
v1.4.0

@oleksandr-dukhovnyy oleksandr-dukhovnyy released this 24 Apr 09:12

Added HTML comments handling

Description of the problem

For example, the line: <!-- <img src="x" onerror="alert(1)"> -->.

Technically, inserting it into the DOM will not lead to code execution, but it cannot be considered safe either: the result of the sanitize method is declared to be sanitized according to the rules specified when the sanitizer was initialized, and a comment that still carries markup is not covered by those rules.

Therefore, you now have control over where comments are kept and where they are removed.

API

By default, HTML comments are stripped. You can keep them like this:

import PurifyHTML from 'purify-html';

const sanitizer = new PurifyHTML(['#comments' /* ... */]);

sanitizer.sanitize(/* ... */);

If you want comments to be removed everywhere except inside specific tags, you can specify that like this:

import PurifyHTML from 'purify-html';

const rules = ['#comments', { name: 'div', dontRemoveComments: true }];
const sanitizer = new PurifyHTML(rules);

sanitizer.sanitize(/* ... */);
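To show what the two rule shapes above do to the comment from the description, here is an added, self-contained example. It is not purify-html's own code: it is a deliberately small tokenizer that only handles comments (it does not enforce the tag allowlist the real sanitizer applies), using the rule shape from this release ('#comments' and { name, dontRemoveComments }). One assumption that the notes do not spell out: with '#comments' alone, comments are kept everywhere; once any tag rule sets dontRemoveComments, comments survive only inside those tags and are stripped elsewhere. The sample input is constructed for the example.

```javascript
// Added example, not purify-html's code. Mimics the comment rules from the
// v1.4.0 release notes with a minimal scanner so the effect of each setting
// on <!-- <img src="x" onerror="alert(1)"> --> can be seen directly.
// Assumption: '#comments' alone keeps comments everywhere; if any tag rule sets
// dontRemoveComments, comments are kept only inside those tags.

const VOID_TAGS = new Set(['br', 'hr', 'img', 'input', 'meta', 'link']);
// Sticky regex: matches a start or end tag exactly at lastIndex.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/y;

function commentPolicy(rules) {
  const allowGlobally = rules.includes('#comments');
  const keepIn = new Set(
    rules
      .filter((r) => typeof r === 'object' && r !== null && r.dontRemoveComments)
      .map((r) => r.name.toLowerCase())
  );
  return { allowGlobally, keepIn };
}

function handleComments(html, rules) {
  const { allowGlobally, keepIn } = commentPolicy(rules);
  const stack = []; // names of currently open elements, innermost last
  let out = '';
  let i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      // A comment ends at the first '-->'. An unterminated comment runs to
      // end of input, which matches how browsers treat it, so nothing after
      // it can leak through as markup.
      let end = html.indexOf('-->', i + 4);
      end = end === -1 ? html.length : end + 3;
      const inAllowedTag = stack.some((t) => keepIn.has(t));
      const keep = allowGlobally && (keepIn.size === 0 || inAllowedTag);
      if (keep) out += html.slice(i, end);
      i = end;
      continue;
    }
    TAG_RE.lastIndex = i;
    const m = TAG_RE.exec(html);
    if (m) {
      const [tag, closing, rawName] = m;
      const name = rawName.toLowerCase();
      if (closing) {
        const idx = stack.lastIndexOf(name);
        if (idx !== -1) stack.length = idx; // pop to the matching open tag
      } else if (!VOID_TAGS.has(name) && !tag.endsWith('/>')) {
        stack.push(name);
      }
      out += tag;
      i += tag.length;
      continue;
    }
    out += html[i];
    i += 1;
  }
  return out;
}

// Constructed sample: the comment from the release notes inside <p>, plus a
// harmless comment inside <div>.
const SAMPLE =
  '<p>hi<!-- <img src="x" onerror="alert(1)"> --></p>' +
  '<div><!-- keep me --><span>text</span></div>';

const PLAIN = ['p', 'div', 'span'];
console.log(handleComments(SAMPLE, PLAIN));
console.log(handleComments(SAMPLE, ['#comments', ...PLAIN]));
console.log(handleComments(SAMPLE, ['#comments', { name: 'div', dontRemoveComments: true }, 'p', 'span']));
```

The first call strips both comments, the second keeps both, and the third keeps only the comment inside the div. The defender's point in the description applies to the second and third cases: a surviving comment never executes in the DOM, but it still carries attacker-controlled markup through output that downstream code treats as already sanitized, so keep comments only where you have a concrete reason to.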