ting v2.5.1 • Published 5 years ago • License: MIT

ting


Opinionated HTML Sanitizer for Node.js. Built upon sanitize-html.

  • Keeps up with the latest HTML standards (newer tags such as <aside>, <progress> and <time> are allowed).
  • <iframe> is not allowed.
  • style attribute is not allowed.
  • id attribute is not allowed unless idFilter returns true (see Options).
  • Inline SVG is not allowed (use <img> with an external SVG source).
  • Customizable via sanitize-html options.
  • TypeScript friendly.

Installation

yarn add ting

Usage

const ting = require('ting');

ting.sanitize(
  html,             // the HTML string that needs to be sanitized
  options,          // [Optional] ting options (see Options below)
  overrideOptions,  // [Optional] a function that receives and returns the internal sanitize-html options
);

Example:

const ting = require('ting');

const dirty = `
<script>alert(1)</script>
<img src="x.jpg" onclick="alert(1)"/>
<img src="cool.jpg"/>
<figcaption>caption</figcaption>
`;

const safe = ting.sanitize(dirty);
console.log(safe);
/** Prints
  <img src="x.jpg" />
  <img src="cool.jpg" />
  <figcaption>caption</figcaption>
 */

Options

{
  // `id` attribute is not allowed unless `idFilter` returns true
  idFilter: (id: string) => boolean;
}
  • Example: allow only ids starting with "user-content-":
console.log(ting.sanitize(`
<a id="id-attack">bad</a>
<a id="user-content-link">fine</a>
<a>no id</a>`, {
  idFilter: (id) => {
    return id.startsWith('user-content-');
  },
}));
/** Prints
  <a>bad</a>
  <a id="user-content-link">fine</a>
  <a>no id</a>
 */
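Why the prefix matters, and what a stricter idFilter looks like, as an added example (this helper is not part of ting; the prefix, the reserved list and the length cap are this example's own choices). An id that untrusted markup gets to choose can shadow an element the host page looks up by id, hijack a fragment link, or, through DOM clobbering, replace a window or document property that a script reads; namespacing every user-supplied id under a fixed prefix is how GitHub neutralises this. The factory below also rejects ids that are not plain tokens and ids the host page explicitly reserves:

```javascript
// Added example (not part of ting): build an idFilter that only lets through
// namespaced, well-formed ids, so untrusted markup cannot claim ids the host
// page relies on (login forms, CSRF fields, script targets) or clobber
// window/document properties by name.
//
// Assumptions (not from the ting README): the prefix, the reserved list and
// the character/length limits below are choices made for this example.

const SAFE_ID = /^[A-Za-z][A-Za-z0-9_-]*$/; // plain token: letter first, no whitespace or punctuation

function makeIdFilter({ prefix, reservedIds = [], maxLength = 64 }) {
  const reserved = new Set(reservedIds.map((s) => s.toLowerCase()));
  return (id) => {
    if (typeof id !== 'string' || id.length > maxLength) return false;
    if (!id.startsWith(prefix)) return false;
    // The part after the prefix must be a plain token, so the id cannot smuggle
    // characters that a CSS selector or URL fragment would interpret.
    const rest = id.slice(prefix.length);
    if (rest.length === 0 || !SAFE_ID.test(rest)) return false;
    // Even a correctly prefixed id may be one the host page reserves for itself.
    if (reserved.has(id.toLowerCase())) return false;
    return true;
  };
}

const idFilter = makeIdFilter({
  prefix: 'user-content-',
  reservedIds: ['user-content-comment-form'],
});

// Constructed sample ids, as they might arrive in untrusted HTML, with the
// verdict each should get.
const SAMPLES = {
  'user-content-intro': true,         // namespaced and well formed
  'user-content-': false,             // prefix alone
  'login-form': false,                // tries to shadow a host-page element
  'csrf_token': false,                // would DOM-clobber a form field lookup
  'user-content-a b': false,          // whitespace breaks out of the id token
  'user-content-comment-form': false, // explicitly reserved by the host page
  'user-content-9lives': false,       // token must start with a letter
};

function checkSamples() {
  return Object.entries(SAMPLES).every(([id, expected]) => idFilter(id) === expected);
}

// With ting: ting.sanitize(untrustedHtml, { idFilter });
```

The filter is deliberately an allow-list: anything it does not recognise as a namespaced plain token is dropped, so a new clobbering trick does not need a new rule.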

Overriding sanitize-html Options

ting is built upon sanitize-html, so you can adjust the internal sanitize-html options through the third argument, or replace them entirely (at which point ting is no different from calling sanitize-html directly). For example, to allow <iframe> tags, extend allowedTags and allowedAttributes. Bear in mind that this reverses one of the guarantees in the feature list above: once <iframe> is allowed, any src the remaining options permit can be embedded, so restrict it to the hosts you actually intend to embed (sanitize-html's allowedIframeHostnames option) rather than accepting arbitrary URLs.

console.log(ting.sanitize('<iframe src="https://coldfunction.com"></iframe>',
  undefined,    // no ting options
  (opts) => {   // override the sanitize-html options
    opts.allowedTags.push('iframe');
    opts.allowedAttributes.iframe = ['src'];
    return opts;
  }));
// Prints: <iframe src="https://coldfunction.com"></iframe>
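If you do re-enable <iframe>, the override function is the place to pin it down. Below is an added example, not ting's code, of such a function: it keeps the src attribute only, limits src to https:, disables relative URLs (which would resolve against your own origin) and names the hosts that may be embedded. allowedIframeHostnames, allowedSchemesByTag and allowIframeRelativeUrls are real sanitize-html options; the allowIframesFrom helper, its argument check and the stand-in options object are this example's own.

```javascript
// Added example (not ting's code): a third-argument override for
// ting.sanitize that re-enables <iframe> behind an explicit host allow-list.
// allowedIframeHostnames, allowedSchemesByTag and allowIframeRelativeUrls are
// sanitize-html options; allowIframesFrom and BASE_OPTS are this example's own.

function allowIframesFrom(hostnames) {
  if (!Array.isArray(hostnames) || hostnames.length === 0) {
    throw new Error('refusing to allow <iframe> without an explicit hostname allow-list');
  }
  return (opts) => {
    // Return a modified copy so the result does not depend on whether ting
    // reuses the options object it hands in.
    const out = {
      ...opts,
      allowedTags: [...opts.allowedTags],
      allowedAttributes: { ...opts.allowedAttributes },
      allowedSchemesByTag: { ...(opts.allowedSchemesByTag || {}) },
    };
    if (!out.allowedTags.includes('iframe')) out.allowedTags.push('iframe');
    out.allowedAttributes.iframe = ['src'];      // src only: no srcdoc, no allow/allowfullscreen
    out.allowedSchemesByTag.iframe = ['https'];  // rules out http:, javascript:, data:
    out.allowIframeRelativeUrls = false;         // a relative src would frame our own origin
    out.allowedIframeHostnames = [...hostnames]; // exact hostnames sanitize-html will accept in src
    return out;
  };
}

// Constructed stand-in for the sanitize-html options ting passes to the
// override (a subset of the real defaults, enough to exercise the helper).
const BASE_OPTS = {
  allowedTags: ['a', 'img', 'p', 'figcaption'],
  allowedAttributes: { a: ['href'], img: ['src', 'alt'] },
  allowedSchemes: ['http', 'https'],
};

const embedOnlyFrom = allowIframesFrom(['www.youtube.com', 'player.vimeo.com']);

function hardenedOptions() {
  return embedOnlyFrom(BASE_OPTS);
}

// With ting: ting.sanitize(untrustedHtml, undefined, embedOnlyFrom);
```

The guard at the top is the point: an override that allows <iframe> without an allow-list is a configuration error, so it fails loudly at startup instead of quietly accepting every origin.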

Versions

2.5.1, 2.5.0, 2.4.4 (5 years ago); 2.4.3, 2.4.2, 2.4.1, 2.4.0, 2.3.0 (6 years ago); 2.2.0, 2.1.0, 2.0.0, 1.1.0, 1.0.1 (7 years ago); 0.0.3, 0.0.2, 0.0.1 (9 years ago)