# rehype-sanitize [![Build Status][travis-badge]][travis] [![Coverage Status][codecov-badge]][codecov]

Sanitise HTML with [**rehype**][rehype].

## Installation

[npm][]:

```bash
npm install rehype-sanitize
```

## Usage

Say we have the following file, `index.html`:

```html
<div onmouseover="alert('alpha')">
  <a href="jAva script:alert('bravo')">delta</a>
  <img src="x" onerror="alert('charlie')">
  <iframe src="javascript:alert('delta')"></iframe>
  <math>
    <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
  </math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>
```

And our script, `example.js`, looks as follows:

```javascript
var fs = require('fs');
var rehype = require('rehype');
var merge = require('deepmerge');
var gh = require('hast-util-sanitize/lib/github');
var sanitize = require('rehype-sanitize');

// Start from the GitHub schema and additionally allow `math` and `mi`.
// deepmerge concatenates arrays, so these names are appended to the
// existing `tagNames` list rather than replacing it.
var schema = merge(gh, {tagNames: ['math', 'mi']});

rehype()
  .data('settings', {fragment: true})
  .use(sanitize, schema)
  .process(fs.readFileSync('index.html'), function (err, file) {
    if (err) throw err;
    console.log(String(file));
  });
```

Now, running `node example` yields:

```html
<div>
  <a>delta</a>
  <img src="x">

  <math>
    <mi></mi>
  </math>
</div>
```

## API

### `rehype().use(sanitize[, schema])`

Remove potentially dangerous nodes and properties from HTML. Everything
the schema does not explicitly allow is removed, so add this plugin after
any plugin that introduces untrusted content and before the tree is
stringified; content added to the tree later in the pipeline is not
sanitised.

###### `schema`

The sanitation schema defines whether and how nodes and properties are
cleaned. The schema is documented in [`hast-util-sanitize`][schema]; when
omitted, that utility's default schema, modelled on what GitHub allows,
is used.

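To make the allowlist behaviour shown in the Usage section concrete, here
is an added example (not code from rehype-sanitize or hast-util-sanitize):
a small schema-driven sanitiser over a hast-like tree (element nodes with
`type`, `tagName`, `properties`, `children`). It models four of the schema
keys hast-util-sanitize documents (`tagNames`, `attributes`, `protocols`,
`strip`) and feeds it the `index.html` fragment from above, constructed
inline as a tree. The `exampleSchema` and the `urlAllowed` helper are this
example's own and the real library's implementation differs in detail;
attribute names are used as written instead of hast's camel-cased property
names to keep the model short.

```javascript
// Added example, not the project's own code: a minimal allowlist sanitiser
// over a hast-like tree, modelling a subset of what hast-util-sanitize does
// with the `tagNames`, `attributes`, `protocols` and `strip` schema keys.

// Schema constructed for this example; the GitHub schema shipped with
// hast-util-sanitize is much larger.
const exampleSchema = {
  tagNames: ['div', 'a', 'img', 'math', 'mi'],
  attributes: {a: ['href'], img: ['src'], '*': ['title']},
  protocols: {href: ['http', 'https', 'mailto'], src: ['http', 'https']},
  strip: ['script'] // removed together with their content, not unwrapped
};

// Allowlist check for URL-valued attributes, run on the entity-decoded
// value the parser produces. Whitespace and ASCII control characters are
// dropped before the scheme is read, so `jAva script:` or `java\tscript:`
// cannot hide the scheme, and the comparison is case-insensitive because
// URL schemes are. Values without a scheme (relative URLs such as `x`)
// pass through.
function urlAllowed(value, allowedProtocols) {
  const compact = String(value).replace(/[\s\u0000-\u001f]+/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(compact);
  if (!scheme) return true;
  return allowedProtocols.includes(scheme[1].toLowerCase());
}

// Keep only allowlisted attributes for this tag, and for URL attributes
// only allowlisted schemes. Event handlers such as onmouseover or onerror
// are never in the allowlist, so they fall away without any `on*` denylist.
function sanitizeProperties(tagName, properties, schema) {
  const allowed = new Set([
    ...(schema.attributes[tagName] || []),
    ...(schema.attributes['*'] || [])
  ]);
  const clean = {};
  for (const [name, value] of Object.entries(properties || {})) {
    if (!allowed.has(name)) continue;
    const protocols = schema.protocols[name];
    if (protocols && !urlAllowed(value, protocols)) continue;
    clean[name] = value;
  }
  return clean;
}

// Returns the nodes that replace `node`: text is kept, an element in
// `strip` disappears with its whole subtree, an element not in `tagNames`
// is unwrapped (its sanitised children survive, the tag does not), and
// every other node type (comments, doctypes) is dropped.
function sanitizeNode(node, schema) {
  if (node.type === 'text') return [node];
  if (node.type !== 'element') return [];
  if (schema.strip.includes(node.tagName)) return [];
  const children = (node.children || []).flatMap((c) => sanitizeNode(c, schema));
  if (!schema.tagNames.includes(node.tagName)) return children;
  return [{
    type: 'element',
    tagName: node.tagName,
    properties: sanitizeProperties(node.tagName, node.properties, schema),
    children
  }];
}

function sanitizeTree(root, schema) {
  return {type: 'root', children: root.children.flatMap((c) => sanitizeNode(c, schema))};
}

// Constructed input: the README's index.html as a hast-like tree.
const el = (tagName, properties, children = []) => ({type: 'element', tagName, properties, children});
const text = (value) => ({type: 'text', value});
const input = {
  type: 'root',
  children: [
    el('div', {onmouseover: "alert('alpha')"}, [
      el('a', {href: "jAva script:alert('bravo')"}, [text('delta')]),
      el('img', {src: 'x', onerror: "alert('charlie')"}),
      el('iframe', {src: "javascript:alert('delta')"}),
      el('math', {}, [el('mi', {'xlink:href': "data:x,<script>alert('echo')</script>"})])
    ]),
    el('script', {}, [text("require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);")])
  ]
};

const output = sanitizeTree(input, exampleSchema);
console.log(JSON.stringify(output, null, 2));
```

Three things are worth noting in the result. The `<iframe>` disappears
because unknown tags are unwrapped and it has no children, while the
`<script>` is stripped together with its text; the `javascript:` and
`data:` URLs are rejected by scheme, not by pattern-matching the attribute
value; and allowing `math` and `mi` in `tagNames` does not allow
`xlink:href` on them, which is why the output above shows an empty `<mi>`.
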
## Related

* [`hast-util-sanitize`](https://github.com/wooorm/hast-util-sanitize)
  — Core utility that does the sanitation

## License

[MIT][license] © [Titus Wormer][author]

[travis-badge]: https://img.shields.io/travis/wooorm/rehype-sanitize.svg
[travis]: https://travis-ci.org/wooorm/rehype-sanitize
[codecov-badge]: https://img.shields.io/codecov/c/github/wooorm/rehype-sanitize.svg
[codecov]: https://codecov.io/github/wooorm/rehype-sanitize
[npm]: https://docs.npmjs.com/cli/install
[license]: LICENSE
[author]: http://wooorm.com
[rehype]: https://github.com/wooorm/rehype
[schema]: https://github.com/wooorm/hast-util-sanitize#schema