https://github.com/eperegrine/script_sanitizer.js
A simple npm library to remove script tags but keep other html
https://github.com/eperegrine/script_sanitizer.js
javascript npm npm-package regex script-sanitizer security security-tools xss xss-prevention
Last synced: 3 months ago
JSON representation
A simple npm library to remove script tags but keep other html
- Host: GitHub
- URL: https://github.com/eperegrine/script_sanitizer.js
- Owner: eperegrine
- License: mit
- Created: 2016-07-23T12:07:20.000Z (almost 10 years ago)
- Default Branch: master
- Last Pushed: 2021-03-26T09:48:22.000Z (over 5 years ago)
- Last Synced: 2025-02-10T01:03:34.805Z (over 1 year ago)
- Topics: javascript, npm, npm-package, regex, script-sanitizer, security, security-tools, xss, xss-prevention
- Language: JavaScript
- Homepage: https://www.npmjs.com/package/script_sanitize
- Size: 516 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: License
Awesome Lists containing this project
README
# script_sanitizer.js
A simple npm library to remove script tags but keep other html
[](https://www.npmjs.com/package/script_sanitize)
[](https://travis-ci.org/eperegrine/script_sanitizer.js)
[](https://www.npmjs.com/package/script_sanitize)
[](https://www.npmjs.com/package/script_sanitize)
Installation
===
- NPM: `npm install script_sanitize`
- CDN: https://cdn.rawgit.com/eperegrine/script_sanitizer.js/master/dist/script_sanitize.min.js
- Repo: dist/script_sanitize.js
- Repo Minified: dist/script_sanitize.min.js
Documention
===========
https://doclets.io/eperegrine/script_sanitizer.js/master
Usage
===
If on Node.js
```js
const script_sanitize = require('../script_sanitize');
var sanitize = script_sanitize.sanitize;
```
If on a website
```html
var sanitize = script_sanitize.sanitize;
```
The method is defined as
`sanitize(html, options (optional))`
and can be used like so
```js
var sanitized = sanitize("
Hello
alert('hi')");
//=> Hello
```
```js
var sanitizedWithReplacment = sanitize("
Hello
alert('hi')", { replacementText: "no" });
//=> Hello
no
```
Attributes
--
The default attributes are stored in an array which can be refrenced like:
```js
var attrArray = script_sanitize.defaultAttributes;
```
and if you wanted to make an attribute exempt you could apply it like so
[thanks stack overflow](https://stackoverflow.com/questions/5767325/how-do-i-remove-a-particular-element-from-an-array-in-javascript)
```js
var newAttrArray = script_sanitize.defaultAttributes;
var exemptIndex = newAttrArray.indexOf("onclick");
newAttrArray.splice(exmptIndex, 1);
sanitize("[HTML STUFF]", { attributes: newAttrArray });
```
The options parameter
--
| Option | Description | Default Value |
|---------------------|-----------------------------------------------------------------------------------------|-------------------|
| replacementText | The text to replace the script tag with | "" |
| loop | Whether to replace via looping or a single statement | true |
| replaceEndTagsAfter | In certain cases the ending script tag is still there, this options ensures it won't be | true |
| tags | The tags that should be replaced | ["script"] |
| attributes | The attributes that should be replaced | defaultAttributes |
Utils
--
| Util | Description |
|---------------------------|-------------------------------------------------|
| isDefined | Checks if a variable is defined |
| defaultFor | Sets a default value if a variable is defined |
| generateRegexForTag | Generates a regex object for a tag |
| generateRegexForEndTag | Generates a regex object to check an end tag |
| generateRegexForAttribute | Generates a regex object to check an attribute |
License
===
[MIT](https://opensource.org/licenses/MIT)
Disclaimer
===
The code uses regex, which has been sourced from [here](http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression)
The regex is:
`/)<[^<]*)*<\/script\s*>/gi`
Although this library will likely be used for security purposes I, the developer, am not responsible if this pacakge doesn't meet your security requirements so use with caution