@appex/aurelia-dompurify

0.5.0 • Public • Published

aurelia-dompurify

This Aurelia plugin replaces the built-in HTMLSanitizer implementation with a DOMPurify-based implementation.

Aurelia's default sanitizer should not be used: as the official documentation states, it is not meant for production use.

Additionally, the plugin supplies a configurable value converter named dompurify for use cases where a default configuration isn't sufficient.

Installing

npm i @appex/aurelia-dompurify
# or
yarn add @appex/aurelia-dompurify

Using

Using DOMPurify's default values:

  aurelia.use
    .standardConfiguration()
    .plugin(PLATFORM.moduleName('@appex/aurelia-dompurify'))

You can also override the default config. Refer to the DOMPurify docs for more information.

  aurelia.use
    .standardConfiguration()
    .plugin(PLATFORM.moduleName('@appex/aurelia-dompurify'), {ALLOWED_TAGS: ['b']})

The dompurify value converter is used like this:

  <p innerHTML.bind="untrustedContent | dompurify"></p>
  <!-- Identical to using Aurelia's sanitizeHTML value converter -->
  <p innerHTML.bind="untrustedContent | sanitizeHTML"></p>
  <!-- With custom configuration -->
  <p innerHTML.bind="untrustedContent | dompurify: {ALLOWED_TAGS: ['i']}"></p>
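
A custom ALLOWED_TAGS list, whether passed to the plugin or to the value converter, is worth a regression check. The following is an added example, not code from this package: auditConfig, findViolations and the sample strings are constructed for illustration, and the sanitizer is injected so the check runs without a DOM.

```javascript
// Added example, not code from @appex/aurelia-dompurify.
// The sanitizer is injected so the check runs anywhere; in an app pass
//   (html, cfg) => DOMPurify.sanitize(html, cfg)

// Constructed sample inputs standing in for untrustedContent.
const SAMPLES = [
  '<b>bold</b> text',
  '<i>italic</i>',
  '<b onclick="alert(1)">click</b>',
  '<img src="x" onerror="alert(1)">',
  '<script>alert(1)</script>',
];

// Conservative scan of sanitizer output. It over-reports rather than
// under-reports and is a test assertion, not a sanitizer.
function findViolations(output, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const violations = [];
  const tagPattern = /<\s*\/?\s*([a-zA-Z][\w:-]*)([^>]*)>?/g;
  for (const match of output.matchAll(tagPattern)) {
    const tag = match[1].toLowerCase();
    if (!allowed.has(tag)) violations.push(`tag <${tag}>`);
    // Attribute names may follow whitespace or a slash.
    if (/[\s/]on[a-z]+\s*=/i.test(match[2])) {
      violations.push(`handler on <${tag}>`);
    }
  }
  return violations;
}

// Runs every sample through sanitize(html, config) and returns the cases
// whose output breaks the allowlist. config must carry ALLOWED_TAGS.
function auditConfig(sanitize, config, samples = SAMPLES) {
  const failures = [];
  for (const input of samples) {
    const output = String(sanitize(input, config));
    const violations = findViolations(output, config.ALLOWED_TAGS);
    if (violations.length > 0) failures.push({ input, output, violations });
  }
  return failures;
}

// Test doubles: a pass-through "sanitizer" must be caught, an encoder must pass.
const passThrough = (html) => html;
const encodeAll = (html) => html.replace(/&/g, '&amp;').replace(/</g, '&lt;');
console.log(auditConfig(passThrough, { ALLOWED_TAGS: ['b'] }).length); // 4
console.log(auditConfig(encodeAll, { ALLOWED_TAGS: ['b'] }).length); // 0
```

In a browser or jsdom test run, pass the real DOMPurify.sanitize call and the same config object given to the plugin; an empty result means no sample survived with a tag outside the list or an on* attribute.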

License

MIT

Collaborators

  • appex-developers