| 1 | # rehype-sanitize
|
| 2 |
|
| 3 | [![Build][build-badge]][build]
|
| 4 | [![Coverage][coverage-badge]][coverage]
|
| 5 | [![Downloads][downloads-badge]][downloads]
|
| 6 | [![Chat][chat-badge]][chat]
|
| 7 |
|
| 8 | Sanitise HTML with [**rehype**][rehype].
|
| 9 |
|
| 10 | ## Installation
|
| 11 |
|
| 12 | [npm][]:
|
| 13 |
|
| 14 | ```bash
|
| 15 | npm install rehype-sanitize
|
| 16 | ```
|
| 17 |
|
| 18 | ## Usage
|
| 19 |
|
| 20 | Say we have the following file, `index.html`:
|
| 21 |
|
| 22 | ```html
|
| 23 | <div onmouseover="alert('alpha')">
|
| 24 | <a href="jAva script:alert('bravo')">delta</a>
|
| 25 | <img src="x" onerror="alert('charlie')">
|
| 26 | <iframe src="javascript:alert('delta')"></iframe>
|
| 27 | <math>
|
| 28 | <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
|
| 29 | </math>
|
| 30 | </div>
|
| 31 | <script>
|
| 32 | require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
|
| 33 | </script>
|
| 34 | ```
|
| 35 |
|
| 36 | And our script, `example.js`, looks as follows:
|
| 37 |
|
| 38 | ```javascript
|
| 39 | var fs = require('fs')
|
| 40 | var rehype = require('rehype')
|
| 41 | var merge = require('deepmerge')
|
| 42 | var gh = require('hast-util-sanitize/lib/github')
|
| 43 | var sanitize = require('rehype-sanitize')
|
| 44 |
|
| 45 | var schema = merge(gh, {tagNames: ['math', 'mi']})
|
| 46 |
|
| 47 | rehype()
|
| 48 | .data('settings', {fragment: true})
|
| 49 | .use(sanitize, schema)
|
| 50 | .process(fs.readFileSync('index.html'), function(err, file) {
|
| 51 | if (err) throw err
|
| 52 | console.log(String(file))
|
| 53 | })
|
| 54 | ```
|
| 55 |
|
| 56 | Now, running `node example` yields:
|
| 57 |
|
| 58 | ```html
|
| 59 | <div>
|
| 60 | <a>delta</a>
|
| 61 | <img src="x">
|
| 62 |
|
| 63 | <math>
|
| 64 | <mi></mi>
|
| 65 | </math>
|
| 66 | </div>
|
| 67 | ```
|
| 68 |
|
| 69 | ## API
|
| 70 |
|
| 71 | ### `rehype().use(sanitize[, schema])`
|
| 72 |
|
| 73 | Remove potentially dangerous things from HTML.
|
| 74 |
|
| 75 | ###### `schema`
|
| 76 |
|
| 77 | The sanitation schema defines how and if nodes and properties should
|
| 78 | be cleaned. The schema is documented in [`hast-util-sanitize`][schema].
|
| 79 |
|
| 80 | ## Related
|
| 81 |
|
| 82 | * [`hast-util-sanitize`](https://github.com/syntax-tree/hast-util-sanitize)
|
| 83 | — Core utility that does the sanitation
|
| 84 |
|
| 85 | ## Contribute
|
| 86 |
|
| 87 | See [`contributing.md` in `rehypejs/rehype`][contribute] for ways to get
|
| 88 | started.
|
| 89 |
|
| 90 | This organisation has a [Code of Conduct][coc]. By interacting with this
|
| 91 | repository, organisation, or community you agree to abide by its terms.
|
| 92 |
|
| 93 | ## License
|
| 94 |
|
| 95 | [MIT][license] © [Titus Wormer][author]
|
| 96 |
|
| 97 |
|
| 98 |
|
| 99 | [build-badge]: https://img.shields.io/travis/rehypejs/rehype-sanitize.svg
|
| 100 |
|
| 101 | [build]: https://travis-ci.org/rehypejs/rehype-sanitize
|
| 102 |
|
| 103 | [coverage-badge]: https://img.shields.io/codecov/c/github/rehypejs/rehype-sanitize.svg
|
| 104 |
|
| 105 | [coverage]: https://codecov.io/github/rehypejs/rehype-sanitize
|
| 106 |
|
| 107 | [downloads-badge]: https://img.shields.io/npm/dm/rehype-sanitize.svg
|
| 108 |
|
| 109 | [downloads]: https://www.npmjs.com/package/rehype-sanitize
|
| 110 |
|
| 111 | [chat-badge]: https://img.shields.io/badge/join%20the%20community-on%20spectrum-7b16ff.svg
|
| 112 |
|
| 113 | [chat]: https://spectrum.chat/unified/rehype
|
| 114 |
|
| 115 | [npm]: https://docs.npmjs.com/cli/install
|
| 116 |
|
| 117 | [license]: license
|
| 118 |
|
| 119 | [author]: https://wooorm.com
|
| 120 |
|
| 121 | [rehype]: https://github.com/rehypejs/rehype
|
| 122 |
|
| 123 | [schema]: https://github.com/syntax-tree/hast-util-sanitize#schema
|
| 124 |
|
| 125 | [contribute]: https://github.com/rehypejs/rehype/blob/master/contributing.md
|
| 126 |
|
| 127 | [coc]: https://github.com/rehypejs/rehype/blob/master/code-of-conduct.md
|