  • Stars: 449
  • Rank 97,328 (Top 2 %)
  • Language: JavaScript
  • License: MIT License
  • Created almost 10 years ago
  • Updated 7 months ago


Repository Details

😾 Lean and configurable whitelist-oriented HTML sanitizer

insane

Lean and configurable whitelist-oriented HTML sanitizer

Works well in browsers, as its footprint is very small (around 2kb gzipped). Its API is inspired by sanitize-html (which is around 100kb gzipped).

You would be insane not to use this!

Install

npm install insane --save

Usage

insane('<div>foo<span>bar</span></div>', { allowedTags: ['div'] })
// <- '<div>foo</div>'

Contrary to similar sanitizers, insane drops the whole tree of descendants for elements that aren't allowed tags.

API

insane(html, options?, strict?)

  • html can be an arbitrary HTML string
  • options are detailed below
  • strict, when set to true, means that options are used as given instead of being layered on top of insane.defaults

The parser takes into account that some elements can be self-closing. For safety reasons the sanitizer will only accept a valid URL in the background, base, cite, href, longdesc, src, and usemap attributes. "Valid URL" means that it begins with #, with /, or with any of options.allowedSchemes followed by :.
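The URL rule above is small enough to state as code. The block below is an added example written for this page, not insane's own implementation (the library's internal helper names are not known here); it re-implements the documented rule so the accepted and rejected forms can be seen side by side on constructed sample values, and applies it to the attribute names the README lists.

```javascript
// Added example: a stand-alone re-implementation of the URL acceptance rule
// documented above, written for this page. It is not insane's own code and
// the function names here are my own, not the library's.
const DEFAULT_SCHEMES = ['http', 'https', 'mailto'];

// Attributes the README says are subject to the URL rule.
const URL_ATTRIBUTES = ['background', 'base', 'cite', 'href', 'longdesc', 'src', 'usemap'];

// A URL is accepted only if it begins with '#', '/' or '<scheme>:' for an
// allowed scheme. Anything else (unknown schemes, leading whitespace, a bare
// word with no prefix) is rejected, which is what makes an allowlist safer
// than a blocklist of bad schemes. Assumption: the comparison is
// case-sensitive; confirm that against the library version you use.
function isAllowedUrl(url, allowedSchemes = DEFAULT_SCHEMES) {
  if (typeof url !== 'string') return false;
  if (url.startsWith('#') || url.startsWith('/')) return true;
  return allowedSchemes.some((scheme) => url.startsWith(scheme + ':'));
}

// Returns a copy of attrs with URL-bearing attributes removed unless their
// value passes isAllowedUrl. Non-URL attributes are passed through untouched.
function stripUnsafeUrlAttributes(attrs, allowedSchemes = DEFAULT_SCHEMES) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (URL_ATTRIBUTES.includes(name) && !isAllowedUrl(value, allowedSchemes)) continue;
    kept[name] = value;
  }
  return kept;
}

// Constructed sample values, one per branch of the rule.
const SAMPLE_URLS = {
  fragment: '#section-2',
  rootRelative: '/docs/index.html',
  protocolRelative: '//cdn.example.com/lib.js',
  https: 'https://example.com/page',
  mailto: 'mailto:someone@example.com',
  javascriptScheme: 'javascript:void(0)',
  dataScheme: 'data:text/plain,hello',
  bareWord: 'example.com/page',
  leadingSpace: ' https://example.com/page',
};

// Evaluate every sample and return { sampleName: accepted }.
function classifySamples(allowedSchemes = DEFAULT_SCHEMES) {
  const result = {};
  for (const [name, url] of Object.entries(SAMPLE_URLS)) {
    result[name] = isAllowedUrl(url, allowedSchemes);
  }
  return result;
}

console.log(classifySamples());
console.log(stripUnsafeUrlAttributes({ href: SAMPLE_URLS.javascriptScheme, title: 'x' }));
```

One consequence of the rule as documented is visible in the samples: a protocol-relative URL such as //cdn.example.com/lib.js is accepted because it begins with /, so it will load cross-origin content. If that is not wanted, the filter option described further down is the place to reject it.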

options

Sensible defaults are provided. You can override specific options as needed.

allowedSchemes

Defaults to ['http', 'https', 'mailto'].

allowedTags

An array of tags that you'll allow in the resulting HTML.

Example

Only allow spans, discarding the rest of elements.

insane('<div>foo</div><span>bar</span>', {
  allowedTags: ['span']
});
// <- '<span>bar</span>'

allowedAttributes

An object describing the attributes you'll allow for each individual tag name.

Example

Only allow spans, and only allow those spans to have an id (discarding the rest of their attributes).

insane('<span id="bar" class="super">bar</span>', {
  allowedTags: ['span'],
  allowedAttributes: { span: ['id'] }
});
// <- '<span id="bar">bar</span>'

allowedClasses

If 'class' is listed as an allowed attribute, every single class will be allowed. If you don't list 'class' as an allowed attribute, you can provide a class whitelist per tag name.

Example

Only allow spans to have super or bad class names, discarding the rest of them.

insane('<span class="super mean and bad">bar</span>', {
  allowedTags: ['span'],
  allowedClasses: { span: ['super', 'bad'] }
});
// <- '<span class="super bad">bar</span>'

filter

Takes a function(token) that allows you to do additional validation beyond exact tag name and attribute matching. The token object passed to your filter contains the following properties.

  • tag is the lowercase tag name of the element
  • attrs is an object containing every attribute in the element, including those that may not be in the whitelist

If you return a falsy value, the element and all of its descendants are left out of the output. Note that you are allowed to change the attrs, and even add new ones, transforming the output.

Example

Require that <span> elements have an aria-label value.

function filter (token) {
  return token.tag !== 'span' || token.attrs['aria-label'];
}
insane('<span aria-label="a foo">foo</span><span>bar</span>', {
  allowedTags: ['span'],
  allowedAttributes: { span: ['aria-label'] },
  filter: filter
});
// <- '<span aria-label="a foo">foo</span>'
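The filter hook is where policy that goes beyond name matching lives. The block below is an added example written for this page, not part of the insane project: a filter that works on the documented token shape ({ tag, attrs }) to add rel="noopener noreferrer" to links that open a new window and to drop iframes whose src is not on a host allowlist. EMBED_HOSTS is a constructed placeholder, and it is an assumption here that an attribute the filter adds (rel) must also appear in allowedAttributes for that tag to survive the attribute whitelist; check that against the version you use.

```javascript
// Added example: an insane filter function written for this page (not part of
// the insane project) that uses the documented token shape { tag, attrs } to
// enforce two link/embed policies. EMBED_HOSTS is a constructed placeholder
// allowlist. Assumption: an attribute the filter adds (rel) must also be
// listed in allowedAttributes for that tag to survive the attribute
// whitelist; check this against the version you use.
const EMBED_HOSTS = ['embed.example.com'];

// Hostname of an absolute URL, or null for relative/unparsable values.
function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

function policyFilter(token) {
  const { tag, attrs } = token;

  if (tag === 'a') {
    if (attrs.target === '_blank') {
      // A link that opens a new browsing context should not hand the
      // opener window or the referrer to the target page.
      attrs.rel = 'noopener noreferrer';
    } else if (attrs.target !== undefined) {
      // Policy choice for this example: only _blank is recognised; any other
      // target value is removed rather than passed through.
      delete attrs.target;
    }
    return true;
  }

  if (tag === 'iframe') {
    // Only allow embeds from the allowlisted hosts; anything else, including
    // relative src values, drops the element and all of its descendants.
    const host = hostOf(attrs.src);
    return host !== null && EMBED_HOSTS.includes(host);
  }

  return true; // other tags are left to allowedTags / allowedAttributes
}

// The options object you would hand to insane(html, options): the default
// anchor/iframe attributes plus 'rel', so the attribute the filter adds is kept.
function buildOptions() {
  return {
    allowedTags: ['a', 'iframe', 'p'],
    allowedAttributes: {
      a: ['href', 'name', 'target', 'rel'],
      iframe: ['allowfullscreen', 'frameborder', 'src'],
    },
    filter: policyFilter,
  };
}

// Run the filter over constructed tokens and report what insane would act on:
// whether each element is kept and its (possibly rewritten) attrs.
function runSamples() {
  const tokens = [
    { tag: 'a', attrs: { href: 'https://example.com/', target: '_blank' } },
    { tag: 'a', attrs: { href: '/local', target: 'top' } },
    { tag: 'iframe', attrs: { src: 'https://embed.example.com/video/123' } },
    { tag: 'iframe', attrs: { src: 'https://other.example.net/embed' } },
    { tag: 'iframe', attrs: { src: '/embed' } },
    { tag: 'p', attrs: {} },
  ];
  return tokens.map((t) => ({ tag: t.tag, kept: Boolean(policyFilter(t)), attrs: t.attrs }));
}

console.log(runSamples());
```

Because the filter receives every attribute on the element, including ones outside the whitelist, it is the right place to inspect a raw src before deciding whether the element survives; the attribute whitelist alone cannot express "only this host".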

transformText

Takes a function(text) that allows you to modify text content in HTML elements. Runs for every piece of text content. The returned value is used instead of the original text contents.

Defaults

The default configuration is used if you don't provide any. This object is available at insane.defaults. You are free to manipulate the defaults themselves.

{
  "allowedAttributes": {
    "a": ["href", "name", "target"],
    "iframe": ["allowfullscreen", "frameborder", "src"],
    "img": ["src"]
  },
  "allowedClasses": {},
  "allowedSchemes": ["http", "https", "mailto"],
  "allowedTags": [
    "a", "article", "b", "blockquote", "br", "caption", "code", "del", "details", "div", "em",
    "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "img", "ins", "kbd", "li", "main", "ol",
    "p", "pre", "section", "span", "strike", "strong", "sub", "summary", "sup", "table",
    "tbody", "td", "th", "thead", "tr", "u", "ul"
  ],
  "filter": null,
  "transformText": null
}

License

MIT
