htmlawed/README.md

# htmLawed

This is a JS rewrite of a safe HTML sanitizer "htmLawed", http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/

It is safe against almost all possible XSS vectors; see test cases in htmLawed_TESTCASE.txt and rsnake_xss.txt.

Code is awful, but it works :D

Version corresponds to 1.2.4.1

## Install

`npm install htmlawed`

## Basic usage

```js
const htmlawed = require('htmlawed');
var safe = htmlawed.sanitize('<html code>', { safe: 1 });
```

## Config options

The same config as in the original PHP version is supported. See documentation here:

http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2

The most interesting options are:
* `safe`: sanitize against most XSS
* `elements`: space-delimited allowed HTML elements with '+' or '-' in front.
  for example, `* +style` means "allow all standard elements and &lt;style&gt; element".
* `keep_bad`: what to do with bad tags (6 is the default)
 * 0 = remove them
 * 1 = escape tags and element content (replace < > to &amp;lt; &amp;gt;)
 * 2 = remove tags, escape element content
 * 3, 4 = like 1, 2 but remove if text (#PCDATA) is invalid in parent element
 * 5, 6 = like 3, 4 but leave space characters in place
* `parent`: supposed parent element that will be wrapped around content
* `tidy: -1 = compact/uglify HTML, 0 = no change (default), 1 = tify/beautify HTML
* `abs_url`: -1 = make relative, 0 = no change (default), 1 = make absolute
* `base_url`: base URL for `abs_url` to work if not 0

# License

LGPL, because it's a rewrite of the original LGPL-licensed library.

Copyright (c) 2016+ Vitaliy Filippov (vitalif ~ mail.ru)
add readme 2016-08-27 14:54:38 +03:00			`# htmLawed`

Sync with htmLawed 1.2.4.1 2019-05-14 18:00:55 +03:00			`This is a JS rewrite of a safe HTML sanitizer "htmLawed", http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/`
add readme 2016-08-27 14:54:38 +03:00
			`It is safe against almost all possible XSS vectors; see test cases in htmLawed_TESTCASE.txt and rsnake_xss.txt.`

Sync with htmLawed 1.2.4.1 2019-05-14 18:00:55 +03:00			`Code is awful, but it works :D`

			`Version corresponds to 1.2.4.1`

add readme 2016-08-27 14:54:38 +03:00			`## Install`

			`npm install htmlawed`

			`## Basic usage`

			```js
			`const htmlawed = require('htmlawed');`
			`var safe = htmlawed.sanitize('<html code>', { safe: 1 });`
			```

			`## Config options`

			`The same config as in the original PHP version is supported. See documentation here:`

			`http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2`

			`The most interesting options are:`
			* `safe`: sanitize against most XSS
			* `elements`: space-delimited allowed HTML elements with '+' or '-' in front.
fix readme 2016-08-27 14:58:43 +03:00			for example, `* +style` means "allow all standard elements and <style> element".
add readme 2016-08-27 14:54:38 +03:00			* `keep_bad`: what to do with bad tags (6 is the default)
fix readme 2016-08-27 14:58:43 +03:00			`* 0 = remove them`
			`* 1 = escape tags and element content (replace < > to &lt; &gt;)`
			`* 2 = remove tags, escape element content`
			`* 3, 4 = like 1, 2 but remove if text (#PCDATA) is invalid in parent element`
			`* 5, 6 = like 3, 4 but leave space characters in place`
add readme 2016-08-27 14:54:38 +03:00			* `parent`: supposed parent element that will be wrapped around content
			* `tidy: -1 = compact/uglify HTML, 0 = no change (default), 1 = tify/beautify HTML
			* `abs_url`: -1 = make relative, 0 = no change (default), 1 = make absolute
			* `base_url`: base URL for `abs_url` to work if not 0

			`# License`

			`LGPL, because it's a rewrite of the original LGPL-licensed library.`

			`Copyright (c) 2016+ Vitaliy Filippov (vitalif ~ mail.ru)`