependencies | ||
- Prevents XSS by default | ||
## Installing | ||
``` | ||
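Review bot: The Highlights line `Prevents XSS by default` is an unqualified security claim in a README now titled `(WIP)`, where the old Features list only said `No unsafe regular expressions`. State what "by default" covers (no allowed tags, default options) so readers do not assume it extends to calls that pass their own options. The ES6/uglifyjs compatibility note also disappears without a successor saying which runtimes the new build targets.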
@@ -21,71 +17,68 @@ npm install striptags | ||
## Basic Usage | ||
```javascript | ||
striptags(html, allowed_tags, tag_replacement); | ||
```typescript | ||
// commonjs format | ||
striptags(text: string, options?: Partial<StateMachineOptions>): string; | ||
``` | ||
### Example | ||
### Examples | ||
```javascript | ||
var striptags = require('striptags'); | ||
// commonjs format | ||
const striptags = require("striptags").striptags; | ||
var html = | ||
'<a href="https://example.com">' + | ||
'lorem ipsum <strong>dolor</strong> <em>sit</em> amet' + | ||
'</a>'; | ||
// alternatively: | ||
// import { striptags } from "striptags"; | ||
striptags(html); | ||
striptags(html, '<strong>'); | ||
striptags(html, ['a']); | ||
striptags(html, [], '\n'); | ||
var html = ` | ||
<a href="https://example.com">lorem ipsum <strong>dolor</strong> <em>sit</em> amet</a> | ||
`.trim(); | ||
console.log(striptags(html)); | ||
console.log(striptags(html, {allowedTags: new Set(["strong"])})); | ||
console.log(striptags(html, {tagReplacementText: "🍩"})); | ||
``` | ||
Outputs: | ||
``` | ||
'lorem ipsum dolor sit amet' | ||
``` | ||
``` | ||
lorem ipsum <strong>dolor</strong> sit amet' | ||
lorem ipsum dolor sit amet | ||
lorem ipsum <strong>dolor</strong> sit amet | ||
🍩lorem ipsum 🍩dolor🍩 🍩sit🍩 amet🍩 | ||
``` | ||
``` | ||
'<a href="https://example.com">lorem ipsum dolor sit amet</a>' | ||
``` | ||
## Advanced Usage | ||
```typescript | ||
class StateMachine { | ||
constructor(partialOptions?: Partial<StateMachineOptions>); | ||
consume(text: string): string; | ||
} | ||
``` | ||
lorem ipsum | ||
dolor | ||
sit amet | ||
``` | ||
The `StateMachine` class is similar to the `striptags` function, but persists state across calls to `consume()` so that you may safely pass in a stream of text. For example: | ||
## Streaming Mode | ||
`striptags` can also operate in streaming mode. Simply call `init_streaming_mode` to get back a function that accepts HTML and outputs stripped HTML. State is saved between calls so that partial HTML can be safely passed in. | ||
```javascript | ||
let stream_function = striptags.init_streaming_mode( | ||
allowed_tags, | ||
tag_replacement | ||
); | ||
const StateMachine = require("striptags").StateMachine; | ||
let partial_text = stream_function(partial_html); | ||
let more_text = stream_function(more_html); | ||
``` | ||
// alternatively: | ||
// import { StateMachine } from "striptags"; | ||
Check out [test/striptags-test.js](test/striptags-test.js) for a concrete example. | ||
const instance = new StateMachine(); | ||
## Tests | ||
You can run tests (powered by [mocha](http://mochajs.org/)) locally via: | ||
console.log( | ||
instance.consume("some text with <a") + instance.consume("tag>and more text") | ||
); | ||
``` | ||
npm test | ||
``` | ||
Generate test coverage (powered by [istanbul](https://github.com/gotwarlost/istanbul)) via : | ||
Outputs: | ||
``` | ||
npm run coverage | ||
some text with and more text | ||
``` | ||
## Options | ||
## Doesn't use regular expressions | ||
`striptags` does not use any regular expressions for stripping HTML tags. | ||
Regular expressions are not capable of preventing all possible scripting attacks (see [this](http://stackoverflow.com/a/535022)). Here is a [great StackOverflow answer](http://stackoverflow.com/a/5793453) regarding how strip_tags (**when used without specifying allowableTags**) is not vulnerable to scripting attacks. | ||
* `allowedTags: Set<string>` a set containing a list of tag names to allow (e.g. `new Set(["tagname"])`), default: `new Set([])`. | ||
* `tagReplacementText: string` a string to use as replacement text when a tag is found and not allowed, default: `""`. | ||
* `encodePlaintextTagDelimiters: boolean` true if `<` and `>` characters immediately followed by whitespace should be HTML encoded, default: `true`. This is safe to set to `false` if the output is expected to be used only as plaintext. |
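Review bot: The Options section documents `allowedTags` without the caveat from the "Doesn't use regular expressions" section, which limited the safety claim to calls made without allowed tags. Add a sentence under `allowedTags` saying whether attributes on allowed tags are kept (the 3.x example output kept `href` on the allowed `<a>`). The signature block is also labelled `// commonjs format` although it is a TypeScript declaration, and nothing tells 3.x callers that `striptags(html, '<strong>')`, `striptags(html, ['a'])` and `init_streaming_mode` are no longer shown as supported; a short migration note would cover it.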
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
No v1
Quality: Package is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
Debug access
Supply chain risk: Uses debug, reflection and dynamic code execution features.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package