rehype-sanitize
rehype plugin to sanitize HTML.
Install
npm:
npm install rehype-sanitize
Use
Say we have the following file, `index.html`:

```html
<div onmouseover="alert('alpha')">
  <a href="jAva script:alert('bravo')">delta</a>
  <img src="x" onerror="alert('charlie')">
  <iframe src="javascript:alert('delta')"></iframe>
  <math>
    <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
  </math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>
```
And our script, `example.js`, looks as follows:

```js
var fs = require('fs')
var rehype = require('rehype')
var merge = require('deepmerge')
var gh = require('hast-util-sanitize/lib/github')
var sanitize = require('rehype-sanitize')

// Start from the GitHub schema and additionally allow the `math` and `mi` elements.
var schema = merge(gh, {tagNames: ['math', 'mi']})

rehype()
  .data('settings', {fragment: true}) // parse the input as a fragment, not a full document
  .use(sanitize, schema)
  .process(fs.readFileSync('index.html'), function(err, file) {
    if (err) throw err
    console.log(String(file))
  })
```
Now, running `node example` yields:

```html
<div>
  <a>delta</a>
  <img src="x">
  <math>
    <mi></mi>
  </math>
</div>
```
API
`rehype().use(sanitize[, schema])`
Remove potentially dangerous things from HTML, or, more correctly, keep only the safe things in a document.
schema
The sanitation schema defines how and whether nodes and properties should be cleaned. The schema is documented in hast-util-sanitize.
Security
Improper use of rehype-sanitize can open you up to a cross-site scripting (XSS) attack. The defaults are safe, but deviating from them is likely unsafe. Use rehype-sanitize after all other plugins, as other plugins are likely also unsafe.
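To make the schema semantics from the API section and the "deviating from the defaults is unsafe" warning concrete, here is an added example that is not code from rehype-sanitize or hast-util-sanitize: a deliberately small allow-list sanitizer over a hast tree (the plain `{type, tagName, properties, children}` objects rehype works on) that accepts a schema in the same shape (`tagNames`, `attributes`, `protocols`, `strip`). The tree is constructed inline to mirror the `index.html` above (without the `math` part); the unwrap-versus-strip behaviour, the `title`/`alt` attributes and the `protocolAllowed` rule are assumptions made for this illustration, not a description of the library's internals.

```javascript
// Added example (not rehype-sanitize's own code): an allow-list sanitizer over a
// hast tree, driven by a schema of the same shape hast-util-sanitize accepts.

const VOID_TAGS = new Set(['img', 'br', 'hr', 'input', 'meta', 'link'])

// Assumed "safe" schema: only these tags and properties survive, and URL-valued
// properties must be relative or use one of the listed schemes.
const safeSchema = {
  tagNames: ['div', 'a', 'img'],
  attributes: { '*': ['title'], a: ['href'], img: ['src', 'alt'] },
  protocols: { href: ['http', 'https', 'mailto'], src: ['http', 'https'] },
  strip: ['script']
}

// True when a URL is relative or its scheme is allowed. The scheme is lower-cased
// but not otherwise normalised, so "jAva script:" is simply not an allowed scheme.
function protocolAllowed(value, allowed) {
  const s = String(value)
  const colon = s.indexOf(':')
  if (colon === -1) return true // no scheme: relative URL
  const delims = ['/', '?', '#'].map(c => s.indexOf(c)).filter(i => i !== -1)
  if (delims.length && Math.min(...delims) < colon) return true // colon sits in path/query
  return allowed.includes(s.slice(0, colon).toLowerCase())
}

// Returns an array so a node can vanish (strip), be unwrapped, or be kept.
function sanitizeNode(node, schema) {
  if (node.type === 'text') return [node]
  if (node.type !== 'element') return [] // comments, doctypes etc. are dropped
  if (schema.strip.includes(node.tagName)) return [] // element and its content removed
  const children = (node.children || []).flatMap(c => sanitizeNode(c, schema))
  if (!schema.tagNames.includes(node.tagName)) return children // unknown element unwrapped
  const allowed = [...(schema.attributes['*'] || []), ...(schema.attributes[node.tagName] || [])]
  const properties = {}
  for (const [name, value] of Object.entries(node.properties || {})) {
    if (!allowed.includes(name)) continue // event handlers are never in the allow list
    if (name in schema.protocols && !protocolAllowed(value, schema.protocols[name])) continue
    properties[name] = value
  }
  return [{ type: 'element', tagName: node.tagName, properties, children }]
}

function sanitize(tree, schema) {
  return { type: 'root', children: tree.children.flatMap(c => sanitizeNode(c, schema)) }
}

// Minimal serializer so the result can be compared with the README's output.
const escapeText = s => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
function toHtml(node) {
  if (node.type === 'root') return node.children.map(toHtml).join('')
  if (node.type === 'text') return escapeText(node.value)
  const attrs = Object.entries(node.properties)
    .map(([k, v]) => ` ${k}="${String(v).replace(/"/g, '&quot;')}"`).join('')
  const open = `<${node.tagName}${attrs}>`
  if (VOID_TAGS.has(node.tagName)) return open
  return `${open}${node.children.map(toHtml).join('')}</${node.tagName}>`
}

const el = (tagName, properties, children = []) => ({ type: 'element', tagName, properties, children })
const text = value => ({ type: 'text', value })

// Constructed hast tree mirroring the README's index.html (hast uses camelCase property names).
const input = {
  type: 'root',
  children: [
    el('div', { onMouseOver: "alert('alpha')" }, [
      el('a', { href: "jAva script:alert('bravo')" }, [text('delta')]),
      el('img', { src: 'x', onError: "alert('charlie')" }),
      el('iframe', { src: "javascript:alert('delta')" })
    ]),
    el('script', {}, [text("alert('echo')")])
  ]
}

function sanitizedHtml(schema = safeSchema) {
  return toHtml(sanitize(input, schema))
}

// Deviating from the defaults: adding an event-handler attribute to the allow
// list lets the handler through, which is exactly the XSS the sanitizer exists to stop.
function handlerSurvivesWhenAllowed() {
  const loosened = { ...safeSchema, attributes: { ...safeSchema.attributes, img: ['src', 'onError'] } }
  return sanitizedHtml(loosened).includes('onError=')
}

console.log(sanitizedHtml()) // <div><a>delta</a><img src="x"></div>
```

Run with `node` and compare the printed line with the README's output: the `onmouseover`/`onerror` handlers are gone because they are not in any allow list, the `href` is gone because its scheme is not allowed, the `iframe` is unwrapped and the `script` is stripped with its content. `handlerSurvivesWhenAllowed()` shows why a single schema change can undo all of that.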
Related
- hast-util-sanitize — Core utility that does the sanitation
Contribute
See contributing.md in rehypejs/.github for ways to get started. See support.md for ways to get help.
This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.