
script_sanitizer.js

A simple npm library to remove script tags but keep other html


Installation

Documentation

https://doclets.io/eperegrine/script_sanitizer.js/master

Usage

If on Node.js

const script_sanitize = require('../script_sanitize');
var sanitize = script_sanitize.sanitize;

If on a website

<script src="https://cdn.rawgit.com/eperegrine/script_sanitizer.js/master/dist/script_sanitize.min.js"></script>
<script type="text/javascript">
  var sanitize = script_sanitize.sanitize;
</script>

The method is defined as

sanitize(html, options (optional))

and can be used like so

var sanitized = sanitize("<h1>Hello</h1><script>alert('hi')</script>");
//=> <h1>Hello</h1>
var sanitizedWithReplacement = sanitize("<h1>Hello</h1><script>alert('hi')</script>", { replacementText: "no" });
//=> <h1>Hello</h1>no

Attributes

The default attributes are stored in an array which can be referenced like:

var attrArray = script_sanitize.defaultAttributes;

and if you wanted to make an attribute exempt, you could do it like so (thanks Stack Overflow):

// Copy the array first so the shared defaultAttributes list is not mutated
var newAttrArray = script_sanitize.defaultAttributes.slice();
var exemptIndex = newAttrArray.indexOf("onclick");
newAttrArray.splice(exemptIndex, 1);
sanitize("[HTML STUFF]", { attributes: newAttrArray });

The options parameter

| Option | Description | Default Value |
|---|---|---|
| replacementText | The text to replace the script tag with | "" |
| loop | Whether to replace via looping or a single statement | true |
| replaceEndTagsAfter | In certain cases the ending script tag is still there; this option ensures it won't be | true |
| tags | The tags that should be replaced | ["script"] |
| attributes | The attributes that should be replaced | defaultAttributes |

Utils

| Util | Description |
|---|---|
| isDefined | Checks if a variable is defined |
| defaultFor | Sets a default value if a variable is defined |
| generateRegexForTag | Generates a regex object for a tag |
| generateRegexForEndTag | Generates a regex object to check an end tag |
| generateRegexForAttribute | Generates a regex object to check an attribute |
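As an added example (not the library's own source), the block below re-implements the documented behaviour of sanitize() from the Usage and Attributes sections together with the options table: the tag regex is the one quoted under Disclaimer, while the attribute list, the end-tag regex and the attribute regex are constructed assumptions about what the generateRegexFor* utils produce.

```javascript
// Added example: a minimal re-implementation of the documented behaviour of
// script_sanitize.sanitize(), written for this README and not the library's
// own source. The tag regex matches the one quoted under Disclaimer; the
// attribute list and the attribute/end-tag regexes are constructed assumptions.

// Constructed stand-in for script_sanitize.defaultAttributes.
const defaultAttributes = ["onclick", "onload", "onerror", "onmouseover"];

// Assumed shapes of the three generateRegexFor* utils from the Utils table.
function generateRegexForTag(tag) {
  // For "script" this yields the regex quoted under Disclaimer.
  return new RegExp("<" + tag + "\\b[^<]*(?:(?!<\\/" + tag + ">)<[^<]*)*<\\/" + tag + "\\s*>", "gi");
}
function generateRegexForEndTag(tag) {
  return new RegExp("<\\/" + tag + "\\s*>", "gi");
}
function generateRegexForAttribute(attr) {
  // Matches  onclick="..." ,  onclick='...'  or  onclick=bare  inside a tag.
  return new RegExp("\\s+" + attr + "\\s*=\\s*(?:\"[^\"]*\"|'[^']*'|[^\\s>]+)", "gi");
}

function sanitize(html, options) {
  options = options || {};
  const replacementText = options.replacementText !== undefined ? options.replacementText : "";
  const loop = options.loop !== undefined ? options.loop : true;
  const replaceEndTagsAfter = options.replaceEndTagsAfter !== undefined ? options.replaceEndTagsAfter : true;
  const tags = options.tags || ["script"];
  const attributes = options.attributes || defaultAttributes;

  let out = String(html);
  for (const tag of tags) {
    const re = generateRegexForTag(tag);
    if (loop) {
      // Re-apply until the output stops changing (bounded), so a tag that only
      // becomes matchable after an earlier removal does not survive one pass.
      let prev, rounds = 0;
      do { prev = out; out = out.replace(re, replacementText); } while (out !== prev && ++rounds < 10);
    } else {
      out = out.replace(re, replacementText);
    }
    // A lone end tag left behind is replaced too, as replaceEndTagsAfter documents.
    if (replaceEndTagsAfter) out = out.replace(generateRegexForEndTag(tag), replacementText);
  }
  // Listed event-handler attributes are removed from any remaining tag.
  for (const attr of attributes) out = out.replace(generateRegexForAttribute(attr), "");
  return out;
}
```

Passing a copy of defaultAttributes with an entry filtered out reproduces the exemption shown under Attributes.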

License

MIT

Disclaimer

The code uses a regex, which has been sourced from here. The regex is:

/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi

Although this library will likely be used for security purposes, I, the developer, am not responsible if this package doesn't meet your security requirements, so use with caution.