# htmLawed
This is a JavaScript rewrite of the safe HTML sanitizer htmLawed: http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
It is safe against almost all possible XSS vectors; see test cases in htmLawed_TESTCASE.txt and rsnake_xss.txt.
Code is awful, but it works :D
This version corresponds to htmLawed 1.2.4.1.
## Install
`npm install htmlawed`
## Basic usage
```js
const htmlawed = require('htmlawed');

// Sanitize untrusted HTML; `safe: 1` turns on protection against most XSS vectors.
const safe = htmlawed.sanitize('<html code>', { safe: 1 });
```
## Config options
The same config as in the original PHP version is supported. See the documentation here:

http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2
The most interesting options are:
* `safe`: sanitize against most XSS
* `elements`: space-delimited allowed HTML elements with '+' or '-' in front; for example, `* +style` means "allow all standard elements and the `<style>` element".
* `keep_bad`: what to do with bad tags (6 is the default)
  * 0 = remove them
  * 1 = escape tags and element content (replace < > with &lt; &gt;)
  * 2 = remove tags, escape element content
  * 3, 4 = like 1, 2 but remove if text (#PCDATA) is invalid in the parent element
  * 5, 6 = like 3, 4 but leave space characters in place
* `parent`: supposed parent element that will be wrapped around content
* `tidy`: -1 = compact/uglify HTML, 0 = no change (default), 1 = tidy/beautify HTML
* `abs_url`: -1 = make relative, 0 = no change (default), 1 = make absolute
* `base_url`: base URL for `abs_url` to work if not 0
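The following is an added illustrative model of what the `elements` spec and the `keep_bad` values 0, 1 and 2 mean; it is not htmlawed's code and not a substitute for it (it tokenizes with a naive tag regex, ignores attributes entirely, and runs on constructed input). The standard element list and the void-element set are assumed stand-ins for htmLawed's own.

```javascript
// Illustrative model of the `elements` spec and the `keep_bad` values 0/1/2.
// Not htmlawed's code: naive tag regex, attributes ignored, constructed input only.
// Use htmlawed.sanitize() for real HTML.

// Assumed stand-ins for htmLawed's standard element list and its void elements.
const STANDARD_ELEMENTS = ['a', 'b', 'br', 'div', 'em', 'i', 'img', 'li', 'p', 'span', 'strong', 'ul'];
const VOID_ELEMENTS = new Set(['br', 'hr', 'img', 'input']);

// Resolve a spec such as "* +style", "* -a" or "b i em" into the set of allowed tag names.
function resolveElements(spec) {
  const allowed = new Set();
  for (const tok of spec.trim().split(/\s+/).filter(Boolean)) {
    if (tok === '*') STANDARD_ELEMENTS.forEach((t) => allowed.add(t));
    else if (tok[0] === '+') allowed.add(tok.slice(1).toLowerCase());
    else if (tok[0] === '-') allowed.delete(tok.slice(1).toLowerCase());
    else allowed.add(tok.toLowerCase());
  }
  return allowed;
}

const escapeAngles = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Apply keep_bad to every tag whose name is not in `allowed`:
//   0 = drop the tag and everything up to its matching close tag
//   1 = keep the tag but escape it, so the browser shows it as text
//   2 = drop the tag, keep its content as text
// Text between tags passes through unchanged unless it sits inside a dropped element.
function applyKeepBad(html, allowed, keepBad) {
  const out = [];
  const dropping = []; // open disallowed elements whose content is being removed (keep_bad 0)
  for (const tok of html.split(/(<\/?[a-z][a-z0-9]*\b[^>]*>)/i)) {
    const m = /^<(\/?)([a-z][a-z0-9]*)\b[^>]*?(\/?)>$/i.exec(tok);
    if (!m) { if (dropping.length === 0) out.push(tok); continue; } // text node
    const [, closing, rawName, selfClosing] = m;
    const name = rawName.toLowerCase();
    if (allowed.has(name)) { if (dropping.length === 0) out.push(tok); continue; }
    if (keepBad === 1) out.push(escapeAngles(tok));
    else if (keepBad === 0) {
      if (closing) { if (dropping[dropping.length - 1] === name) dropping.pop(); }
      else if (!selfClosing && !VOID_ELEMENTS.has(name)) dropping.push(name);
    } // keepBad === 2: tag dropped, content kept
  }
  return out.join('');
}

// Constructed input: a disallowed <script> nested inside an allowed <b>.
const SAMPLE = '<b>x<script>alert(1)</script>y</b>';
for (const kb of [0, 1, 2]) console.log(kb, applyKeepBad(SAMPLE, resolveElements('*'), kb));
```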
# License
LGPL, because it's a rewrite of the original LGPL-licensed library.
Copyright (c) 2016+ Vitaliy Filippov (vitalif ~ mail.ru)