strip-js
NPM Module which strips out all JavaScript code from some HTML text
This module performs the following tasks:
- Sanitizes HTML
- Removes script tags
- Removes attributes such as "onclick", "onerror", etc. which contain JavaScript code
- Removes "href" attributes which contain JavaScript code
- Removes "action" attributes from form tags
An example use case of this module is to sanitize HTML emails before displaying them in a browser to prevent cross-site scripting attacks.
Installation
npm install strip-js
This module can also be used from the command line. Install it globally using the following command:
sudo npm install -g strip-js
Usage
The following input HTML ...
Dangerous Link Safe Link This is some text in a p tag, but the p tag is not closed!
... is converted to the following:
Dangerous Link Safe Link This is some text in a p tag, but the p tag is not closed!
Using this module is easy!
var stripJs = require('strip-js');
var fs = require('fs');
var html = fs.readFileSync('input.html', 'utf8'); // the untrusted HTML to sanitize
var safeHtml = stripJs(html); // It returns plain HTML text
If you need to preserve doctypes, pass the preserveDoctypes option:
var safeHtml = stripJs(html, { preserveDoctypes: true });
preserveDoctypes defaults to false.
For command line usage, install it globally. It reads the input HTML from its stdin and outputs the result to stdout.
strip-js < input.html
Warnings
Some old browsers have XSS vulnerabilities in CSS, as mentioned in the browser security handbook:
The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.
This module does not remove any JavaScript from CSS, so it is recommended that you enforce one of the following browsers in your web app:
- Edge
- IE11
- FF3
- Safari
- Chrome
- Android
All these browsers are safe in that they don't allow JavaScript execution in CSS. Please feel free to add more browsers to this list after testing them, and send a pull request.
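The following is an added example, not part of strip-js. It is a regex-based post-sanitization check that looks for leftovers of the categories listed at the top of this README (script tags, on* handlers, javascript: URLs, form action attributes) and for the CSS vectors quoted in the Warnings section that this module does not remove. The sample strings, the check names and the function findResidualRisks are constructed for this example; it is a test oracle for a CI suite, not a sanitizer.

```javascript
// Residual-risk scanner for HTML that has already been through strip-js.
// Regex-based on purpose: cheap to run over sanitizer output in tests,
// but it only recognises the plain spellings, so it is not a sanitizer.
const CHECKS = [
  // Categories strip-js documents as removed.
  { name: 'script-tag',         re: /<\s*script\b/i },
  { name: 'event-handler',      re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url',     re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'form-action',        re: /<\s*form\b[^>]*\saction\s*=/i },
  // CSS vectors from the Warnings section, which strip-js leaves untouched.
  { name: 'css-expression',     re: /expression\s*\(/i },
  { name: 'css-javascript-url', re: /url\s*\(\s*["']?\s*javascript:/i },
  { name: 'css-moz-binding',    re: /-moz-binding\s*:/i },
];

// Returns the names of every check that still fires on the given HTML.
// An empty array means none of the known leftovers were found.
function findResidualRisks(html) {
  return CHECKS.filter(c => c.re.test(html)).map(c => c.name);
}

// Constructed samples (not output of strip-js): what clean output looks like,
// and a style attribute carrying the expression() vector the module ignores.
const CLEAN = '<p>Safe Link <a href="https://example.com">here</a></p>';
const CSS_LEFTOVER = '<div style="width: expression(1)">x</div>';

console.log(findResidualRisks(CLEAN));        // []
console.log(findResidualRisks(CSS_LEFTOVER)); // [ 'css-expression' ]
```

Run it over the module's output in your own tests; any non-empty result for the CSS checks is the case the Warnings section describes and needs handling outside this module.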