micromark-util-sanitize-uri

micromark utility to sanitize urls.

What is this?
When should I use this?
Install
Use
API
- normalizeUri(value)
- sanitizeUri(url[, pattern])
Types
Compatibility
Security
Contribute
License

What is this?

This package exposes an algorithm to make URLs safe.

When should I use this?

This package might be useful when you are making your own micromark extensions.

Install

This package is ESM only. In Node.js (version 16+), install with npm:

npm install micromark-util-sanitize-uri

In Deno with esm.sh:

import {sanitizeUri} from 'https://esm.sh/micromark-util-sanitize-uri@1'

In browsers with esm.sh:

<script type="module">
  import {sanitizeUri} from 'https://esm.sh/micromark-util-sanitize-uri@1?bundle'
</script>

Use

import {sanitizeUri} from 'micromark-util-sanitize-uri'

sanitizeUri('https://example.com/a&amp;b') // 'https://example.com/a&amp;amp;b'
sanitizeUri('https://example.com/a%b') // 'https://example.com/a%25b'
sanitizeUri('https://example.com/a%20b') // 'https://example.com/a%20b'
sanitizeUri('https://example.com/👍') // 'https://example.com/%F0%9F%91%8D'
sanitizeUri('https://example.com/', /^https?$/i) // 'https://example.com/'
sanitizeUri('javascript:alert(1)', /^https?$/i) // ''
sanitizeUri('./example.jpg', /^https?$/i) // './example.jpg'
sanitizeUri('#a', /^https?$/i) // '#a'

API

This module exports the identifiers normalizeUri and sanitizeUri. There is no default export.

`normalizeUri(value)`

Normalize a URL.

Encode unsafe characters with percent-encoding, skipping already encoded sequences.

Parameters

value (string) — URI to normalize

Returns

Normalized URI (string).

`sanitizeUri(url[, pattern])`

Make a value safe for injection as a URL.

This encodes unsafe characters with percent-encoding and skips already encoded sequences (see normalizeUri). Further unsafe characters are encoded as character references (see micromark-util-encode).

A regex of allowed protocols can be given, in which case the URL is sanitized. For example, /^(https?|ircs?|mailto|xmpp)$/i can be used for a[href], or /^https?$/i for img[src] (this is what github.com allows). If the URL includes an unknown protocol (one not matched by protocol, such as a dangerous example, javascript:), the value is ignored.

Parameters

url (string) — URI to sanitize
pattern (RegExp, optional) — allowed protocols

Returns

Sanitized URI (string).

Types

This package is fully typed with TypeScript. It exports no additional types.

Compatibility

Projects maintained by the unified collective are compatible with maintained versions of Node.js.

When we cut a new major release, we drop support for unmaintained versions of Node. This means we try to keep the current release line, micromark-util-sanitize-uri@2, compatible with Node.js 16. This package works with micromark@3.

Security

This package is safe. See security.md in micromark/.github for how to submit a security report.

Contribute

See contributing.md in micromark/.github for ways to get started. See support.md for ways to get help.

This project has a code of conduct. By interacting with this repository, organisation, or community you agree to abide by its terms.