{"id":13514433,"url":"https://github.com/jitbit/HtmlSanitizer","last_synced_at":"2025-03-31T03:30:46.659Z","repository":{"id":38096040,"uuid":"166411058","full_name":"jitbit/HtmlSanitizer","owner":"jitbit","description":"Fast JavaScript HTML Sanitizer, client-side (i.e. needs a browser, won't work in Node and other backend)","archived":false,"fork":false,"pushed_at":"2025-03-14T20:27:25.000Z","size":70,"stargazers_count":151,"open_issues_count":4,"forks_count":33,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-03-28T06:58:26.258Z","etag":null,"topics":["sanitize","sanitize-html","sanitizer"],"latest_commit_sha":null,"homepage":"https://www.jitbit.com","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jitbit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-18T13:41:26.000Z","updated_at":"2025-03-14T20:27:29.000Z","dependencies_parsed_at":"2024-01-14T19:14:19.601Z","dependency_job_id":"e88dbe51-98f3-4869-a221-82fd339fb2f0","html_url":"https://github.com/jitbit/HtmlSanitizer","commit_stats":{"total_commits":71,"total_committers":2,"mean_commits":35.5,"dds":"0.014084507042253502","last_synced_commit":"2b4b4f353a91dba3f67d7afb6dc8c3ec97a20497"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jitbit%2FHtmlSanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jitbit%2FHtmlSanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/jitbit%2FHtmlSanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jitbit%2FHtmlSanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jitbit","download_url":"https://codeload.github.com/jitbit/HtmlSanitizer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246413377,"owners_count":20773053,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sanitize","sanitize-html","sanitizer"],"created_at":"2024-08-01T05:00:56.200Z","updated_at":"2025-03-31T03:30:46.653Z","avatar_url":"https://github.com/jitbit.png","language":"HTML","readme":"# JS Html Sanitizer\n\nClient-side HTML Sanitizer (front-end only, i.e. \"needs a browser\", won't work in `Node`) to prevent XSS and unwanted tags in UGC.\n\n* Very fast (8000 ops/sec)\n* Very small (1.7kb *unminified!*)\n* Zero dependency, vanilla JS, works even in IE (duh)\n\n\u003e Please note: to prevent XSS attacks you should always sanitize input **on the server too**. 
*Never trust the client!*\n\n### Install\n\n```html\n\u003cscript src=\"https://cdn.jsdelivr.net/npm/@jitbit/htmlsanitizer@latest/HtmlSanitizer.min.js\"\u003e\u003c/script\u003e\n```\n\nor\n\n```\nnpm install @jitbit/htmlsanitizer\n```\n(simply puts the script into `/node_modules`)\n\n### Usage:\n\n```html\n\u003cscript\u003e\n    var html;\n    \n    //run with default settings\n    html = HtmlSanitizer.SanitizeHtml(\"\u003cdiv\u003e\u003cscript\u003ealert('xss!');\u003c/sc\" + \"ript\u003e\u003c/div\u003e\"); //returns \"\u003cdiv\u003e\u003c/div\u003e\";\n    html = HtmlSanitizer.SanitizeHtml(\"\u003ca onclick=\\\"alert('xss')\\\"\u003e\u003c/a\u003e\"); //returns \"\u003ca\u003e\u003c/a\u003e\";\n    html = HtmlSanitizer.SanitizeHtml(\"\u003ca href=\\\"javascript:alert('xss')\\\"\u003e\u003c/a\u003e\"); //returns \"\u003ca\u003e\u003c/a\u003e\";\n    \n    //permanently allow a tag for all future invocations\n    HtmlSanitizer.AllowedTags['FORM'] = true;\n    html = HtmlSanitizer.SanitizeHtml(\"\u003cform\u003e\u003c/form\u003e\"); //returns \"\u003cform\u003e\u003c/form\u003e\";\n    \n    //allow something only once by specifying a selector\n    html = HtmlSanitizer.SanitizeHtml(\"\u003cinput type=checkbox\u003e\", \"input[type=checkbox]\"); //returns \"\u003cinput type=\\\"checkbox\\\"\u003e\";\n\u003c/script\u003e\n```\n\nThe sanitizer uses a [whitelisting](https://en.wikipedia.org/wiki/Whitelisting) approach (as opposed to \"blacklisting\") to clean out everything that's not allowed.\n\n## Speed \u0026 Benchmarks\n\nIt uses the browser/DOM to parse the HTML by using the `DOMParser` object (hence the browser \"front-end only\" requirement) which makes it **much faster** than \"pure JavaScript\" sanitizers.\n\nTested on `https://www.bbc.co.uk` homepage - the page is sanitized **~370 times per second** on an i5 core CPU in Firefox Quantum (tested via `benchmark.js`)\n\nComparing HtmlSanitizer vs DOMPurify benchmark:\n\n```\nstarting benchmark...\nHtmlSanitizer x 8,048 
ops/sec ±3.37% (44 runs sampled)\nDOMPurify x 5,195 ops/sec ±3.30% (57 runs sampled)\nFastest is HtmlSanitizer\n```\n\n## Tags allowed by default\n\n`a, abbr, b, blockquote, body, br, center, code, div, em, font, h1, h2, h3, h4, h5, h6, hr, i, img, label, li, ol, p, pre, small, source, span, strong, table, tbody, tr, td, th, thead, ul, u, video`\n\n## Attributes allowed by default\n\n`align, color, controls, height, href, src, style, target, title, type, width`\n\n## CSS styles allowed by default\n\n`color, background-color, font-size, text-align, text-decoration, font-weight`\n\n## Schemas allowed by default\n\n`http:, https:, data:, m-files:, file:, ftp:, mailto:, pw:`\n\n(allowed in 'src', 'href' and similar \"uri-attributes\". To clean up stuff like `\u003ca href='javascript:alert()'\u003e\u003c/a\u003e`)\n\n## Configuring\n\nAllowed tags, attributes, schemas and styles are listed in `AllowedTags`, `AllowedAttributes`, `AllowedSchemas` and `AllowedCssStyles` public properties. To disallow a tag remove it from the dictionary like this:\n\n```javascript\ndelete HtmlSanitizer.AllowedTags['TABLE']; //mind the uppercase\n```\n\nTo add an allowed tag globally:\n\n```javascript\nHtmlSanitizer.AllowedTags['SCRIPT'] = true; //mind the uppercase\n```\n\nTo allow an extra tag only once during invocation - specify an extra selector to allow in the second parameter\n\n```javascript\nvar html = HtmlSanitizer.SanitizeHtml(\"\u003cinput type=checkbox\u003e\", \"input[type=checkbox]\");\n```\n\n## Browser support\n\nSupported by all major browsers, IE10 and higher.\n\n## BUT WHY?\n\n\u003e Why create a front-end HTML sanitizer if the input has to be sanitized on the server anyway?\n\nUsers often copy-paste awful HTML generated by MS Word, MS Outlook or Apple Mail that needs a clean-up. Or you need to remove excessive formatting in a WYSIWYG editor. Or you need to display an (ugly) email message in a (beautiful) mobile app. 
Or (my favorite) you simply need to ease the load in the server-side sanitizer. And many many other use-cases.\n\n\n\u0026copy; [Jitbit](https://www.jitbit.com/)\n","funding_links":[],"categories":["HTML"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjitbit%2FHtmlSanitizer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjitbit%2FHtmlSanitizer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjitbit%2FHtmlSanitizer/lists"}