
v1.1.0

@oleksandr-dukhovnyy oleksandr-dukhovnyy released this 11 Dec 17:23
· 84 commits to main since this release

Although this is only a minor version bump, quite a lot has been added.

  • Fixed a bug in attribute checking.
  • Tests! 100% coverage is the minimum you need to do (and I did). In addition, a list of XSS payloads compiled by other security researchers is used in the tests.
  • Prettier. Added code formatter for codebase consistency.
  • Added Babel. So far only for the testing environment, but in the future there will be two builds - for CDN and for NPM.

API changes:

  • Now you can use strings instead of objects for filtering rules. For example:

```js
import Sanitizer from 'purify-html';

const sanitizer = new Sanitizer([
  { name: 'div' }, // works
  'strong', // works too
  { name: 'span', attributes: ['class'] }, // works!
]);
```

This should make the code shorter and more concise.

  • Now it is possible to validate the content of attributes.

```js
import Sanitizer from 'purify-html';

const sanitizer = new Sanitizer([
  {
    name: 'span',
    attributes: [
      { name: 'class', value: ['red', 'green'] }, // exact match against one of the listed strings
      // Note: this pattern is unanchored, so any value containing 1 to 100 digits passes;
      // use /^\d{1,100}$/ if the whole value must be digits.
      { name: 'data-id', value: /\d{1,100}/ },
    ],
  },
]);
```

For validation, you can pass the following types in the "value" field:

  • String. Allows only an exact match of the attribute value with the given string.
  • An array of strings. Allows an attribute value only if it is equal to one of the strings in the array.
  • Regular expression. You can specify a regular expression to validate the contents of an attribute.
  • An object. A special rule. So far only one field is supported, preset: string, which names the preset you want to use. In the future, the ability to add your own presets and more functionality will be added.
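To make the four rule kinds concrete, here is an added example (not purify-html's own code) of a small matcher that applies a "value" rule to an attribute value and then emits the empty attribute the release notes describe for a failed check. The preset table (`safe-url`) is a constructed stand-in; the library's real presets are not shown on this page.

```javascript
// Added example, not the purify-html implementation. Mirrors the documented rule
// kinds: string, array of strings, RegExp, and { preset: string }.

// Constructed preset table (assumption for illustration; not the library's presets).
const PRESETS = {
  // Accept only http(s) URLs, so javascript: and data: values are rejected.
  'safe-url': (v) => /^https?:\/\/\S+$/i.test(v),
};

// Returns true when `value` is allowed by `rule`.
function attributeValueAllowed(rule, value) {
  if (typeof rule === 'string') return value === rule;          // exact match
  if (Array.isArray(rule)) return rule.includes(value);         // one of the strings
  if (rule instanceof RegExp) return rule.test(value);          // pattern (anchor it!)
  if (rule && typeof rule === 'object' && typeof rule.preset === 'string') {
    const check = PRESETS[rule.preset];
    if (!check) throw new Error(`unknown preset: ${rule.preset}`);
    return check(value);
  }
  throw new TypeError('unsupported value rule');
}

// Applies a tag's attribute rules to a plain {name: value} map.
// Unlisted attributes are dropped; a listed attribute whose value fails the
// check is kept with an empty value, as the release notes describe.
function sanitizeAttributes(attributeRules, attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const rule = attributeRules.find(
      (r) => (typeof r === 'string' ? r : r.name) === name,
    );
    if (!rule) continue;                                   // attribute not allowed
    if (typeof rule === 'string' || rule.value === undefined) {
      out[name] = value;                                   // allowed, no value check
      continue;
    }
    out[name] = attributeValueAllowed(rule.value, value) ? value : '';
  }
  return out;
}

// Constructed sample: rules for a <span>/<a>-like element and a hostile attribute set.
const SAMPLE_RULES = [
  { name: 'class', value: ['red', 'green'] },
  { name: 'data-id', value: /^\d{1,100}$/ },
  { name: 'href', value: { preset: 'safe-url' } },
  'title',
];
const SAMPLE_ATTRS = {
  class: 'red',
  'data-id': '42',
  href: 'javascript:alert(1)',
  title: 'hello',
  onclick: 'alert(1)',
};

function demo() {
  return sanitizeAttributes(SAMPLE_RULES, SAMPLE_ATTRS);
}
```

Two details worth checking in your own rules: an unanchored pattern such as `/\d{1,100}/` accepts `abc1`, while `/^\d{1,100}$/` does not, and a RegExp created with the `g` flag keeps `lastIndex` state between `test` calls, so use flag-free patterns for validation.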

IMPORTANT!
The configuration is cloned before use with the structuredClone method. If structuredClone is not defined on window, it is not supported there and the copy is made with JSON.parse(JSON.stringify(obj)). That works well for objects made of primitives, but regular expressions do not survive a JSON round trip. In other words, some browsers may not support regular expressions in validation fields: when a regular expression is copied via JSON it becomes a plain object with no test method, so calling test throws and the validation fails.
You might want to consider a polyfill, for example this one: https://github.com/zloirock/core-js#structuredclone.
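The following added example (not purify-html's own code) reproduces the failure described above and contrasts it with a clone that preserves RegExp values; `probeRule`, `jsonClone` and `cloneWithRegExp` are names invented here for the demonstration.

```javascript
// Added example, not the purify-html implementation. Shows why a JSON round-trip
// clone silently breaks RegExp validation rules, and a fallback that keeps them.

// Constructed configuration in the shape shown in the release notes.
const CONFIG = [
  { name: 'span', attributes: [{ name: 'data-id', value: /^\d{1,100}$/ }] },
];

// The fallback the notes describe: a RegExp has no own enumerable properties,
// so JSON.stringify turns it into "{}".
function jsonClone(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// Deep clone that copies RegExp by value and recurses into arrays and plain objects.
function cloneWithRegExp(v) {
  if (v instanceof RegExp) return new RegExp(v.source, v.flags);
  if (Array.isArray(v)) return v.map(cloneWithRegExp);
  if (v && typeof v === 'object') {
    return Object.fromEntries(
      Object.entries(v).map(([k, x]) => [k, cloneWithRegExp(x)]),
    );
  }
  return v;
}

// Prefer the native structuredClone (it handles RegExp); fall back to our clone
// instead of the JSON round trip when it is missing.
function safeClone(obj) {
  return typeof structuredClone === 'function'
    ? structuredClone(obj)
    : cloneWithRegExp(obj);
}

// Applies the first rule of the cloned config to a sample value.
// Returns 'broken' when the rule lost its test method, otherwise 'ok'/'rejected'.
function probeRule(clonedConfig, sample) {
  const rule = clonedConfig[0].attributes[0].value;
  if (typeof rule?.test !== 'function') return 'broken';
  return rule.test(sample) ? 'ok' : 'rejected';
}
```

The detection check is the `typeof rule.test !== 'function'` test in `probeRule`: if your sanitizer configuration contains RegExp rules, run that check once at startup in environments where `structuredClone` may be absent, so a broken rule fails loudly rather than letting every value through or throwing on first use.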

If the content of the attribute does not pass the check (while the attribute itself and the tag are allowed), an empty attribute is inserted in its place.


In the next updates

The next updates will add:

  • Configuration (output / suppression of logging to the console)
  • Ability to add a callback for cases when the sanitizer finds unauthorized content. This may be needed for detailed security and health monitoring, for example to detect attempts by attackers to inject XSS vectors.
  • Support for named rule sets.
  • Ability to use only those modules that you need.
  • Optimization of performance and fault tolerance.