-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsafe-html.js
84 lines (79 loc) · 2.79 KB
/
safe-html.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
var parse5 = require('parse5');
var _ = require('underscore');
function escapeHtml(s) {
return s.replace(/\&/g, '&').replace(/</g, '<').replace(/\>/g, '>').replace(/\"/g, '"');
}
module.exports = function sanitize(html, config) {
config = _.defaults({}, config, module.exports.DEFAULT_CONFIG);
var allowedTags = _.indexBy(config.allowedTags, _.identity);
var _fragments = [];
var output = function (strings) {
_fragments.push(strings.join(""));
};
var dropContents = 0;
var parser = new parse5.SimpleApiParser({
startTag: function(tagName, attrs, selfClosing /*, [location] */) {
if (_.has(allowedTags, tagName)) {
if (dropContents) {
return;
}
output(["<",tagName]);
_.each(attrs, function (a) {
var name = a.name, value = a.value;
if (_.has(config.allowedAttributes, name)) {
var attributeInfo = config.allowedAttributes[name];
if ((!attributeInfo.allowedTags && attributeInfo.allTags) ||
(attributeInfo.allowedTags && _.contains(attributeInfo.allowedTags, tagName))) {
if (attributeInfo.filter) {
// Filter function can return null to block the
// attribute altogether
value = attributeInfo.filter(value);
}
if (value != null) {
output([" ", name, '="', escapeHtml(value), '"']);
}
}
}
});
output([">"]);
} else if (_.contains(config.dropContents, tagName) && !selfClosing) {
dropContents++;
}
},
endTag: function(tagName /*, [location] */) {
if (_.has(allowedTags, tagName)) {
output(["</", tagName, ">"]);
} else if (_.contains(config.dropContents, tagName)) {
dropContents--;
}
},
text: function(text /*, [location] */) {
if (!dropContents) {
output([escapeHtml(text)]);
}
}
});
parser.parse(html);
return _fragments.join('');
};
module.exports.DEFAULT_CONFIG = {
allowedTags: [ 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'nl', 'li', 'b', 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' ],
allowedAttributes: {
'class': {
allTags: true
},
href: {
allowedTags: ["a"],
filter: function (value) {
// Only let through absolute http, mailto and tel urls by default
if ((/^(https?|mailto|tel):/i).exec(value)) {
return value;
}
}
}
},
// Drop contents of these tags if they're not in the allowed list
// (the default is to drop the tag but keep the contents). Tags in
// here that are also in allowedTags are ignored.
dropContents: ["script", "style", "head", "title"]
};