loopback-ds-clean-html-field-mixin
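This module is designed for the Strongloop Loopback framework. It provides a mixin that cleans HTML stored in model properties by removing unsafe attributes, invalid classes or other unwanted markup (i.e. it works as a sanitizer). DOM manipulation is done with cheerio https://github.com/cheeriojs/cheerio Judging by the rule format documented below, the mixin strips or rewrites only the attributes, classes and selectors that your rules list. If a field can hold untrusted HTML, make sure the rules also cover script-bearing markup (script elements, on* event-handler attributes, javascript: URLs), or run a dedicated allowlist-based sanitizer as well.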
INSTALL
npm install --save loopback-ds-clean-html-field-mixin
MIXINSOURCES
Since loopback-boot@v2.8.0, mixinSources make it possible to load this mixin without the changes to the server.js
file that were previously required.
Add the mixins
property to your server/model-config.json
like the following:
{
"_meta": {
"sources": [
"loopback/common/models",
"loopback/server/models",
"../common/models",
"./models"
],
"mixins": [
"loopback/common/mixins",
"../node_modules/loopback-ds-clean-html-field-mixin",
"../common/mixins"
]
}
}
SERVER.JS
In your server/server.js
file add the following line before the
boot(app, __dirname);
line.
...
var app = module.exports = loopback();
...
// Register the CleanHtmlField mixin on the app; this has to run before boot()
require('loopback-ds-clean-html-field-mixin')(app);
boot(app, __dirname, function(bootErr) {
  'use strict';
  // Abort startup if booting the application failed
  if (bootErr) {
    throw bootErr;
  }
  // Listen only when this file is executed directly (`$ node server.js`)
  if (require.main !== module) {
    return;
  }
  app.start();
});
CONFIG
To use with your Models add the mixins
attribute to the definition object of
your model config.
{
"name": "MyModel",
"properties": {
"name": {
"type": "string"
},
"someField": {
"type": "string"
},
"someJsonField": {
"type": "object"
}
},
"mixins": {
"CleanHtmlField": {
"fields": ["name", "someField", "someJsonField"],
"options": {
"*": {
"removeAttr": ["style"],
"removeClass": ["btn-danger"]
},
"a": {
"replaceAttr": {
"rel": ""
}
}
}
}
}
}
Sanitizing rules have the following format:
{
"<selector>":{
"removeAttr": ["<attr1>", "<attr2>", ... "<attrN>"],
"removeClass": ["<class1>", "<class2>", ... "<classN>"],
"replaceAttr": {
"<attr1>": "<newValueOfAttr1>",
"<attr2>": "<newValueOfAttr2>",
"<attrN>": "<newValueOfAttrN>"
}
},
"<selector>": "remove" // here you can remove all elements by selector
}
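Example (when a rule forces target to "_blank" on links, also put noopener in rel, e.g. "nofollow noopener", so that older browsers do not expose window.opener to the linked page):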
"CleanHtmlField":{
"options":{
"a":{
"replaceAttr":{
"target": "_blank",
"rel": "nofollow"
},
"removeAttr": ["style"]
},
"img":{
"removeAttr": ["style", "class"]
},
".btn-danger": "remove"
}
}
MORE OPTIONS
Fields can be marked not only in the mixins.CleanHtmlField.fields
array but also
in the properties object, through a _CleanHtmlField
key on the property.
In this example the name
field is marked for the CleanHtmlField mixin, and
someField
is marked with custom CleanHtmlField rules.
{
"name": "MyModel",
"properties": {
"name": {
"type": "string",
"_CleanHtmlField": true
},
"someField": {
"type": "string",
"_CleanHtmlField": {
"p": {
"removeAttr": ["align", "style"]
}
}
},
"someJsonField": {
"type": "object"
}
},
"mixins": {
"CleanHtmlField": {
"fields": ["someJsonField"],
"options": {
"*": {
"removeAttr": ["style"],
"removeClass": ["btn-danger"]
},
"a": {
"replaceAttr": {
"rel": ""
}
}
}
}
}
}
TESTING
Run the tests from test
folder
npm test