sanitize-html | submitted HTML, preserving whitelisted elements

by apostrophecms | JavaScript | Version: 2.11.0 | License: MIT

kandi X-RAY | sanitize-html Summary

sanitize-html is a JavaScript library. sanitize-html has no bugs, it has a Permissive License and it has medium support. However, sanitize-html has 6 vulnerabilities. You can install using 'npm i sanitize-html-2' or download it from GitHub, npm.

sanitize-html provides a simple HTML sanitizer with a clear API. sanitize-html is tolerant: it is well suited for cleaning up HTML fragments such as those created by CKEditor and other rich text editors, and it is especially handy for removing unwanted CSS when copying and pasting from Word.

sanitize-html allows you to specify the tags you want to permit, and the permitted attributes for each of those tags. If a tag is not permitted, the contents of the tag are not discarded. There are some exceptions to this, discussed below in the "Discarding the entire contents of a disallowed tag" section. The syntax of poorly closed p and img elements is cleaned up.

href attributes are validated to ensure they only contain http, https, ftp and mailto URLs. Relative URLs are also allowed. The same applies to src attributes. Allowing particular URLs as the src of an iframe tag by filtering hostnames is also supported. HTML comments are not preserved.

Additionally, sanitize-html escapes ALL text content: ampersands, greater-than and less-than signs are converted to their equivalent HTML character references (& --> &amp;, < --> &lt;, and so on). In attribute values, quotation marks are escaped as well (" --> &quot;).

Support

sanitize-html has a medium active ecosystem.
It has 3332 star(s) with 350 fork(s). There are 40 watchers for this library.
There was 1 major release in the last 6 months.
There are 11 open issues and 361 have been closed. On average issues are closed in 227 days. There are no pull requests.
It has a neutral sentiment in the developer community.
The latest version of sanitize-html is 2.11.0.

Quality

sanitize-html has 0 bugs and 0 code smells.

Security

sanitize-html has 6 vulnerability issues reported (0 critical, 1 high, 5 medium, 0 low).
sanitize-html code analysis shows 0 unresolved vulnerabilities.
There are 0 security hotspots that need review.

License

sanitize-html is licensed under the MIT License. This license is Permissive.
Permissive licenses have the least restrictions, and you can use them in most projects.

Reuse

sanitize-html releases are not available. You will need to build from source code and install.
A deployable package is available in npm.
Installation instructions are not available. Examples and code snippets are available.

Top functions reviewed by kandi - BETA

kandi has reviewed sanitize-html and discovered the below as its top functions. This is intended to give you an instant insight into the functionality sanitize-html implements, and help decide if it suits your requirements.
• Re-sanitize HTML from HTML.
• Clean a URL.
• Filter the syntax tree.
• Escape HTML entities in a string.
• Construct a new Frame.
• Filter out the selected declarations.
• Stringify srcset.
• Filter classes based on the allowed CSS classes.
• Return the style attribute string from AST nodes.
• Filter an array and return a new array.


            sanitize-html Examples and Code Snippets

Sanitize html (JavaScript, 34 lines of code, License: Permissive (MIT License))

    function sanitizeHtml(unsafeHtml, allowList, sanitizeFn) {
      // Nothing to sanitize: return the empty input unchanged.
      if (!unsafeHtml.length) {
        return unsafeHtml;
      }
      // A caller-supplied sanitizer takes precedence over the built-in allow list.
      if (sanitizeFn && typeof sanitizeFn === 'function') {
        return sanitizeFn(unsafeHtml);
      }
      const domParser  // ... the remainder of the 34-line snippet is cut off on this page

            Community Discussions


            markdown is not a function
            Asked 2022-Jan-15 at 10:52

markdown is not a function, though I have installed it using npm install marked. In app.js I have used app.use, in which res.local.filterUserHTML is a function which uses the markdown function, but when this is invoked it gives an error stating it doesn't recognize the markdown function.




            Answered 2022-Jan-15 at 10:52


Javascript chat using: my code doesn't work while teacher's does (seem a lot the same)
            Asked 2021-Sep-14 at 17:50

            I'm following a JS course and I can't understand why my code doesn't work but the teacher's code does work. It seems like it's an "order of lines" thing but I'm not sure and can't figure this out.

            More specifically, the functionality that doesn't work is the chat (the socket part).

Here's the teacher's code that works:



            Answered 2021-Sep-14 at 17:50

            It looks like you misnamed your listener. (socket.on function)

            chatMessageFromServer should be chatMessageFromBrowser.



            Gatsby- Can't resolve 'path' in 'C:\Users\...\gatsby-starter-hello-world\node_modules\postcss\lib'
            Asked 2021-Apr-24 at 08:03

I'm trying to use the sanitize-html package along with @types/sanitize-html for TypeScript, but it causes the following error:



            Answered 2021-Apr-24 at 08:03

The issue is fixed in v8.2.7, according to this comment on GitHub. It seems to be related to the fact that webpack has removed polyfills in its new v5 version; webpack is a needed dependency of postcss, which is also used by sanitize-html.

However, if the issue persists, it should be fixed by installing path-browserify (npm i path-browserify) and adding the following fallback to webpack's overriding configuration in your gatsby-node.js (the onCreateWebpackConfig API):



            nextjs ie11 Expected identifier
            Asked 2021-Apr-06 at 02:28

I've been developing on Chrome, hoping that Babel simply fits my code into IE.

One error occurred: SCRIPT1010: Expected identifier
Internet Explorer points to the error here (this file is in static/chunk).
...,e,r){"use strict";let n,i,o,s=r("dUwI"),{isClean:a}=r("zomH"),u=r("aOxJ"),c=r("wWcZ");class l extends...

And I tried to add polyfills in my app.js



            Answered 2021-Mar-12 at 09:04

As far as I can see, your bundle has class declarations and IE does not understand them. Polyfills won't help because you cannot polyfill such a thing; it should be transpiled to compatible ES5 code. It is probably part of some library you use, so you need to use the next-transpile-modules thing for Next.js to transpile the node_modules code of this library.

            Example of usage:



            Can't compile sqlite3 as a native addon, Electron React Boilerplate project
            Asked 2021-Mar-10 at 22:12

I'm building a project based off the Electron React Boilerplate project. I am running macOS 10.15.7 and node v14.15.1.

            I'm trying to install sqlite3 package. Since it's a native dependency, I ran yarn add sqlite3 inside the src/ directory, like it says to do here. The compilation fails with the following output:



            Answered 2021-Mar-10 at 22:12

            I downgraded the sqlite3 package to v5.0.0 and it rebuilt correctly. Hope this helps anyone else with the same issue.

            Source: nodejs electronjs sqlite3 - use of undeclared identifier 'napi_is_detached_arraybuffer'



            Vue.js website is blank in Internet Explorer 11
            Asked 2021-Feb-24 at 15:07




            Answered 2021-Feb-21 at 20:58

            It could be that some dependency of yours is using ES6 syntax.

            By default babel-loader ignores all files inside node_modules. If you want to explicitly transpile a dependency with Babel, you can list it in this option


You need to find out which one it is and add it to transpileDependencies in vue.config.js.

Also the error message is very strange: function(e){let{existsSync:r,readFileSync:i} - both existsSync and readFileSync look like Node API. So check that you don't use any Node package for a browser app (for example node-fetch is definitely a Node-only lib and will not work inside the browser).



            Cannot upload app to appstoreconnect cause "UIWebView" is still being used - ITMS-90809
            Asked 2021-Jan-11 at 14:27

So I am using React Native to develop the app and trying to upload the app to TestFlight via App Store Connect. Every time I upload I get an email from Apple:

            ITMS-90809: Deprecated API Usage - New apps that use UIWebView are no longer accepted. Instead, use WKWebView for improved security and reliability

Yes, I've taken a look at similar posts that are here on Stack Overflow. Here are the things I've tried.

1. I've run grep -r UIWebView on both the node_modules and Pods folders and the only matches I get are comment tags.

            For node_modules:



            Answered 2021-Jan-11 at 14:27

So it turns out that one of the frameworks I added in the Frameworks, Libraries, and Embedded Content section of Xcode was using UIWebView - in this particular case it was the GD Framework. So I just had to download the updated SDK and that solved the problem for me. See image here



            Sanitizers VS dangerouslySetInnerHtml
            Asked 2020-Dec-09 at 13:13

            According to some React documentation:

            Improper use of the innerHTML can open you up to a cross-site scripting (XSS) attack. Sanitizing user input for display is notoriously error-prone, and failure to properly sanitize is one of the leading causes of web vulnerabilities on the internet.

It seems that improper usage of sanitizers and innerHTML can expose the site to XSS (Cross-Site Scripting) attacks.

            On the other hand, according to other documentation (such as Gatsby or sanitizers itself), they are recommended:

            The most straightforward way to prevent a XSS attack is to sanitize the innerHTML string before dangerously setting it. Fortunately, there are npm packages that can accomplish this; packages like sanitize-html and DOMPurify.

            What's the best and safest approach to avoid exposing an application to XSS attacks in React while also avoiding improper usage of sanitizers?



            Answered 2020-Oct-08 at 10:59

The two options do not contradict each other:

            Improper use of the innerHTML can open you up to a cross-site scripting (XSS) attack

            Emphasis on 'improper'.

            sanitize the innerHTML string before dangerously setting it

            Using an established and well known library to sanitize the input before setting it is safe, because it is not an improper use of innerHTML.



            Reactjs npm test: Jest encountered an unexpected token
            Asked 2020-Nov-16 at 07:45

I'm getting an error when running npm test. I feel like I have tried every existing suggestion online, but I cannot get it to work.

            Here is my package.json. I thought the "transformIgnorePatterns": [ "/node_modules/(?!@total/*)", ], would solve the issue, but it didn't.



            Answered 2020-Nov-13 at 16:08

Looks like your situation is that node_modules is nested twice (node_modules/@opt-ui/icons/node_modules/@equinor/eds-icons), so you might have to set both @opt-ui and @equinor to be re-transpiled.

However, I have an idea. I'm not 100% sure the following way would work, but it's worth trying:



            Why is my Shopify App built with Next.js (React) so slow to load?
            Asked 2020-Aug-27 at 08:38

            I followed this tutorial:

From the beginning, my app was extremely slow to load, including when changing tabs, whether loaded through ngrok and run on localhost or deployed on App Engine.

What could be causing this?

            P.S.: I am new to React, Next.js and Shopify App development, so the answer could be quite basic.

P.P.S.: The build output seems to indicate "First Load JS shared by all" is too large based on the red color. I do not know how to investigate this and reduce the size of said chunks, although a mere 214KB could not explain such slow load times, could it?


[Image: React Dev Tools Profiler]

[Image: @next/bundle-analyzer Output]
            Answered 2020-Aug-15 at 16:48

Your initial load on index, according to your dev tools waterfall, took almost 2 seconds for only 18.5KB of data. This is alarmingly slow, and that is before the rest of your resources are even reached. My first thought would be network/server lag. Are you hosting this locally or on a web server of some sort?

            I would strip it down as much as you can, maybe even just try and load a simple index.html file with only a header. If that takes a couple of seconds to load then you may need to either upgrade or migrate to a better host. If you are hosting locally this could just be an issue of your internet having a low upload speed. Many internet plans have fast downloads but slow uploads and you are not always going to get what your ISP promises.


            Community Discussions, Code Snippets contain sources that include Stack Exchange Network


• Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDN), which could allow an attacker to bypass the hostname whitelist validation set by the "allowedIframeHostnames" option.
• Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when "allowIframeRelativeUrls" is set to true, which allows attackers to bypass the hostname whitelist for the iframe element by using a src value that starts with "/\\".
• sanitize-html is a library for scrubbing HTML input of malicious values. Versions 1.2.2 and below have a cross-site scripting vulnerability.
• sanitize-html is a library for scrubbing HTML input of malicious values. Versions 1.11.1 and below are vulnerable to cross-site scripting (XSS) in certain scenarios: if at least one of the nonTextTags is allowed, the result is a potential XSS vulnerability.
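The validation rules the library description above spells out (http, https, ftp, mailto or a relative URL for href and src; hostname filtering for an iframe src; escaping of text and attribute values) and the two iframe bypass classes in the advisories just listed, as a standalone added example. This is not sanitize-html's own code and does not call the library; it relies only on the WHATWG URL parser built into Node.js. The page origin https://app.example and the hostnames bücher.example, video.example and evil.example are constructed for the illustration.

```javascript
// Added example, not sanitize-html's own code: standalone checks for the URL rules
// described on this page, written so that the two bypass classes in the advisories
// are handled: an internationalized hostname that spells an allowed host differently,
// and an iframe src starting with "/\" that a browser resolves to another host.

// Schemes the page lists as acceptable for href/src; relative URLs are also allowed.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'mailto:']);

// Origin the sanitized fragment will be rendered on (assumption: hypothetical host,
// used only to resolve relative references the way a browser would).
const PAGE_ORIGIN = 'https://app.example';
const PAGE_HOST = new URL(PAGE_ORIGIN).hostname;

// Parse an attribute value with the WHATWG URL parser, which strips tab/newline,
// lower-cases the scheme and converts the host to its ASCII (punycode) form.
// Returns null when the value cannot be interpreted as a URL at all.
function parseAttrUrl(value) {
  try {
    return { url: new URL(value), relative: false }; // value carries its own scheme
  } catch (_) {
    try {
      return { url: new URL(value, PAGE_ORIGIN), relative: true }; // resolved against the page
    } catch (_) {
      return null;
    }
  }
}

// href/src rule: the value is relative, or it uses one of the allowed schemes.
function isAllowedLinkUrl(value) {
  const parsed = parseAttrUrl(value);
  if (parsed === null) return false;
  return parsed.relative || ALLOWED_SCHEMES.has(parsed.url.protocol);
}

// Normalize a hostname to its ASCII form so that 'bücher.example' and
// 'xn--bcher-kva.example' compare equal; null for an entry that does not parse.
function toAsciiHost(hostname) {
  try {
    return new URL('https://' + hostname + '/').hostname;
  } catch (_) {
    return null;
  }
}

// Build an iframe src check from an allow list of hostnames. With allowRelative
// the value may also be a relative reference, but only when it resolves to the
// page's own host: "/\evil.example/x" and "//evil.example/x" both resolve elsewhere.
function makeIframeSrcCheck(allowedHostnames, { allowRelative = false } = {}) {
  const allowed = new Set(allowedHostnames.map(toAsciiHost).filter((h) => h !== null));
  return function isAllowedIframeSrc(value) {
    const parsed = parseAttrUrl(value);
    if (parsed === null) return false;
    if (parsed.relative) {
      return allowRelative && parsed.url.hostname === PAGE_HOST;
    }
    if (parsed.url.protocol !== 'http:' && parsed.url.protocol !== 'https:') return false;
    return allowed.has(parsed.url.hostname); // exact match on the normalized host
  };
}

// Escaping rule: &, < and > in text become character references; attribute
// values additionally escape double quotes.
function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(value) {
  return escapeText(value).replace(/"/g, '&quot;');
}

// Demonstration on constructed inputs.
const iframeCheck = makeIframeSrcCheck(['bücher.example', 'video.example'], { allowRelative: true });
const samples = [
  ['href', 'https://example.org/a?b=1', isAllowedLinkUrl],
  ['href', '/relative/path', isAllowedLinkUrl],
  ['href', '  JaVaScRiPt:alert(1)', isAllowedLinkUrl],
  ['iframe', 'https://xn--bcher-kva.example/embed/1', iframeCheck],
  ['iframe', '/\\evil.example/embed/1', iframeCheck],
  ['iframe', '/embed/1', iframeCheck],
];
for (const [kind, value, check] of samples) {
  console.log(kind.padEnd(6), check(value) ? 'allow ' : 'reject', JSON.stringify(value));
}
console.log(escapeAttr('a < b & "c"'));
```

Two design choices carry the weight here: every value goes through the same URL parser a browser uses before any comparison, so tab/newline characters, scheme case and Unicode host spelling are normalized away instead of pattern-matched; and a relative iframe src is accepted only when it resolves back to the page's own host, which is what turns "/\evil.example/..." into a rejection rather than a same-site path.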

            Install sanitize-html

            You can install using 'npm i sanitize-html-2' or download it from GitHub, npm.


Feel free to open issues on GitHub.

• npm: npm i sanitize-html
• CLI: gh repo clone apostrophecms/sanitize-html

