# rehype-sanitize

[![Build][build-badge]][build]
[![Coverage][coverage-badge]][coverage]
[![Downloads][downloads-badge]][downloads]
[![Size][size-badge]][size]
[![Sponsors][sponsors-badge]][collective]
[![Backers][backers-badge]][collective]
[![Chat][chat-badge]][chat]

[**rehype**][rehype] plugin to sanitise HTML.

## Install

[npm][]:

```sh
npm install rehype-sanitize
```

## Use

Say we have the following file, `index.html`:

```html
<div onmouseover="alert('alpha')">
  <a href="jAva script:alert('bravo')">delta</a>
  <img src="x" onerror="alert('charlie')">
  <iframe src="javascript:alert('delta')"></iframe>
  <math>
    <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
  </math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>
```

And our script, `example.js`, looks as follows:

```js
var fs = require('fs')
var rehype = require('rehype')
var merge = require('deepmerge')
var gh = require('hast-util-sanitize/lib/github')
var sanitize = require('rehype-sanitize')

// Extend the GitHub schema so that `math` and `mi` elements are allowed too.
var schema = merge(gh, {tagNames: ['math', 'mi']})

rehype()
  .data('settings', {fragment: true})
  .use(sanitize, schema)
  .process(fs.readFileSync('index.html'), function(err, file) {
    if (err) throw err
    console.log(String(file))
  })
```

Now, running `node example` yields:

```html
<div>
  <a>delta</a>
  <img src="x">

  <math>
    <mi></mi>
  </math>
</div>
```

## API

### `rehype().use(sanitize[, schema])`

Remove potentially dangerous things from HTML, or, more precisely, keep only
the safe things in a document.

###### `schema`

The sanitation schema defines whether and how nodes and properties are cleaned.
The schema is documented in [`hast-util-sanitize`][schema].

## Related

* [`hast-util-sanitize`](https://github.com/syntax-tree/hast-util-sanitize)
  — Core utility that does the sanitation

## Contribute

See [`contributing.md`][contributing] in [`rehypejs/.github`][health] for ways
to get started.
See [`support.md`][support] for ways to get help.

This project has a [Code of Conduct][coc].
By interacting with this repository, organisation, or community you agree to
abide by its terms.

## License

[MIT][license] © [Titus Wormer][author]

[build-badge]: https://img.shields.io/travis/rehypejs/rehype-sanitize.svg
[build]: https://travis-ci.org/rehypejs/rehype-sanitize
[coverage-badge]: https://img.shields.io/codecov/c/github/rehypejs/rehype-sanitize.svg
[coverage]: https://codecov.io/github/rehypejs/rehype-sanitize
[downloads-badge]: https://img.shields.io/npm/dm/rehype-sanitize.svg
[downloads]: https://www.npmjs.com/package/rehype-sanitize
[size-badge]: https://img.shields.io/bundlephobia/minzip/rehype-sanitize.svg
[size]: https://bundlephobia.com/result?p=rehype-sanitize
[sponsors-badge]: https://opencollective.com/unified/sponsors/badge.svg
[backers-badge]: https://opencollective.com/unified/backers/badge.svg
[collective]: https://opencollective.com/unified
[chat-badge]: https://img.shields.io/badge/join%20the%20community-on%20spectrum-7b16ff.svg
[chat]: https://spectrum.chat/unified/rehype
[npm]: https://docs.npmjs.com/cli/install
[health]: https://github.com/rehypejs/.github
[contributing]: https://github.com/rehypejs/.github/blob/master/contributing.md
[support]: https://github.com/rehypejs/.github/blob/master/support.md
[coc]: https://github.com/rehypejs/.github/blob/master/code-of-conduct.md
[license]: license
[author]: https://wooorm.com
[rehype]: https://github.com/rehypejs/rehype
[schema]: https://github.com/syntax-tree/hast-util-sanitize#schema