Repository snapshot at commit 0eaa36b39c by Vitaliy Filippov. Files:

- .babelrc
- .eslintrc.js
- README.md
- htmLawed.js
- htmLawed.src.js
- htmLawed_TESTCASE.txt
- htmLawed_TESTCASE_out.htm
- package.json
- rsnake_xss.txt
- test.js
# htmLawed

This is a JS rewrite of the safe HTML sanitizer "htmLawed": http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/

It is safe against almost all known XSS vectors; see the test cases in htmLawed_TESTCASE.txt and rsnake_xss.txt.

Code is awful, but it works :D

The port corresponds to htmLawed version 1.2.4.1.
## Install

```sh
npm install htmlawed
```
## Basic usage

```js
const htmlawed = require('htmlawed');

// Replace '<html code>' with the untrusted HTML string to clean.
// { safe: 1 } enables the XSS-oriented restrictions (see "Config options").
const safe = htmlawed.sanitize('<html code>', { safe: 1 });
```
## Config options

The same config as in the original PHP version is supported. See the documentation here:
http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2

The most interesting options are:
`safe`
: sanitize against most XSS vectors

`elements`
: space-delimited list of allowed HTML elements, optionally prefixed with '+' or '-'. For example, `* +style` means "allow all standard elements and the `<style>` element".

`keep_bad`
: what to do with bad tags (6 is the default):
  - 0 = remove them
  - 1 = escape tags and element content (replace `<` `>` with `&lt;` `&gt;`)
  - 2 = remove tags, escape element content
  - 3, 4 = like 1, 2 but remove if text (#PCDATA) is invalid in the parent element
  - 5, 6 = like 3, 4 but leave space characters in place

`parent`
: supposed parent element that will be wrapped around the content

`tidy`
: -1 = compact/uglify HTML, 0 = no change (default), 1 = tidy/beautify HTML

`abs_url`
: -1 = make relative, 0 = no change (default), 1 = make absolute

`base_url`
: base URL for `abs_url` to work if it is not 0
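To make the `elements` spec string and the first three `keep_bad` modes concrete, here is a small stand-alone model added to this README. It is not htmLawed's own code and does not call the `htmlawed` package: it assumes a constructed, abbreviated standard-element list (`STANDARD_ELEMENTS`), handles only flat, non-nested tags, and models `keep_bad` values 0, 1 and 2 (modes 3 to 6 depend on the parent's #PCDATA rules and are left out). The names `parseElementsSpec`, `handleBadElement` and `sanitizeDemo` are illustrative, not library API.

```javascript
// Added illustration (not htmLawed's code): a minimal model of the `elements`
// spec string and of `keep_bad` modes 0, 1 and 2 on flat, non-nested HTML.

// Constructed, abbreviated stand-in for htmLawed's standard element list.
const STANDARD_ELEMENTS = new Set(['a', 'b', 'p', 'div', 'span', 'img', 'i', 'em', 'strong']);

// Interpret an `elements` spec such as "* +style -img" or "a b i":
//   "*"      start from every standard element
//   "+name"  add an element, "-name" remove one
//   "name"   (no prefix) explicit allowlist entry
// Returns a Set of allowed lower-case tag names.
function parseElementsSpec(spec) {
  const allowed = new Set();
  for (const tok of spec.trim().split(/[\s,]+/)) {
    if (tok === '') continue;
    if (tok === '*') { STANDARD_ELEMENTS.forEach(e => allowed.add(e)); continue; }
    if (tok[0] === '+') { allowed.add(tok.slice(1).toLowerCase()); continue; }
    if (tok[0] === '-') { allowed.delete(tok.slice(1).toLowerCase()); continue; }
    allowed.add(tok.toLowerCase());
  }
  return allowed;
}

// Entity-escape the three characters that can re-open markup.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Apply a keep_bad mode to one disallowed element:
//   0 = drop tags and content, 1 = escape tags and content, 2 = drop tags, escape content.
function handleBadElement(mode, tagName, attrs, inner) {
  const open = `<${tagName}${attrs}>`;
  const close = `</${tagName}>`;
  switch (mode) {
    case 0: return '';
    case 1: return escapeHtml(open + inner + close);
    case 2: return escapeHtml(inner);
    default: throw new Error('keep_bad ' + mode + ' not modelled (depends on parent #PCDATA rules)');
  }
}

// Walk simple `<tag ...>...</tag>` pairs (no nesting) and apply both options.
// config.keep_bad must be 0, 1 or 2 in this model; htmLawed itself defaults to 6.
function sanitizeDemo(html, config) {
  const allowed = parseElementsSpec(config.elements || '*');
  return html.replace(/<([a-zA-Z][\w-]*)([^>]*)>([\s\S]*?)<\/\1\s*>/g, (m, tag, attrs, inner) => {
    const name = tag.toLowerCase();
    if (allowed.has(name)) return `<${name}${attrs}>${inner}</${name}>`;
    return handleBadElement(config.keep_bad, name, attrs, inner);
  });
}

// Constructed sample input: one element outside the allowlist, one inside it.
const SAMPLE = 'hi <script>alert(1)</script> <b>bold</b>';

// Run all three modelled modes over the sample and return the outputs keyed by mode.
function demoAllModes() {
  const out = {};
  for (const keep_bad of [0, 1, 2]) {
    out[keep_bad] = sanitizeDemo(SAMPLE, { elements: '*', keep_bad });
  }
  return out;
}

console.log(demoAllModes());
```

Mode 0 silently drops the whole `<script>` element, mode 1 turns it into visible, inert text including the tags, and mode 2 keeps only its escaped text content; the allowed `<b>` passes through unchanged in every mode.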
## License

LGPL, because it is a rewrite of the original LGPL-licensed library.
Copyright (c) 2016+ Vitaliy Filippov (vitalif ~ mail.ru)