
    rehype-sanitize

    2.0.1 • Public • Published


    Sanitise HTML with rehype.

    Installation

    npm:

    npm install rehype-sanitize

    Usage

    Say we have the following file, index.html:

    <div onmouseover="alert('alpha')">
      <a href="jAva script:alert('bravo')">delta</a>
      <img src="x" onerror="alert('charlie')">
      <iframe src="javascript:alert('delta')"></iframe>
      <math>
        <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
      </math>
    </div>
    <script>
    require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
    </script> 

    And our script, example.js, looks as follows:

    var fs = require('fs');
    var rehype = require('rehype');
    var merge = require('deepmerge');
    var gh = require('hast-util-sanitize/lib/github');
    var sanitize = require('rehype-sanitize');
     
    // Start from the GitHub allowlist and extend it with the MathML tags we want
    // to keep. deepmerge concatenates arrays, so `tagNames` is extended, not replaced.
    var schema = merge(gh, {tagNames: ['math', 'mi']});
     
    rehype()
      .data('settings', {fragment: true}) // parse as a fragment, not a full document
      .use(sanitize, schema)
      .process(fs.readFileSync('index.html'), function (err, file) {
        if (err) throw err;
        console.log(String(file));
      });

    Now, running node example yields:

    <div>
      <a>delta</a>
      <img src="x">
     
      <math>
        <mi></mi>
      </math>
    </div>

    API

    rehype().use(sanitize[, schema])

    Remove potentially dangerous things from HTML.

    schema

    The sanitation schema defines whether and how nodes and properties are cleaned: only the tag names, properties and URL protocols it lists survive. The schema format is documented in hast-util-sanitize.
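    To show what an allowlist schema does to the index.html above, here is an added illustration (not the code of rehype-sanitize or hast-util-sanitize): a reduced schema in the shape hast-util-sanitize documents, applied by a simplified walker to a hand-built hast tree of the README's input. The names `el`, `text`, `safeProtocol`, `sanitize`, `esc` and `toHtml` are hypothetical, and the schema is assumed to be a small subset of the GitHub one.

```javascript
// Constructed hast tree for the README's index.html (hast property names, e.g. onmouseover -> onMouseOver).
const el = (tagName, properties, children = []) => ({ type: 'element', tagName, properties, children });
const text = (value) => ({ type: 'text', value });
const tree = { type: 'root', children: [
  el('div', { onMouseOver: "alert('alpha')" }, [
    el('a', { href: "jAva script:alert('bravo')" }, [text('delta')]),
    el('img', { src: 'x', onError: "alert('charlie')" }),
    el('iframe', { src: "javascript:alert('delta')" }),
    el('math', {}, [el('mi', { xLinkHref: "data:x,<script>alert('echo')</script>" })]),
  ]),
  el('script', {}, [text("require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);")]),
] };
// Allowlist schema in hast-util-sanitize's shape (assumption: a reduced subset of the GitHub schema plus math/mi).
const schema = {
  tagNames: ['div', 'a', 'img', 'math', 'mi'],
  attributes: { a: ['href'], img: ['src'], '*': ['className', 'id'] },
  protocols: { href: ['http', 'https', 'mailto'], src: ['http', 'https'] },
  strip: ['script'],
};
// A value carries a protocol only if ':' comes before any '/', '?' or '#'; relative URLs are accepted.
function safeProtocol(value, allowed) {
  const m = /^([^:\/?#]+):/.exec(String(value));
  return !m || allowed.includes(m[1].toLowerCase());
}
// Returns the nodes that replace `node`: [] when stripped, its children when unwrapped, itself when allowed.
function sanitize(node, schema) {
  if (node.type === 'text') return [node];
  if (node.type === 'root') return [{ type: 'root', children: node.children.flatMap((c) => sanitize(c, schema)) }];
  if (node.type !== 'element' || schema.strip.includes(node.tagName)) return []; // comments and <script>: gone
  const children = node.children.flatMap((c) => sanitize(c, schema));
  if (!schema.tagNames.includes(node.tagName)) return children; // <iframe>: unwrapped, so it vanishes
  const allowed = [...(schema.attributes[node.tagName] || []), ...schema.attributes['*']];
  const properties = {};
  for (const [name, value] of Object.entries(node.properties)) {
    if (!allowed.includes(name)) continue; // onMouseOver, onError, xLinkHref: not on the allowlist
    if (schema.protocols[name] && !safeProtocol(value, schema.protocols[name])) continue; // "jAva script:" href
    properties[name] = value;
  }
  return [el(node.tagName, properties, children)];
}
// Display-only serializer (escapes attribute values and text; not a full HTML serializer).
const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
function toHtml(node) {
  if (node.type === 'text') return esc(node.value);
  if (node.type === 'root') return node.children.map(toHtml).join('');
  const attrs = Object.entries(node.properties).map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
  return `<${node.tagName}${attrs}>${node.children.map(toHtml).join('')}</${node.tagName}>`;
}
console.log(toHtml(sanitize(tree, schema)[0])); // <div><a>delta</a><img src="x"></img><math><mi></mi></math></div>
```

    The event-handler properties, the javascript: and data: URLs, the iframe and the script all disappear for the same reason: nothing that is not explicitly listed in the schema survives.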

    Related

    License

    MIT © Titus Wormer