Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/julienetie/xsskillah

A Fast Minimal HTML Sanitizer for the Web
https://github.com/julienetie/xsskillah

cleaner dom parser sanitize sanitizer xss

Last synced: 30 days ago
JSON representation

A Fast Minimal HTML Sanitizer for the Web

Host: GitHub
URL: https://github.com/julienetie/xsskillah
Owner: julienetie
License: mit
Created: 2024-01-20T18:08:49.000Z (11 months ago)
Default Branch: main
Last Pushed: 2024-03-31T18:32:11.000Z (9 months ago)
Last Synced: 2024-08-03T22:23:16.365Z (4 months ago)
Topics: cleaner, dom, parser, sanitize, sanitizer, xss
Language: JavaScript
Homepage:
Size: 182 KB
Stars: 3
Watchers: 2
Forks: 0
Open Issues: 13
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

jimsghstars - julienetie/xsskillah - A Fast Minimal HTML Sanitizer for the Web (JavaScript)

README

# XssKillah (Work in Progress)

## A Fast Minimal DOM-based HTML Sanitizer

XssKillah is a lightweight and fast HTML sanitizer designed for securing components and content delivery. While it comes with opinionated defaults for high protection, it offers flexibility for various real-world use cases.

### Features

- **2.11KB minified** | **957 bytes** _(brotli)_
- Minimal allowed markup by default for enhanced security
- Fast _(Outperforms generic sanitizers like DomPurify and Sanitize-HTML)_
- Sanitizes against a real DOM (not RegEx)
- Cleans dangerous URLs
- No need for escaping _(Textual content is encapsulated in Text-nodes)_
- Whitelist opt-in for dangerous tags, attributes, and known vulnerable combinations

### Philosophy

XssKillah follows a highly opinionated approach by justifiably disallowing vulnerable tags and attributes that fall outside of common working scopes.
This minimalistic design keeps XssKillah small, ensuring fast performance. It offers clarity, allowing you to understand the risks as you enable specific features.

#### Filtered tags
By default, the following tags are ignored and should be explicitly opted-in, preferably at a component level using the allowTags option.
- script
- iframe
- object
- embed
- meta
- base
- style
- canvas
- link
- marquee
- applet
- frame
- frameset

#### Inactive Scripts
Scripts are inactive by default, but can be made active in a safe manner by the use of `xssKillah.makeAlive()`. _(script needs to be included using allowTags)_

#### Text Nodes
Escaping is not necessary since text is written to the sandbox DOM first. Consequently, XssKillah only requires processing of element tags and their content enclosed within.

#### Iframes
The iframe src atttribute is sanitized. The implementor (You or your team) are responsible for ensuring the source of the iframe is trustworthy.

### Restrictions
In theory, there are no restrictions on what can be rendered. XssKillah is an opt-in sanitizer.

### API

The API details are still a work in progress and will be announced soon.

### License

### Contributions
- Artwork by [超恶男子](https://pngtree.com/%E8%B6%85%E6%81%B6%E7%94%B7%E5%AD%90_28086239?type=1)