Security News
JavaScript Leaders Demand Oracle Release the JavaScript Trademark
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
The 'striptags' npm package is a utility for stripping HTML and XML tags from a string. It is useful for sanitizing user input, cleaning up text for display, and ensuring that text content is free from potentially harmful or unwanted HTML tags.
Basic HTML Tag Removal
This feature allows you to remove all HTML tags from a string, leaving only the text content.
const striptags = require('striptags');
const text = striptags('<p>Hello <strong>world</strong>!</p>');
console.log(text); // Output: 'Hello world!'
Allow Specific Tags
This feature allows you to specify which HTML tags should be allowed to remain in the string while stripping all others.
const striptags = require('striptags');
const text = striptags('<p>Hello <strong>world</strong>!</p>', ['strong']);
console.log(text); // Output: 'Hello <strong>world</strong>!'
Strip Tags with Whitelist
This feature allows you to strip tags while using a whitelist of allowed tags, providing more control over the sanitization process.
const striptags = require('striptags');
const text = striptags('<p>Hello <strong>world</strong>!</p>', [], '<>');
console.log(text); // Output: 'Hello world!'
The 'sanitize-html' package provides a more comprehensive solution for sanitizing HTML content. It allows for more granular control over which tags and attributes are allowed, and can also handle nested tags and complex HTML structures. Compared to 'striptags', 'sanitize-html' offers more advanced sanitization options but may be more complex to configure.
The 'xss' package is designed to filter out potential XSS (Cross-Site Scripting) attacks by sanitizing HTML content. It provides a high level of security by default and allows for customization of allowed tags and attributes. 'xss' is more focused on security compared to 'striptags', making it a better choice for applications where preventing XSS is a primary concern.
The 'html-entities' package is used to encode and decode HTML entities. While it does not strip tags, it can be used in conjunction with other packages to ensure that HTML entities are properly handled. It is more focused on encoding and decoding rather than sanitization, making it a complementary tool rather than a direct alternative to 'striptags'.
An implementation of PHP's strip_tags in Node.js.
npm install striptags
striptags(html, allowed_tags, tag_replacement);
var striptags = require('striptags');
var html =
'<a href="https://example.com">' +
'lorem ipsum <strong>dolor</strong> <em>sit</em> amet' +
'</a>';
striptags(html);
striptags(html, '<strong>');
striptags(html, ['a']);
striptags(html, [], '\n');
Outputs:
'lorem ipsum dolor sit amet'
lorem ipsum <strong>dolor</strong> sit amet'
'<a href="https://example.com">lorem ipsum dolor sit amet</a>'
lorem ipsum
dolor
sit amet
striptags
can also operate in streaming mode. Simply call init_streaming_mode
to get back a function that accepts HTML and outputs stripped HTML. State is saved between calls so that partial HTML can be safely passed in.
let stream_function = striptags.init_streaming_mode(
allowed_tags,
tag_replacement
);
let partial_text = stream_function(partial_html);
let more_text = stream_function(more_html);
Check out test/striptags-test.js for a concrete example.
You can run tests (powered by mocha) locally via:
npm test
Generate test coverage (powered by istanbul) via :
npm run coverage
striptags
does not use any regular expressions for stripping HTML tags.
Regular expressions are not capable of preventing all possible scripting attacks (see this). Here is a great StackOverflow answer regarding how strip_tags (when used without specifying allowableTags) is not vulnerable to scripting attacks.
FAQs
PHP strip_tags in Node.js
The npm package striptags receives a total of 437,292 weekly downloads. As such, striptags popularity was classified as popular.
We found that striptags demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
Security News
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
Security News
Floating dependency ranges in npm can introduce instability and security risks into your project by allowing unverified or incompatible versions to be installed automatically, leading to unpredictable behavior and potential conflicts.