JavaScript port of htmLawed HTML filter library
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Vitaliy Filippov 0eaa36b39c Sync with htmLawed 1.2.4.1 3 years ago
.babelrc Fix keep_bad=0 mode 6 years ago
.eslintrc.js Sync with htmLawed 1.2.4.1 3 years ago
README.md Sync with htmLawed 1.2.4.1 3 years ago
htmLawed.js Sync with htmLawed 1.2.4.1 3 years ago
htmLawed.src.js Sync with htmLawed 1.2.4.1 3 years ago
htmLawed_TESTCASE.txt Sync with htmLawed 1.2.4.1 3 years ago
htmLawed_TESTCASE_out.htm Sync with htmLawed 1.2.4.1 3 years ago
package.json Sync with htmLawed 1.2.4.1 3 years ago
rsnake_xss.txt add some tests, rename hl_bal function arg 6 years ago
test.js Fix keep_bad=0 mode 6 years ago

README.md

htmLawed

This is a JS rewrite of a safe HTML sanitizer "htmLawed", http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/

It is safe against almost all possible XSS vectors; see test cases in htmLawed_TESTCASE.txt and rsnake_xss.txt.

Code is awful, but it works :D

Version corresponds to 1.2.4.1

Install

npm install htmlawed

Basic usage

const htmlawed = require('htmlawed');
var safe = htmlawed.sanitize('<html code>', { safe: 1 });

Config options

The same config as in the original PHP version is supported. See documentation here:

http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2

The most interesting options are:

  • safe: sanitize against most XSS
  • elements: space-delimited allowed HTML elements with '+' or '-' in front. for example, * +style means "allow all standard elements and <style> element".
  • keep_bad: what to do with bad tags (6 is the default)
  • 0 = remove them
  • 1 = escape tags and element content (replace < > to &lt; &gt;)
  • 2 = remove tags, escape element content
  • 3, 4 = like 1, 2 but remove if text (#PCDATA) is invalid in parent element
  • 5, 6 = like 3, 4 but leave space characters in place
  • parent: supposed parent element that will be wrapped around content
  • `tidy: -1 = compact/uglify HTML, 0 = no change (default), 1 = tify/beautify HTML
  • abs_url: -1 = make relative, 0 = no change (default), 1 = make absolute
  • base_url: base URL for abs_url to work if not 0

License

LGPL, because it's a rewrite of the original LGPL-licensed library.

Copyright (c) 2016+ Vitaliy Filippov (vitalif ~ mail.ru)