0.1.1 • Published 4 years ago

strip-dom-tags v0.1.1

Weekly downloads
285
License
MIT
Repository
github
Last release
4 years ago

strip-dom-tags

Safely strip all DOM tags from a string to prevent XSS attacks

This module exposes a single functions, that strips a HTML string from tags. It uses the browser DOMParser API (https://caniuse.com/#search=domparser) internally to do the parsing and stripping. It has no dependencies.

You can whitelist different tags and attributes that are allowed, but javascript: attribute values will always be stripped.

This module only works in the browser, it will always return the empty string if invoked server-side.

Usage

stripTags(html : string, whitelistedTags = [] : string[], whitelistedAttributes = [] : string[], visitNode?: (node: Node) : Node) : string
  • html - The string to strip from HTML tags.
  • whitelistedTags - A list of HTML tags that are allowed, like a and img. This is case-insensitive. The default is no tags are allowed.
  • whitelistedAttributes - A list of HTML attributes that are allwed, like href and src. The passed attributes will be allowed on any tag that is whitelisted. So it is possible for a a tag to get a src attribute. Note that attribute values starting with javascript: or containing \n will always be stripped.
  • visitNode - A function that will be invoked on every resulting DOM node after it has been stripped. You can use this to remove invalid attribute, or add target attribute to a tags for example. You can also return a different node (maybe replace img with picture).

Return value

The function returns a HTML string, that is stripped of all the listed tags.

Examples

@infinitebrahmanuniverse/nolb-strip@everything-registry/sub-chunk-2837
0.1.1

4 years ago

0.1.0

4 years ago