2.5.1 • Published 5 years ago
# ting
Opinionated HTML Sanitizer for Node.js. Built upon sanitize-html.
- Keeps up with the latest standards (newer tags such as `<aside>`, `<progress>` and `<time>` are allowed).
- `<iframe>` is not allowed.
- The `style` attribute is not allowed.
- The `id` attribute is not allowed unless `idFilter` returns true (see Options).
- Inline SVG is not allowed (use `<img>` with an external SVG source).
- Customizable via sanitize-html options.
- TypeScript friendly.
## Installation

```sh
yarn add ting
```
## Usage

```js
const ting = require('ting');

ting.sanitize(
  html, // the HTML string that needs to be sanitized
  options, // [Optional] ting options
  overrideOptions, // [Optional] a function that receives and overrides the internal sanitize-html options
);
```
Example:

```js
const ting = require('ting');

const dirty = `
<script>alert(1)</script>
<img src="x.jpg" onclick="alert(1)"/>
<img src="cool.jpg"/>
<figcaption>caption</figcaption>
`;

const safe = ting.sanitize(dirty);
console.log(safe);
/** Prints
<img src="x.jpg" />
<img src="cool.jpg" />
<figcaption>caption</figcaption>
*/
```
## Options

```ts
{
  // `id` attribute is not allowed unless `idFilter` returns true
  idFilter: (id: string) => boolean;
}
```
- Example: allow all `id`s starting with `"user-content-"`:

```js
ting.sanitize(`
<a id="id-attack">bad</a>
<a id="user-content-link">fine</a>
<a>no id</a>`, {
  idFilter: (id) => {
    return id.startsWith('user-content-');
  },
});
/** Prints
<a id="user-content-link">fine</a>
<a>no id</a>
*/
```
## Overriding sanitize-html Options

Because ting is built upon sanitize-html, you can override the internal sanitize-html options or replace them with your own (which makes ting no different from sanitize-html). For example, to allow `<iframe>` tags, add the tag to `allowedTags` and its attributes to `allowedAttributes` in the sanitize-html options:
```js
ting.sanitize('<iframe src="https://coldfunction.com"></iframe>',
  undefined, // no options for ting
  (opts) => { // override sanitize-html options
    opts.allowedTags.push('iframe');
    opts.allowedAttributes.iframe = ['src'];
    return opts;
  });
// Prints: <iframe src="https://coldfunction.com"></iframe>
```
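The override above re-enables `<iframe>` for any `src`. The following is an added example, not ting's or sanitize-html's own code, of an `overrideOptions` callback that limits iframes to an allow-list of hostnames and to `https`; it assumes sanitize-html's `allowedIframeHostnames` and `allowedSchemesByTag` options and the `opts` shape (`allowedTags` array, `allowedAttributes` map) shown above, and the hostname `embed.example.com` is a constructed placeholder.

```javascript
// Added example: build an overrideOptions callback for ting.sanitize() that
// allows <iframe> only for listed hostnames over https, instead of any src.
// Assumes sanitize-html's `allowedIframeHostnames` / `allowedSchemesByTag`
// options and the opts shape (allowedTags, allowedAttributes) shown in the README.

function restrictedIframeOverride(hostnames) {
  if (!Array.isArray(hostnames) || hostnames.length === 0) {
    throw new Error('restrictedIframeOverride: at least one hostname is required');
  }
  return (opts) => {
    // Work on a shallow copy so the defaults passed in are not mutated.
    const out = {
      ...opts,
      allowedTags: [...(opts.allowedTags || [])],
      allowedAttributes: { ...(opts.allowedAttributes || {}) },
    };
    if (!out.allowedTags.includes('iframe')) out.allowedTags.push('iframe');
    // Only src survives on <iframe>; no sandbox/srcdoc/event attributes.
    out.allowedAttributes.iframe = ['src'];
    // Restrict the iframe src to https and to the listed hostnames only.
    out.allowedSchemesByTag = { ...(opts.allowedSchemesByTag || {}), iframe: ['https'] };
    out.allowedIframeHostnames = [...hostnames];
    return out;
  };
}

// Constructed stand-in for the internal opts object ting hands to the callback.
const sampleOpts = {
  allowedTags: ['a', 'img', 'figcaption'],
  allowedAttributes: { a: ['href'], img: ['src'] },
};

const override = restrictedIframeOverride(['embed.example.com']);
const result = override(sampleOpts);

// With the package installed (not run here):
// ting.sanitize(html, undefined, restrictedIframeOverride(['embed.example.com']));
```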