striptags
Advanced tools
Readme
An implementation of PHP's strip_tags in Typescript.
Note: this is a total rewrite from v3, and as such, is currently in an alpha state. Feel free to use this during the alpha period and provide feedback before it is released as v4.
npm install striptags@alpha
striptags(text: string, options?: Partial<StateMachineOptions>): string;
// commonjs
const striptags = require("striptags").striptags;
// alternatively, as an es6 import
// import { striptags } from "striptags";
var html = `
<a href="https://example.com">lorem ipsum <strong>dolor</strong> <em>sit</em> amet</a>
`.trim();
console.log(striptags(html));
console.log(striptags(html, { allowedTags: new Set(["strong"]) }));
console.log(striptags(html, { tagReplacementText: "🍩" }));
Outputs:
lorem ipsum dolor sit amet
lorem ipsum <strong>dolor</strong> sit amet
🍩lorem ipsum 🍩dolor🍩 🍩sit🍩 amet🍩
class StateMachine {
constructor(partialOptions?: Partial<StateMachineOptions>);
consume(text: string): string;
}
The StateMachine class is similar to the striptags function, but persists state across calls to consume() so that you may safely pass in a stream of text. For example:
// commonjs
const StateMachine = require("striptags").StateMachine;
// alternatively, as an es6 import
// import { StateMachine } from "striptags";
const instance = new StateMachine();
console.log(instance.consume("some text with <a") + instance.consume("tag>and more text"));
Outputs:
some text with and more text
striptags is safe to use by default; the output is guaranteed to be free of potential XSS vectors if used as text within a tag. Specifying either allowedTags or disallowedTags in the options argument removes this guarantee, however. For example, a malicious user may achieve XSS via an attribute in an allowed tag: <img onload="alert(1);">.
In addition, striptags will automatically HTML encode < and > characters followed by whitespace. While most browsers tested treat < or > followed by whitespace as a non-tag string, it is safer to escape the characters. You may change this behavior via the encodePlaintextTagDelimiters option described below.
Partial<StateMachineOptions>allowedTags?: Set<string>
A set containing a list of tag names to allow (e.g. new Set(["tagname"])). Tags not in this list will be removed. This option takes precedence over the disallowedTags option.
Default: undefined
disallowedTags?: Set<string>
A set containing a list of tag names to disallow ((e.g. new Set(["tagname"])). Tags not in this list will be allowed. Ignored if allowedTags is set.
Default: undefined
tagReplacementText?: string
A string to use as replacement text when a tag is found and not allowed.
Default: ""
encodePlaintextTagDelimiters?: boolean
Setting this option to true will cause < and > characters immediately followed by whitespace to be HTML encoded. This is safe to set to false if the output is expected to be used only as plaintext (i.e. it will not be displayed alongside other HTML).
Default: true
FAQs
PHP strip_tags in Node.js
We found that striptags demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.
Security News
Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.