# `@aegisjsproject/sanitizer`

[Sanitizer API](https://github.com/WICG/sanitizer-api/) polyfill & config

[![CodeQL](https://github.com/AegisJSProject/sanitizer/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/AegisJSProject/sanitizer/actions/workflows/codeql-analysis.yml)
![Node CI](https://github.com/AegisJSProject/sanitizer/workflows/Node%20CI/badge.svg)
![Lint Code Base](https://github.com/AegisJSProject/sanitizer/workflows/Lint%20Code%20Base/badge.svg)

[![GitHub license](https://img.shields.io/github/license/AegisJSProject/sanitizer.svg)](https://github.com/AegisJSProject/sanitizer/blob/master/LICENSE)
[![GitHub last commit](https://img.shields.io/github/last-commit/AegisJSProject/sanitizer.svg)](https://github.com/AegisJSProject/sanitizer/commits/master)
[![GitHub release](https://img.shields.io/github/release/AegisJSProject/sanitizer?logo=github)](https://github.com/AegisJSProject/sanitizer/releases)
[![GitHub Sponsors](https://img.shields.io/github/sponsors/shgysk8zer0?logo=github)](https://github.com/sponsors/shgysk8zer0)

[![npm](https://img.shields.io/npm/v/@aegisjsproject/sanitizer)](https://www.npmjs.com/package/@aegisjsproject/sanitizer)
![node-current](https://img.shields.io/node/v/@aegisjsproject/sanitizer)
![npm bundle size gzipped](https://img.shields.io/bundlephobia/minzip/@aegisjsproject/sanitizer)
[![npm](https://img.shields.io/npm/dw/@aegisjsproject/sanitizer?logo=npm)](https://www.npmjs.com/package/@aegisjsproject/sanitizer)

[![GitHub followers](https://img.shields.io/github/followers/shgysk8zer0.svg?style=social)](https://github.com/shgysk8zer0)
![GitHub forks](https://img.shields.io/github/forks/AegisJSProject/sanitizer.svg?style=social)
![GitHub stars](https://img.shields.io/github/stars/AegisJSProject/sanitizer.svg?style=social)
[![Twitter Follow](https://img.shields.io/twitter/follow/shgysk8zer0.svg?style=social)](https://twitter.com/shgysk8zer0)

[![Donate using Liberapay](https://img.shields.io/liberapay/receives/shgysk8zer0.svg?logo=liberapay)](https://liberapay.com/shgysk8zer0/donate "Donate using Liberapay")
- - -

- [Code of Conduct](./.github/CODE_OF_CONDUCT.md)
- [Contributing](./.github/CONTRIBUTING.md)
<!-- - [Security Policy](./.github/SECURITY.md) -->

## AegisJSProject Sanitizer

This is a library & polyfill for the [Sanitizer API](https://github.com/WICG/sanitizer-api/).

It provides a minimal polyfill for `Element.prototype.setHTML()` & `Document.parseHTML()`,
as well as config files for HTML, SVG, & MathML. Please note, however, that the
default sanitizer config used by these methods *only* supports HTML.

The "base" config (not what is used by default) *DOES* add support for `<svg>`,
and the "complete" config supports `<svg>` & `<math>`.

This helps prevent XSS by:
- Stripping event handler attributes such as `onclick`
- Removing unsafe URL attributes such as `<a href="javascript:...">`
- Dropping `<script>` and `<style>` elements
- Removing other potentially dangerous elements & attributes

### Example

```js
import '@aegisjsproject/sanitizer/polyfill.js';
import { sanitizer } from '@aegisjsproject/sanitizer/config/base.js';

// A blob: URL to stand beside the javascript: and data: links below
const file = new File(['Hello, World!'], 'hello.txt', { type: 'text/plain' });

document.body.setHTML(`
  <header id="header">
    <h1 onclick="alert(location.href)" data-foo="bar">Hello, World!</h1>
  </header>
  <nav id="nav" class="flex row">
    <button type="button" popovertarget="bacon" popovertargetaction="show" accesskey="b">Show Bacon Ipsum</button>
    <a href="#foo">Normal Link</a>
    <a href="javascript:alert('javascript:')"><code>javascript:</code> Link</a>
    <a href="data:text/plain,Not%20Allowed" target="_blank"><code>data:</code> Link</a>
    <a href="${URL.createObjectURL(file)}" target="_blank"><code>blob:</code> Link</a>
  </nav>
  <main id="main"></main>
  <div popover="auto" id="bacon">
    <div>
      <b>Bacon Ipsum</b>
      <button type="button" popovertarget="bacon" popovertargetaction="hide">
        <svg xmlns="http://www.w3.org/2000/svg" width="12" height="16" viewBox="0 0 12 16" fill="currentColor" role="presentation" aria-label="Close Popover">
          <path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48L7.48 8z"/>
        </svg>
      </button>
    </div>
    <p>Bacon ipsum dolor amet pork belly frankfurter drumstick jowl brisket capicola
      short ribs. Cow chislic ham hock t-bone shoulder salami rump corned beef spare
      ribs prosciutto bresaola picanha drumstick. Swine tail pork belly ribeye beef
      kielbasa. Beef cupim ball tip pastrami spare ribs strip steak tongue salam
      venison. Venison cupim meatball strip steak meatloaf prosciutto buffalo
      frankfurter hamburger flank boudin.</p>
  </div>
`, sanitizer);
```

The `onclick` handler and the `javascript:` link are there to show what the sanitizer removes; the inline `<svg>` survives only because the `base` config is passed rather than the HTML-only default.

### Restricting Allowed Content (e.g. for comments)

```js
// Tight allowlist for untrusted comment bodies: only these elements and attributes survive
const sanitizer = {
  elements: ['span', 'div', 'p', 'code', 'pre', 'blockquote', 'img', 'a'],
  attributes: ['href', 'src', 'loading', 'height', 'width', 'class', 'alt', 'target'],
};

fetch('https://api.example.com/comments')
  .then(resp => resp.json())
  .then(comments => {
    document.querySelector('.comments').append(...comments.map(comment => {
      const el = document.createElement('div');
      el.setHTML(comment.body, sanitizer);
      return el;
    }));
  });
```

### Adding to allowed elements / attributes

```js
import { elements, attributes } from '@aegisjsproject/sanitizer/config/html.js';

// Extend the shipped HTML allowlist with a custom element and attribute
const sanitizer = {
  elements: ['hello-world', ...elements],
  attributes: ['foo', ...attributes],
};

document.querySelector('.container').setHTML(`
  <hello-world foo="bar"></hello-world>
`, sanitizer);
```

### Enforce Sanitization by default (on e.g. `innerHTML`, where supported)

```js
if ('trustedTypes' in globalThis) {
  trustedTypes.createPolicy('default', {
    createHTML(input) {
      // Sanitize into a detached element, then hand back the cleaned serialization
      const el = document.createElement('div');
      el.setHTML(input);
      return el.innerHTML;
    }
  });
}
```

The `default` policy is only consulted when the page enforces Trusted Types through the `require-trusted-types-for 'script'` CSP directive; without that directive, sinks such as `innerHTML` keep accepting plain strings and this policy never runs.
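The allowlist model behind the "Restricting Allowed Content" and "Adding to allowed elements / attributes" sections, as an added example that is not code from `@aegisjsproject/sanitizer`. It reuses the README's `{ elements, attributes }` config shape but works on a plain object tree instead of the DOM so it runs in Node; the policy decisions it makes (event handler attributes dropped, `href`/`src` checked by scheme through the WHATWG URL parser, `<script>`/`<style>` removed with their content, other disallowed elements unwrapped to their children) are this example's own assumptions, not a description of how the polyfill behaves. `URL_ATTRIBUTES`, `SAFE_SCHEMES`, `DROP_WITH_CONTENT`, `VOID_ELEMENTS` and the `SAMPLE` tree are constructed for the example.

```javascript
// Added example, not code from @aegisjsproject/sanitizer: models the allowlist
// rules the README describes on a plain object tree so it runs in Node without a DOM.

// Config in the README's { elements, attributes } shape: the "comments" allowlist.
const COMMENT_CONFIG = {
  elements: ['span', 'div', 'p', 'code', 'pre', 'blockquote', 'img', 'a'],
  attributes: ['href', 'src', 'loading', 'height', 'width', 'class', 'alt', 'target'],
};

// Extending an allowlist, as the README does for <hello-world foo="bar">.
const EXTENDED_CONFIG = {
  elements: ['hello-world', ...COMMENT_CONFIG.elements],
  attributes: ['foo', ...COMMENT_CONFIG.attributes],
};

// Policy choices made for this example (assumptions, not the polyfill's behaviour).
const URL_ATTRIBUTES = new Set(['href', 'src']);              // attribute values that are URLs
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // javascript:, data:, blob: rejected
const DROP_WITH_CONTENT = new Set(['script', 'style']);       // removed together with their text
const VOID_ELEMENTS = new Set(['img', 'br', 'hr']);

// Scheme check via the WHATWG URL parser: it strips ASCII tab/newline and leading
// whitespace and lower-cases the scheme, so "java\tscript:" and " JAVASCRIPT:" are
// normalised before comparison. Relative URLs and fragments resolve against the
// placeholder base and therefore pass as https:.
function isSafeUrl(value) {
  let url;
  try {
    url = new URL(value, 'https://example.invalid/');
  } catch {
    return false; // unparseable: reject rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol);
}

function sanitizeAttributes(attrs, config) {
  const allowed = new Set(config.attributes);
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const lower = name.toLowerCase();
    if (lower.startsWith('on')) continue;                          // event handlers never survive
    if (!allowed.has(lower)) continue;                              // not on the allowlist
    if (URL_ATTRIBUTES.has(lower) && !isSafeUrl(value)) continue;  // unsafe URL scheme
    out[lower] = value;
  }
  return out;
}

// A node is a text string or { tag, attrs, children }. Returns an array because a
// disallowed element is unwrapped: its sanitized children take its place.
function sanitizeTree(node, config) {
  if (typeof node === 'string') return [node];
  const tag = node.tag.toLowerCase();
  if (DROP_WITH_CONTENT.has(tag)) return [];                 // the content is code, not text
  const children = (node.children ?? []).flatMap(c => sanitizeTree(c, config));
  if (!config.elements.includes(tag)) return children;        // unwrap elements not allowlisted
  return [{ tag, attrs: sanitizeAttributes(node.attrs ?? {}, config), children }];
}

const escapeText = s => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = s => escapeText(s).replace(/"/g, '&quot;');

// Serialise with escaping so text nodes and attribute values cannot re-introduce markup.
function serialize(nodes) {
  return nodes.map(node => {
    if (typeof node === 'string') return escapeText(node);
    const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
    if (VOID_ELEMENTS.has(node.tag)) return `<${node.tag}${attrs}>`;
    return `<${node.tag}${attrs}>${serialize(node.children)}</${node.tag}>`;
  }).join('');
}

function sanitizeToHtml(root, config) {
  return serialize(sanitizeTree(root, config));
}

// Constructed input mirroring the README's demo payloads (assumed, not real comment data).
const SAMPLE = {
  tag: 'div', attrs: { class: 'comment' }, children: [
    { tag: 'p', attrs: { onclick: 'alert(1)', class: 'body' },
      children: ['Hello, ', { tag: 'b', attrs: {}, children: ['World'] }] },
    { tag: 'script', attrs: {}, children: ['alert(document.cookie)'] },
    { tag: 'a', attrs: { href: 'javascript:alert(1)' }, children: ['js link'] },
    { tag: 'a', attrs: { href: 'java\tscript:alert(1)' }, children: ['tab link'] },
    { tag: 'a', attrs: { href: 'https://example.com/', target: '_blank' }, children: ['ok link'] },
    { tag: 'img', attrs: { src: 'data:text/html,<script>alert(1)</script>', alt: 'x' }, children: [] },
    { tag: 'style', attrs: {}, children: ['body { display: none }'] },
  ],
};

console.log(sanitizeToHtml(SAMPLE, COMMENT_CONFIG));
console.log(sanitizeToHtml({ tag: 'hello-world', attrs: { foo: 'bar', onload: 'x' }, children: [] }, EXTENDED_CONFIG));
```

The object tree stands in for the parsed DOM: in a browser the same per-element decisions are applied while walking the fragment that `setHTML()` has already parsed, which is what keeps an allowlist sanitizer clear of the string-matching pitfalls (case tricks, embedded tabs, entity encoding) that the `isSafeUrl` check above has to absorb explicitly.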