1.0.0 • Published 9 years ago
gulp-xss v1.0.0
spassword
Install
$ npm install --save-dev gulp-xss Usage
var gulp = require('gulp');
var xss = require('./');
gulp.task('default', function () {
return gulp.src('src/app.js')
.pipe(xss())
.pipe(gulp.dest('dist'));
});API
xss(string, options)
Details of parameters in options would be described below.
options
Whitelist
By specifying a whiteList, e.g. { 'tagName': 'attr-1', 'attr-2' }. Tags and attributes not in the whitelist would be filter out. For example:
// only tag a and its attributes href, title, target are allowed
var options = {
whiteList: {
a: ['href', 'title', 'target']
}
};
// With the configuration specified above, the following HTML:
// <a href="#" onclick="hello()"><i>Hello</i></a>
// would become:
// <a href="#">Hello</a>Customize the handler function for matched tags
By specifying the handler function with onTag
function onTag (tag, html, options) {
// tag is the name of current tag, e.g. 'a' for tag <a>
// html is the HTML of this tag, e.g. '<a>' for tag <a>
// options is some addition informations:
// isWhite boolean, whether the tag is in whitelist
// isClosing boolean, whether the tag is a closing tag, e.g. true for </a>
// position integer, the position of the tag in output result
// sourcePosition integer, the position of the tag in input HTML source
// If a string is returned, the current tag would be replaced with the string
// If return nothing, the default measure would be taken:
// If in whitelist: filter attributes using onTagAttr, as described below
// If not in whitelist: handle by onIgnoreTag, as described below
}Customize the handler function for attributes of matched tags
By specifying the handler function with onTagAttr:
function onTagAttr (tag, name, value, isWhiteAttr) {
// tag is the name of current tag, e.g. 'a' for tag <a>
// name is the name of current attribute, e.g. 'href' for href="#"
// isWhiteAttr whether the tag is in whitelist
// If a string is returned, the attribute would be replaced with the string
// If return nothing, the default measure would be taken:
// If in whitelist: filter the value using safeAttrValue as described below
// If not in whitelist: handle by onIgnoreTagAttr, as described below
}Customize the handler function for tags not in the whitelist
By specifying the handler function with onIgnoreTag:
function onIgnoreTag (tag, html, options) {
// Parameters are the same with onTag
// If a string is returned, the tag would be replaced with the string
// If return nothing, the default measure would be taken (specifies using
// escape, as described below)
}Customize the handler function for attributes not in the whitelist
By specifying the handler function with onIgnoreTagAttr:
function onIgnoreTagAttr (tag, name, value, isWhiteAttr) {
// Parameters are the same with onTagAttr
// If a string is returned, the value would be replaced with this string
// If return nothing, then keep default (remove the attribute)
}Customize escaping function for HTML
By specifying the handler function with escapeHtml. Following is the default function (Modification is not recommended):
function escapeHtml (html) {
return html.replace(/</g, '<').replace(/>/g, '>');
}Customize escaping function for value of attributes
By specifying the handler function with safeAttrValue:
function safeAttrValue (tag, name, value) {
// Parameters are the same with onTagAttr (without options)
// Return the value as a string
}1.0.0
9 years ago