ultrahtml (npm package, version 1.0.0-next.4, tag: next)
ultrahtml

A 1.75kB library for enhancing html. ultrahtml has zero dependencies and is compatible with any JavaScript runtime.

Features

  • Tiny, fault-tolerant and friendly HTML-like parser. Works with HTML, Astro, Vue, Svelte, and any other HTML-like syntax.
  • Built-in AST walk utility
  • Built-in transform utility for easy output manipulation
  • Automatic but configurable sanitization, see Sanitization
  • Handy html template utility
  • querySelector and querySelectorAll support using ultrahtml/selector

walk

The walk function provides full control over the AST. It can be used to scan for text, elements, components, or any other validation you might want to do.

Note: walk is async and must be awaited. Use walkSync if it is guaranteed there are no async components in the tree.

import { parse, walk, ELEMENT_NODE } from "ultrahtml";

const ast = parse(`<h1>Hello world!</h1>`);
await walk(ast, async (node) => {
  if (node.type === ELEMENT_NODE && node.name === "script") {
    throw new Error("Found a script!");
  }
});

walkSync

The walkSync function is identical to the walk function, but is synchronous. This should only be used when it is guaranteed there are no async components in the tree.

import { parse, walkSync, ELEMENT_NODE } from "ultrahtml";

const ast = parse(`<h1>Hello world!</h1>`);
walkSync(ast, (node) => {
  if (node.type === ELEMENT_NODE && node.name === "script") {
    throw new Error("Found a script!");
  }
});
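The page's walk examples stop at the first script element and throw. As an added example (not ultrahtml's own code), the block below uses a minimal synchronous walk stand-in with the same (node, callback) shape over a constructed AST in the shape parse() returns (type, name, attributes, children), and collects a list of findings instead of aborting, so a validation pass can report everything it saw in one run. The node type labels, the sample tree and the scan policy (script elements, inline on* handler attributes, javascript: URLs in URL attributes) are this example's own assumptions.

```javascript
// Added example, not ultrahtml's code: a walkSync-style scan that reports findings.

// Node type tags are this example's own labels, standing in for ultrahtml's
// ELEMENT_NODE / TEXT_NODE / COMMENT_NODE constants.
const ELEMENT = "element";
const TEXT = "text";
const COMMENT = "comment";

// Constructed input: a tree in the shape parse() would return for
// <div><script>x()</script><img src="a.png" onerror="y()"><a href="javascript:z()">go</a></div>
const SAMPLE_AST = {
  type: "document",
  children: [
    {
      type: ELEMENT, name: "div", attributes: {},
      children: [
        { type: ELEMENT, name: "script", attributes: {}, children: [{ type: TEXT, value: "x()" }] },
        { type: ELEMENT, name: "img", attributes: { src: "a.png", onerror: "y()" }, children: [] },
        { type: ELEMENT, name: "a", attributes: { href: "javascript:z()" }, children: [{ type: TEXT, value: "go" }] },
      ],
    },
  ],
};

// Minimal stand-in for walkSync: visit every node depth-first, parent before children.
function walkSync(node, callback, parent = null, index = 0) {
  callback(node, parent, index);
  for (const [i, child] of (node.children ?? []).entries()) {
    walkSync(child, callback, node, i);
  }
}

// Attributes whose value is interpreted as a URL by the browser.
const URL_ATTRS = new Set(["href", "src", "action", "formaction"]);

// Scan policy (this example's own): flag script elements, inline event-handler
// attributes (on*), and URL attributes whose scheme is javascript:.
function scan(ast) {
  const findings = [];
  walkSync(ast, (node) => {
    if (node.type !== ELEMENT) return;
    if (node.name === "script") findings.push(`<${node.name}> element`);
    for (const [attr, value] of Object.entries(node.attributes ?? {})) {
      const lower = attr.toLowerCase();
      if (lower.startsWith("on")) findings.push(`<${node.name} ${attr}> inline handler`);
      if (URL_ATTRS.has(lower) && String(value).trim().toLowerCase().startsWith("javascript:")) {
        findings.push(`<${node.name} ${attr}> javascript: URL`);
      }
    }
  });
  return findings;
}

console.log(scan(SAMPLE_AST));
// → [ '<script> element', '<img onerror> inline handler', '<a href> javascript: URL' ]
```

Collecting findings rather than throwing is the better fit for a linting or review step, where every problem in the fragment should be surfaced at once; throwing, as in the page's example, suits a hard gate where the first hit is enough to reject the input.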

render

The render function allows you to serialize an AST back into a string.

Note: By default, render will sanitize your markup, removing any script tags. Pass { sanitize: false } to disable this behavior.

import { parse, render } from "ultrahtml";

const ast = parse(`<h1>Hello world!</h1>`);
const output = await render(ast);

transform

The transform function provides a straightforward way to swap elements (or Components) in place and update them with a new value. It is a shortcut that combines parse and render.

Note: By default, transform will sanitize your markup, removing any script tags. Pass { sanitize: false } to disable this behavior.

import { transform, html } from "ultrahtml";

const output = await transform(`<h1>Hello world!</h1>`, {
  components: {
    h1: (props, children) => html`<h1 class="ultra">${children}</h1>`,
  },
});

console.log(output); // <h1 class="ultra">Hello world!</h1>

Sanitization

ultrahtml implements an extension of the HTML Sanitizer API. This is enabled by default, but can be turned off by passing { sanitize: false } to render and transform.

Sanitizer options (name, type, default):

  • allowElements (string[], default: undefined): An array of strings indicating elements that the sanitizer should not remove. All elements not in the array will be dropped.
  • blockElements (string[], default: undefined): An array of strings indicating elements that the sanitizer should remove, but keep their child elements.
  • dropElements (string[], default: ["script"]): An array of strings indicating elements (including nested elements) that the sanitizer should remove.
  • allowAttributes (Record<string, string[]>, default: undefined): An object where each key is the attribute name and the value is an array of allowed tag names. Matching attributes will not be removed. All attributes that are not in the array will be dropped.
  • dropAttributes (Record<string, string[]>, default: undefined): An object where each key is the attribute name and the value is an array of dropped tag names. Matching attributes will be removed.
  • allowComponents (boolean, default: false): A boolean value set to false (default) to remove components and their children. If set to true, components will be subject to built-in and custom configuration checks (and will be retained or dropped based on those checks).
  • allowCustomElements (boolean, default: false): A boolean value set to false (default) to remove custom elements and their children. If set to true, custom elements will be subject to built-in and custom configuration checks (and will be retained or dropped based on those checks).
  • allowComments (boolean, default: false): A boolean value set to false (default) to remove HTML comments. Set to true in order to keep comments.
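The option table describes what each setting does but not how they combine, and the defaults matter for a reviewer: per the table, only script elements are dropped out of the box, and attribute filtering is off until allowAttributes or dropAttributes is configured. As an added example (not ultrahtml's sanitizer), the block below models the documented semantics of allowElements, blockElements, dropElements, allowAttributes, dropAttributes and allowComments over a constructed AST, with a tiny serializer so the effect of each setting is visible as markup. The node shape, type labels and sample tree are this example's own assumptions; "dropped" for elements outside allowElements is modelled as removing the whole subtree, following the table's wording.

```javascript
// Added example, not ultrahtml's code: a model of the documented sanitizer options.

// This example's own node type labels (stand-ins for ultrahtml's constants).
const ELEMENT = "element";
const TEXT = "text";
const COMMENT = "comment";

// Constructed input: a tree in the shape parse() would return for
// <div class="c"><!-- note --><script>x()</script><b onclick="y()">hi</b><a href="/p" onclick="z()">go</a></div>
const SAMPLE_AST = {
  type: "document",
  children: [
    {
      type: ELEMENT, name: "div", attributes: { class: "c" },
      children: [
        { type: COMMENT, value: " note " },
        { type: ELEMENT, name: "script", attributes: {}, children: [{ type: TEXT, value: "x()" }] },
        { type: ELEMENT, name: "b", attributes: { onclick: "y()" }, children: [{ type: TEXT, value: "hi" }] },
        { type: ELEMENT, name: "a", attributes: { href: "/p", onclick: "z()" }, children: [{ type: TEXT, value: "go" }] },
      ],
    },
  ],
};

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, "&quot;");
}

// allowAttributes: attribute name -> tag names it may stay on (everything else is dropped).
// dropAttributes: attribute name -> tag names it is removed from.
function keepAttribute(attr, tag, opts) {
  if (opts.allowAttributes) {
    const tags = opts.allowAttributes[attr];
    return Array.isArray(tags) && tags.includes(tag);
  }
  if (opts.dropAttributes) {
    const tags = opts.dropAttributes[attr];
    if (Array.isArray(tags) && tags.includes(tag)) return false;
  }
  return true;
}

// Serialize a list of nodes under the merged options; returns markup as a string.
function renderNodes(nodes, opts) {
  let out = "";
  for (const node of nodes) {
    if (node.type === TEXT) { out += escapeText(node.value); continue; }
    if (node.type === COMMENT) { if (opts.allowComments) out += `<!--${node.value}-->`; continue; }
    if (node.type !== ELEMENT) { out += renderNodes(node.children ?? [], opts); continue; }
    const name = node.name;
    // dropElements: the element and its whole subtree disappear.
    if (opts.dropElements.includes(name)) continue;
    // allowElements: anything not listed is dropped as well.
    if (opts.allowElements && !opts.allowElements.includes(name)) continue;
    const children = renderNodes(node.children ?? [], opts);
    // blockElements: the tag is removed but its children are kept.
    if (opts.blockElements && opts.blockElements.includes(name)) { out += children; continue; }
    const attrs = Object.entries(node.attributes ?? {})
      .filter(([attr]) => keepAttribute(attr, name, opts))
      .map(([attr, value]) => ` ${attr}="${escapeAttr(String(value))}"`)
      .join("");
    out += `<${name}${attrs}>${children}</${name}>`;
  }
  return out;
}

// Entry point: apply the table's defaults, then the caller's options.
function sanitize(ast, options = {}) {
  const opts = { dropElements: ["script"], allowComments: false, ...options };
  return renderNodes([ast], opts);
}

// With the defaults only the script element goes; the inline handlers stay.
console.log(sanitize(SAMPLE_AST));
// → <div class="c"><b onclick="y()">hi</b><a href="/p" onclick="z()">go</a></div>

// An allow-list for attributes plus blocking <b> (children kept):
console.log(sanitize(SAMPLE_AST, { allowAttributes: { class: ["div"], href: ["a"] }, blockElements: ["b"] }));
// → <div class="c">hi<a href="/p">go</a></div>
```

The first output is the point worth remembering from the table: the default configuration is a script-tag filter, not an attribute filter, so a deployment that needs inline handlers removed has to say so through allowAttributes (an allow-list, which is the safer shape) or dropAttributes.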

Package last updated on 22 Oct 2022