ting

2.5.1 • Public • Published


Opinionated HTML Sanitizer for Node.js. Built upon sanitize-html.

  • Keep up with the latest standards (new tags are allowed, e.g. <aside>, <progress>, <time>...).
  • <iframe> is not allowed.
  • style attribute is not allowed.
  • id attribute is not allowed unless idFilter returns true (see Options).
  • Inline SVG is not allowed (use <img> with an external SVG source).
  • Customizable via sanitize-html options.
  • TypeScript friendly.

Installation

yarn add ting

Usage

const ting = require('ting');
 
ting.sanitize(
  html,             // the HTML string that needs to be sanitized
  options,          // [Optional] ting options
  overrideOptions,  // [Optional] a function to override the internal sanitize-html options
);

Example:

const ting = require('ting');
 
const dirty = `
<script>alert(1)</script>
<img src="x.jpg" onclick="alert(1)"/>
<img src="cool.jpg"/>
<figcaption>caption</figcaption>
`;
 
const safe = ting.sanitize(dirty);
console.log(safe);
/** Prints
  <img src="x.jpg" />
  <img src="cool.jpg" />
  <figcaption>caption</figcaption>
 */

Options

{
  // `id` attribute is not allowed unless `idFilter` returns true
  idFilter: (id: string) => boolean;
}
  • Example: allow all ids starting with "user-content-":

ting.sanitize(`
<a id="id-attack">bad</a>
<a id="user-content-link">fine</a>
<a>no id</a>`, {
  idFilter: (id) => {
    return id.startsWith('user-content-');
  },
});
/** Prints
  <a id="user-content-link">fine</a>
  <a>no id</a>
 */

Overriding sanitize-html Options

ting is built upon sanitize-html, so you can override the internal sanitize-html options or pass an entirely new set (which makes ting no different from sanitize-html). For example, to allow <iframe> tags, override the allowedTags and allowedAttributes of the sanitize-html options:

ting.sanitize('<iframe src="https://coldfunction.com"></iframe>',
  undefined,    // no options for ting
  (opts) => {   // override sanitize-html options
    opts.allowedTags.push('iframe');
    opts.allowedAttributes.iframe = ['src'];
    return opts;
  });
// Prints: <iframe src="https://coldfunction.com"></iframe>
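The two hooks above (the idFilter option and the sanitize-html override function) are where the security policy of a ting call actually lives, so it is worth building them as reusable functions rather than inline lambdas. The following is an added example, not code from the ting package, and it does not call ting or sanitize-html: the options object it operates on is a constructed stand-in shaped like sanitize-html's options (an allowedTags array, an allowedAttributes map, and sanitize-html's allowedIframeHostnames list), so it runs offline. makeIdFilter tightens the README's "user-content-" prefix rule by also requiring a conservative character set after the prefix (that character rule is this example's own choice); keeping user-supplied ids inside a namespace prefix stops them from colliding with the host page's own element ids. allowIframesFrom generalizes the iframe override so that <iframe> is allowed only with a src attribute and only for an explicit hostname list, instead of for any origin.

```javascript
// Added example; not part of ting. Pure option-building logic only.

// Returns an idFilter for ting's `options.idFilter`: accept an id only if it
// carries the namespace prefix AND the remainder is a non-empty run of
// [A-Za-z0-9_-]. Rejects "user-content-" with an empty suffix and ids with
// unusual characters. (Character rule is an assumption of this example.)
function makeIdFilter(prefix) {
  const suffix = /^[a-z0-9][a-z0-9_-]*$/i;
  return (id) =>
    typeof id === 'string' &&
    id.startsWith(prefix) &&
    suffix.test(id.slice(prefix.length));
}

// Returns an override function for ting's third argument. Unlike the README
// snippet it does not mutate the object it is given: it returns a new options
// object with <iframe> added, `src` as its only attribute, and
// sanitize-html's `allowedIframeHostnames` set to the given hostnames so
// frames from any other host are dropped by sanitize-html.
function allowIframesFrom(hostnames) {
  return (opts) => ({
    ...opts,
    allowedTags: opts.allowedTags.includes('iframe')
      ? opts.allowedTags
      : [...opts.allowedTags, 'iframe'],
    allowedAttributes: { ...opts.allowedAttributes, iframe: ['src'] },
    allowedIframeHostnames: [...hostnames],
  });
}

// Constructed stand-in for the internal sanitize-html options that ting
// would pass to the override function (NOT ting's real defaults).
function sampleOptions() {
  return {
    allowedTags: ['a', 'img', 'figcaption'],
    allowedAttributes: { a: ['href'], img: ['src', 'alt'] },
  };
}

// Walk a few constructed ids through the filter and build the overridden
// options, returning both so a caller can inspect them.
function demo() {
  const idFilter = makeIdFilter('user-content-');
  const ids = ['id-attack', 'user-content-link', 'user-content-', 'user-content-a b'];
  const idResults = Object.fromEntries(ids.map((id) => [id, idFilter(id)]));
  const opts = allowIframesFrom(['www.youtube.com'])(sampleOptions());
  return { idResults, opts };
}

console.log(JSON.stringify(demo(), null, 2));
```

Usage with ting would be `ting.sanitize(html, { idFilter: makeIdFilter('user-content-') }, allowIframesFrom(['www.youtube.com']))`; because allowIframesFrom returns a fresh object, the same override can be reused across calls without one call's mutation leaking into the next.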

Package Sidebar

Install: npm i ting
Weekly Downloads: 2
Version: 2.5.1
License: MIT
Unpacked Size: 11.1 kB
Total Files: 11
Collaborators: mgenware