
rehype-sanitize

2.0.0 • Public • Published


Sanitise HTML with rehype.

Installation

npm:

npm install rehype-sanitize

Usage

Say we have the following file, index.html:

<div onmouseover="alert('alpha')">
  <a href="jAva script:alert('bravo')">delta</a>
  <img src="x" onerror="alert('charlie')">
  <iframe src="javascript:alert('delta')"></iframe>
  <math>
    <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
  </math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>

And our script, example.js, looks as follows:

var vfile = require('to-vfile');
var rehype = require('rehype');
var merge = require('deepmerge');
// The GitHub schema shipped with hast-util-sanitize: an allow-list of tags,
// attributes and URL protocols that GitHub applies to user-supplied HTML.
var gh = require('hast-util-sanitize/lib/github');
var sanitize = require('rehype-sanitize');

var doc = vfile.readSync('index.html');

// Extend the GitHub allow-list so the <math> and <mi> elements survive;
// everything not listed in the schema is still removed.
var schema = merge(gh, {tagNames: ['math', 'mi']});

rehype()
  .data('settings', {fragment: true})
  .use(sanitize, schema)
  .process(doc, function (err, file) {
    if (err) throw err;
    console.log(String(file));
  });

Now, running node example yields:

<div>
  <a>delta</a>
  <img src="x">
 
  <math>
    <mi></mi>
  </math>
</div>

API

rehype().use(sanitize[, schema])

Remove potentially dangerous things from HTML.

schema

The sanitization schema defines whether and how nodes and properties are cleaned. The schema is documented in hast-util-sanitize.
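The cleaning shown in the usage example and the schema fields that drive it, as an added illustration in JavaScript that is not rehype-sanitize's or hast-util-sanitize's own code: a small allow-list sanitizer over a hast-like tree. The `schema`, `checkProtocol`, `sanitizeNode` and `toHtml` names, the constructed subset of the GitHub schema and the hand-built input tree are all assumptions of this example; the real library works on hast property names (for instance `xLinkHref`) and has more rules, but the three decisions modelled here (unknown tags are unwrapped unless listed in `strip`, unknown attributes are dropped, and URL attributes must carry an allowed scheme) are what turn the page's index.html into its shown output.

```javascript
// Added illustration, not rehype-sanitize's or hast-util-sanitize's own code:
// a minimal allow-list sanitizer over a hast-like tree modelling the schema
// fields tagNames, attributes, protocols and strip. The allow-list below is a
// constructed subset of the GitHub schema, extended with math/mi as on the page.
const schema = {
  tagNames: ['div', 'a', 'img', 'math', 'mi'],
  attributes: {a: ['href'], img: ['src'], '*': ['title']},
  protocols: {href: ['http', 'https', 'mailto'], src: ['http', 'https']},
  strip: ['script'] // disallowed elements whose content is removed, not unwrapped
};

// Keep a URL value only when it is relative or its scheme is on the allow-list.
function checkProtocol(value, allowed) {
  const v = String(value);
  const colon = v.indexOf(':');
  if (colon < 0) return v; // no scheme at all, e.g. "x" or "/path"
  for (const c of ['/', '?', '#']) {
    const i = v.indexOf(c);
    if (i > -1 && i < colon) return v; // colon sits in the path/query, not a scheme
  }
  // "jAva script" (with the space) and "javascript" are both absent from the list
  return allowed.includes(v.slice(0, colon).toLowerCase()) ? v : null;
}

// Drop every attribute not allowed for this tag; URL-valued ones also pass checkProtocol.
function sanitizeProperties(tagName, properties) {
  const allowed = new Set([...(schema.attributes['*'] || []), ...(schema.attributes[tagName] || [])]);
  const out = {};
  for (const [name, value] of Object.entries(properties || {})) {
    if (!allowed.has(name)) continue; // onmouseover, onerror, xlink:href are dropped here
    const kept = schema.protocols[name] ? checkProtocol(value, schema.protocols[name]) : value;
    if (kept !== null) out[name] = kept;
  }
  return out;
}

function sanitizeChildren(children) {
  const out = [];
  for (const child of children || []) {
    const result = sanitizeNode(child);
    if (Array.isArray(result)) out.push(...result);
    else if (result) out.push(result);
  }
  return out;
}

// Returns a node, an array of nodes (a disallowed element unwrapped to its children) or null.
function sanitizeNode(node) {
  if (node.type === 'text') return node;
  if (node.type === 'root') return {type: 'root', children: sanitizeChildren(node.children)};
  if (node.type !== 'element') return null;
  if (!schema.tagNames.includes(node.tagName)) {
    return schema.strip.includes(node.tagName) ? null : sanitizeChildren(node.children);
  }
  return {
    type: 'element',
    tagName: node.tagName,
    properties: sanitizeProperties(node.tagName, node.properties),
    children: sanitizeChildren(node.children)
  };
}

const VOID = new Set(['img', 'br', 'hr']);

function toHtml(node) {
  if (node.type === 'text') return node.value;
  if (node.type === 'root') return node.children.map(toHtml).join('');
  const attrs = Object.entries(node.properties).map(([k, v]) => ` ${k}="${v}"`).join('');
  if (VOID.has(node.tagName)) return `<${node.tagName}${attrs}>`;
  return `<${node.tagName}${attrs}>${node.children.map(toHtml).join('')}</${node.tagName}>`;
}

const el = (tagName, properties, children = []) => ({type: 'element', tagName, properties, children});
const text = (value) => ({type: 'text', value});

// Constructed hast-like tree for the page's index.html (inter-element whitespace omitted).
const input = {
  type: 'root',
  children: [
    el('div', {onmouseover: "alert('alpha')"}, [
      el('a', {href: "jAva script:alert('bravo')"}, [text('delta')]),
      el('img', {src: 'x', onerror: "alert('charlie')"}),
      el('iframe', {src: "javascript:alert('delta')"}),
      el('math', {}, [el('mi', {'xlink:href': "data:x,<script>alert('echo')</script>"})])
    ]),
    el('script', {}, [text("require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);")])
  ]
};

function sanitizeDocument() {
  return toHtml(sanitizeNode(input));
}

console.log(sanitizeDocument());
// <div><a>delta</a><img src="x"><math><mi></mi></math></div>
```

Two details worth noticing against the page's output: the `<iframe>` disappears because it is unwrapped and has no children, whereas the `<script>` disappears because it is in `strip`, so its text payload is not let through as plain text; and the `href` on the anchor is removed entirely rather than neutralised, because the protocol check rejects the whole value.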

License

MIT © Titus Wormer