Releases: oleksandr-dukhovnyy/purify-html
v1.5.4
Improved Node.js support
- Fixed imports [#2]
- Resolved the "ReferenceError: DOMParser is not defined" error when used in Node.js
- Removed the need to declare globalThis.self
- Added an error message when used in Node.js without a parser installed
Documentation
- Added a section dedicated to usage in Node.js
- Minor improvements
Deprecations
Security
- End of support for versions <=1.5.3, due to the move away from the old build system.
Other
- Transition from Webpack to Vite
- Update Jest version
Transition from Webpack to Vite
With the move to Vite, several enhancements were introduced to improve Node.js support:
- Eliminated unnecessary builds, streamlining the process and improving the import configuration for Node.js
- Faster build times for a more efficient development workflow
v1.5.3
- Simplified the tests for comment stripping
- Fixed the comment-stripping function: previously only the first half of the comments was removed, not all of them
- Fixed some type errors
v1.5.1
CI fixes
v1.4.7
🚀🥳 Migrated to TypeScript!
v1.4.0
Added HTML comments handling
Description of the problem
For example, the line <!-- <img src="x" onerror="alert(1)"> -->.
Technically, inserting it into the DOM will not execute any code, but it cannot be considered safe either. The result of the sanitize method is declared to be sanitized according to the rules specified when the sanitizer was initialized.
Therefore, you are given control over where comments are kept and where they are not.
API
By default, HTML comments are stripped. You can change it like this:
import PurifyHTML from 'purify-html';
const sanitizer = new PurifyHTML(['#comments' /* ... */]);
sanitizer.sanitize(/* ... */);
If you want comments to be removed everywhere except for specific tags, then you can specify it like this:
import PurifyHTML from 'purify-html';
const rules = ['#comments', { name: 'div', dontRemoveComments: true }];
const sanitizer = new PurifyHTML(rules);
sanitizer.sanitize(/* ... */);
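The reason a comment with rejected markup inside it is not "safe" is that comments are delimited by tokenizer rules, not by the obvious `-->`, so anything left inside one can come back out when the markup is re-parsed. The following is an added example, not purify-html's own code (the library works on a real DOM via DOMParser; this is string-level, for illustration): a naive regex stripper beside one that applies the HTML standard's delimiting rules, including abruptly closed comments (`<!-->`, `<!--->`), the `--!>` terminator, and a comment that is never closed. The sample markup is constructed.

```javascript
// Added example, not purify-html's own code: strip HTML comments following the
// HTML tokenizer's delimiting rules rather than a naive regex, so that markup a
// sanitizer already rejected cannot survive inside a comment.

// Naive approach: fine for well-formed comments, but it misses unterminated and
// abruptly closed comments, so rejected markup can survive the strip.
function naiveStripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Tokenizer-faithful approach. Rules applied (all from the HTML standard):
//   "<!-->" and "<!--->" are complete (abruptly closed) comments;
//   otherwise a comment ends at the next "-->" or "--!>";
//   a comment with no terminator runs to the end of the input.
function stripHtmlComments(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const start = html.indexOf('<!--', i);
    if (start === -1) {
      out += html.slice(i);
      break;
    }
    out += html.slice(i, start);
    const body = start + 4;
    if (html.startsWith('>', body)) { i = body + 1; continue; }   // "<!-->"
    if (html.startsWith('->', body)) { i = body + 2; continue; }  // "<!--->"
    const endNormal = html.indexOf('-->', body);
    const endBang = html.indexOf('--!>', body);
    let end = -1;
    let len = 0;
    if (endNormal !== -1 && (endBang === -1 || endNormal < endBang)) {
      end = endNormal; len = 3;
    } else if (endBang !== -1) {
      end = endBang; len = 4;
    }
    if (end === -1) break; // unterminated: the rest of the input is comment
    i = end + len;
  }
  return out;
}

// Constructed sample: the release note's own example, followed by a comment
// that is never closed (a browser treats everything after it as comment).
const SAMPLE =
  '<p>hi</p><!-- <img src="x" onerror="alert(1)"> --><p>bye</p><!-- <script>';

console.log(naiveStripComments(SAMPLE)); // still contains the unclosed comment
console.log(stripHtmlComments(SAMPLE));  // <p>hi</p><p>bye</p>
```

Every comment is removed here, which matches the library's default; a per-tag exception such as `dontRemoveComments` needs a real tree rather than a flat string, which is one reason the library parses with DOMParser instead.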
v1.3.5
Increased HTML parsing speed by ~90%!
Previously, a new DOMParser was created for each parse. The DOMParser instance is now created once and reused.
v1.3.0
CDN
Added a browser build and the ability to load purify-html from a CDN (the build for loading via a script tag: https://unpkg.com/purify-html@latest/dist/index.browser.js).
This link always points to the newest version of purify-html, but it is recommended to use the latest version compatible with your code. You can do this by specifying the version (as in package.json) in the link: https://unpkg.com/purify-html@^1.3.0/dist/index.browser.js
Ability to plug in a custom HTML parser
In addition, the ability to use a custom HTML parser instead of DOMParser has been added. The benefits of using DOMParser are detailed at the beginning of the README.md file. But if DOMParser is clearly not suitable for you, you can plug in any other parser, for example for use in Node.
In the next updates:
- Configuration (enabling / suppressing logging to the console)
- Ability to add a callback for cases when the sanitizer finds disallowed content. This may be needed for detailed security and health monitoring, for example to detect attackers' attempts to pass XSS vectors through the sanitizer.
- Support for named rule sets.
v1.1.0
Although this is a minor version bump, a lot has been added.
- Fixed a bug in attribute checking.
- Tests! 100% coverage is the minimum you need (and I did it). In addition, an XSS payload list compiled by other cybersecurity researchers is used in testing.
- Prettier. Added a code formatter for codebase consistency.
- Added Babel. So far only for the testing environment, but in the future there will be two builds: one for CDN and one for NPM.
From the API:
- Now you can use strings instead of objects for filtering rules. For example:
import Sanitizer from 'purify-html';
const sanitizer = new Sanitizer([
{ name: 'div' }, // works
'strong', // works too
{ name: 'span', attributes: ['class'] }, // works!
]);
This should make the code shorter and more concise.
- It is now possible to validate the content of attributes.
import Sanitizer from 'purify-html';
const sanitizer = new Sanitizer([
{
name: 'span',
attributes: [
{ name: 'class', value: ['red', 'green'] },
{ name: 'data-id', value: /\d{1,100}/ },
],
},
]);
For validation, you can pass the following types in the "value" field:
- A string. Allows only an exact match of the attribute value with the given string.
- An array of strings. Allows an attribute value only if it is equal to one of the strings in the array.
- A regular expression. You can specify a regular expression to validate the contents of an attribute.
- An object. A special rule. So far, only one field is supported: preset: string. In it you can specify which preset you want to use. In the future, both the ability to add your own presets and more functionality will be added.
IMPORTANT!
The configuration is cloned before use with the structuredClone method. If it is not defined in window, it is not supported and copying is done using JSON.parse(JSON.stringify(obj)). This works well for plain objects. But if you use regular expressions, they cannot be copied correctly through JSON. In other words, some browsers may not support regular expressions in validation fields. When a regular expression is copied through JSON, it is converted to a plain object, and calling its test method is expected to throw an error, so validation will fail.
You might want to consider a polyfill. For example, this one: https://github.com/zloirock/core-js#structuredclone.
If the content of an attribute does not pass the check (while the attribute itself and the tag are allowed), an empty attribute is inserted.
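The following is an added example, not purify-html's own code, covering both the four value-rule kinds listed above and the cloning caveat: one matcher that implements string, string-array, regular-expression and preset rules, the documented "empty attribute on failure" behaviour, a demonstration that a JSON round trip turns a RegExp into a plain object whose test method no longer exists, and a fallback clone that rebuilds each RegExp from its source and flags. The PRESETS table and the preset name "digits-only" are assumptions for illustration; this page does not list the library's real presets. The rule set also anchors the data-id pattern (/^\d{1,100}$/), because the unanchored /\d{1,100}/ from the snippet above accepts any value that merely contains a digit, which is rarely what an allow-list intends.

```javascript
// Added example, not purify-html's own code. Implements the four attribute-value
// rule kinds from the release notes and the RegExp-cloning pitfall they describe.

// Hypothetical preset table: an assumption for illustration, not the library's.
const PRESETS = {
  'digits-only': /^\d+$/,
};

// Returns true when `value` satisfies `rule` (string, string[], RegExp or preset).
function valueAllowed(rule, value) {
  if (typeof rule === 'string') return value === rule;     // exact match only
  if (Array.isArray(rule)) return rule.includes(value);    // one of several
  if (rule instanceof RegExp) return rule.test(value);     // pattern
  if (rule !== null && typeof rule === 'object' && typeof rule.preset === 'string') {
    const re = PRESETS[rule.preset];
    if (!re) throw new Error(`unknown preset: ${rule.preset}`);
    return re.test(value);
  }
  // A RegExp that went through JSON.parse(JSON.stringify()) lands here as {}.
  throw new TypeError('unsupported value rule (was a RegExp lost in cloning?)');
}

// Documented behaviour: a failed check yields an empty attribute, not a dropped one.
function sanitizeAttribute(rule, value) {
  return valueAllowed(rule, value) ? value : '';
}

// The fallback clone the release note describes; a RegExp becomes a plain {}.
function jsonClone(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// Reproduces the failure mode: after a JSON round trip the rule is no longer a
// RegExp, so calling .test throws a TypeError and validation cannot run.
function testAfterJsonClone(re, value) {
  const cloned = jsonClone(re);
  return cloned.test(value);
}

// A deep clone that survives RegExp: rebuild each one from source and flags.
// Usable where structuredClone is unavailable; primitives are returned as-is.
function cloneRules(obj) {
  if (obj instanceof RegExp) return new RegExp(obj.source, obj.flags);
  if (Array.isArray(obj)) return obj.map(cloneRules);
  if (obj !== null && typeof obj === 'object') {
    const copy = {};
    for (const key of Object.keys(obj)) copy[key] = cloneRules(obj[key]);
    return copy;
  }
  return obj;
}

// Constructed rule set mirroring the snippet above, with data-id anchored.
const RULES = [
  {
    name: 'span',
    attributes: [
      { name: 'class', value: ['red', 'green'] },
      { name: 'data-id', value: /^\d{1,100}$/ },
    ],
  },
];

const safeCopy = cloneRules(RULES);
console.log(sanitizeAttribute(safeCopy[0].attributes[1].value, '42'));   // "42"
console.log(sanitizeAttribute(safeCopy[0].attributes[1].value, '4 2'));  // ""
console.log(jsonClone(RULES)[0].attributes[1].value);                    // {}
```

The clone helper is what a polyfill-free fallback would need to do; the core-js polyfill linked above is the more complete route, since structuredClone also handles Dates, Maps and cyclic references that this helper does not.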
In the next updates
The next updates will add:
- Configuration (enabling / suppressing logging to the console)
- Ability to add a callback for cases when the sanitizer finds disallowed content. This may be needed for detailed security and health monitoring, for example to detect attackers' attempts to pass XSS vectors through the sanitizer.
- Support for named rule sets.
- Ability to use only the modules you need.
- Performance and fault-tolerance optimization.
v1.0.1
initial commit