Skip to content

keepitterron/filthy-clean

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits

src

src

 
 

.editorconfig

.editorconfig

 
 

.gitignore

.gitignore

 
 

.nvmrc

.nvmrc

 
 

README.md

README.md

 
 

package.json

package.json

 
 

yarn.lock

yarn.lock

 
 

Repository files navigation

Filthy

A lightweight, customizable library to sanitize user provided HTML.

The problem

Injecting user provided HTML leaves your app vulnerable to XSS: a malicious user can run arbitrary javascript in your page.

The approach

Instead of running complicated regexps on the html string itself, why not letting the browser handling the parsing instead? document.implementation.createHTMLDocument() allows us to manipulate a DOM element without running any scripts or preloading any resource.

Usage

	const filthy = require('filthy-clean');
	const cleanHtml = filthy(userProvidedHtmlString, options);

Options

  • options.allowedNodes - An array of nodes to keep (eg: ['div', 'br', 'strong'])
  • options.allowedAttrs - An array of attributes to keep (eg: ['alt', 'href', 'src'])

Defaults

  • options.allowedNodes - ['div, 'p', 'a', 'br', 'i', 'em', 'strong', 'b', 'img']
  • options.allowedAttrs - ['href', 'title', 'alt', 'src', 'width', 'height']

About

Filter and sanitize HTML input

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

3 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages