2.5.1 • Published 6 years ago
ting
Opinionated HTML Sanitizer for Node.js. Built upon sanitize-html.
- Keep up with the latest standards (new tags are allowed, e.g. <aside>, <progress>, <time>...).
- <iframe> is not allowed.
- style attribute is not allowed.
- id attribute is not allowed unless idFilter returns true (see Options).
- Inline SVG is not allowed (use <img> with an external SVG source).
- Customizable via sanitize-html options.
- TypeScript friendly.
Installation
yarn add ting
Usage
const ting = require('ting');
ting.sanitize(
html, // the HTML string that needs to be sanitized
options, // [Optional] ting options
overrideOptions, // [Optional] a function to override the internal sanitize-html options
);
Example:
const ting = require('ting');
const dirty = `
<script>alert(1)</script>
<img src="x.jpg" onclick="alert(1)"/>
<img src="cool.jpg"/>
<figcaption>caption</figcaption>
`;
const safe = ting.sanitize(dirty);
console.log(safe);
/** Prints
<img src="x.jpg" />
<img src="cool.jpg" />
<figcaption>caption</figcaption>
*/
Options
{
// `id` attribute is not allowed unless `idFilter` returns true
idFilter: (id: string) => boolean;
}
- Example: allow all ids starting with "user-content-":
ting.sanitize(`
<a id="id-attack">bad</a>
<a id="user-content-link">fine</a>
<a>no id</a>`, {
idFilter: (id) => {
return id.startsWith('user-content-');
},
});
/** Prints
<a id="user-content-link">fine</a>
<a>no id</a>
*/
Overriding sanitize-html Options
ting is built upon sanitize-html, so you can override the internal sanitize-html options, or pass in an entirely new set (which would make ting no different from sanitize-html). For example, to allow <iframe> tags, override the allowedTags and allowedAttributes of the sanitize-html options.
ting.sanitize('<iframe src="https://coldfunction.com"></iframe>',
undefined, // no options for ting
(opts) => { // override sanitize-html options
opts.allowedTags.push('iframe');
opts.allowedAttributes.iframe = ['src'];
return opts;
});
// Prints: <iframe src="https://coldfunction.com"></iframe>
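As an added example (not part of the ting README or the project's own code), here is a stricter idFilter for the "user-content-" convention together with an override callback that admits <iframe> only from named hosts, using sanitize-html's allowedIframeHostnames and allowIframeRelativeUrls options rather than any src as in the override above; both are meant to be passed to ting.sanitize exactly as the README shows. The names userContentIdFilter, allowIframesFrom and sanitizeUserContent are my own, and the sample HTML is constructed.

```javascript
const ID_PREFIX = 'user-content-';

// idFilter for ting: accept an id only when it carries the prefix and the
// remainder is a non-empty, conservative token, so a user-supplied id can
// never shadow one of the host page's own element ids (the "id-attack" case).
function userContentIdFilter(id) {
  if (typeof id !== 'string' || !id.startsWith(ID_PREFIX)) return false;
  return /^[A-Za-z0-9][A-Za-z0-9_-]*$/.test(id.slice(ID_PREFIX.length));
}

// overrideOptions callback for ting: allow <iframe src>, but only for an
// explicit list of hostnames. allowedIframeHostnames and
// allowIframeRelativeUrls are sanitize-html options, not ting options.
function allowIframesFrom(hostnames) {
  return (opts) => {
    if (!opts.allowedTags.includes('iframe')) opts.allowedTags.push('iframe');
    opts.allowedAttributes = { ...opts.allowedAttributes, iframe: ['src'] };
    opts.allowedIframeHostnames = [...hostnames];
    opts.allowIframeRelativeUrls = false;
    return opts;
  };
}

// Wire both into ting.sanitize; `ting` is passed in so this file can be
// loaded and tested without the package installed (see demo below).
function sanitizeUserContent(ting, html, hostnames) {
  return ting.sanitize(html, { idFilter: userContentIdFilter }, allowIframesFrom(hostnames));
}

// Constructed sample input; the demo only runs where `ting` is installed.
const SAMPLE = `
<a id="id-attack">bad</a>
<a id="user-content-link">fine</a>
<iframe src="https://www.youtube.com/embed/x"></iframe>
<iframe src="https://untrusted.example/"></iframe>`;

function demo() {
  let ting;
  try { ting = require('ting'); } catch (e) { return null; }
  return sanitizeUserContent(ting, SAMPLE, ['www.youtube.com']);
}

const out = demo();
if (out !== null) console.log(out);
```

With ting installed, the demo keeps the "user-content-link" id and the YouTube iframe and drops the other id and the iframe from the unlisted host.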