Sanitize a string for use as a filename


Sanitize a string to be safe for use as a filename by removing directory paths and invalid characters.

var sanitize = require("sanitize-filename");
// Some string that may be unsafe or invalid as a filename 
var UNSAFE_USER_INPUT = "~/.\u0000ssh/authorized_keys";
// Sanitize the string to be safe for use as a filename. 
var filename = sanitize(UNSAFE_USER_INPUT);
// -> "~.sshauthorized_keys" 

sanitize-filename works by searching the input string for the following and removes them.

  • Control characters (0x00-0x1f and 0x80-0x9f)
  • Reserved characters (/ ? < > \ : * | ")
  • Unix reserved filenames (. and ..)
  • Windows reserved filenames (CON PRN AUX NUL COM1 COM2 COM3 COM4 COM5 COM6 COM7 COM8 COM9 LPT1 LPT2 LPT3 LPT4 LPT5 LPT6 LPT7 LPT8 and LPT9)

The return value is capped at 255 characters in length.

This guarantees that the resulting string does not contain directory paths (no / or \ characters) and is a valid filename.

The return value will be safe for use as a filename on modern Windows, OSX, and Unix file systems (NTFS, ext, etc.).

FAT 8.3 filenames are not supported.

The test program will attempt to use various strings (including the Big List of Naughty Strings) to create files in the working directory. Run npm test to run tests against your file system.

Note that two unique inputs can result in the same return value. For example:

var sanitize = require("sanitize-filename");
// -> "file" 
sanitize ("file*")
// -> "file" 

Note that the return value can be an empty string. For example:

var sanitize = require("sanitize-filename");
// -> "" 

Sanitize the input string filename by removing or replacing invalid characters. options.replacement can be a string to replace characters with.

npm install sanitize-filename