Guide: sanitize html react
This is a slightly modified version of
If a tag is not permitted, the contents of the tag are still kept, except for
The syntax of poorly closed
HTML comments are not preserved.
Requirements
How to use
Browser
Think first: why do you want to use it in the browser? Remember, servers must never trust browsers. You can't sanitize HTML for saving on the server anywhere else but on the server. But, perhaps you'd like to display sanitized HTML immediately in the browser for preview. Or ask the browser to do the sanitization work on every page load. You can if you want to!
You'll find the minified and unminified versions of sanitize-html (with all its dependencies included) in the dist/ directory. Use it in the browser:
You can also allow a scheme for a particular tag only:
Discarding the entire contents of a disallowed tag
Normally, with a few exceptions, if a tag is not allowed, all of the text within it is preserved, and so are any allowed tags within it. The exceptions are:
If you wish to expand this list, for instance to discard whatever is found inside a
Note that if you use this option you are responsible for stating the entire list. This gives you the power to
retain the content of
The content still gets escaped properly, with the exception of the
Changelog
1.13.0:
1.12.0: option to build for browser-side use. Thanks to Michael Blum.
1.11.4: fixed crash when
Fixed XSS attack vector via
1.11.3: bumped
1.11.2: fixed README typo that interfered with readability due to markdown issues. No code changes. Thanks to Mikael Korpela. Also improved code block highlighting in README. Thanks to Alex Siman.
1.11.1: fixed a regression introduced in 1.11.0 which caused the closing tag of the parent of a
1.11.0: added the
1.10.1: documentation cleanup. No code changes. Thanks to Rex Schrader.
1.10.0:
1.9.0:
1.8.0:
1.7.2: removed
1.7.1: removed lodash dependency, adding lighter dependencies and polyfills in its place. Thanks to Joseph Dykstra.
1.7.0: introduced
1.6.1: the string
1.6.0: added
1.5.3: do not escape special characters inside a script or style element, if they are allowed. This is consistent with the way browsers parse them; nothing closes them except the appropriate closing tag for the entire element. Of course, this only comes into play if you actually choose to allow those tags. Thanks to aletorrado.
1.5.2: guard checks for allowed attributes correctly to avoid an undefined property error. Thanks to Zeke.
1.5.1: updated to htmlparser2 1.8.x. Started using the
1.5.0: support for
1.4.3: invokes itself recursively until the markup stops changing to guard against this issue. Bump to htmlparser2 version 3.7.x.
1.4.1, 1.4.2: more tests.
1.4.0: ability to allow all attributes or tags through by setting
1.3.0:
1.2.3: fixed another possible XSS attack vector; no definitive exploit was found but it looks possible. See this issue. Thanks to Jim O'Brien.
1.2.2: reject
1.2.1: fixed crashing bug when presented with bad markup. The bug was in the
1.2.0:
1.1.7: use
1.1.6:
1.1.5: just a packaging thing.
1.1.4: custom exclusion filter.
1.1.3: moved to lodash.
1.1.2: pointed to the wrong version of lodash.
1.1.0: the
1.0.3: fixed several more javascript URL attack vectors after studying the XSS filter evasion cheat sheet to better understand my enemy. Whitespace characters (codes from 0 to 32), which browsers ignore in URLs in certain cases allowing the "javascript" scheme to be snuck in, are now stripped out when checking for naughty URLs. Thanks again to pinpickle.
1.0.2: fixed a javascript URL attack vector. naughtyHref must entity-decode URLs and also check for mixed-case scheme names. Thanks to pinpickle.
1.0.1: Doc tweaks.
1.0.0: If the style tag is disallowed, then its content should be dumped, so that it doesn't appear as text. We were already doing this for script tags, however in both cases the content is now preserved if the tag is explicitly allowed. We're rocking our tests and have been working great in production for months, so: declared 1.0.0 stable.
0.1.3: do not double-escape entities in attributes or text. Turns out the "text" provided by htmlparser2 is already escaped.
0.1.2: packaging error meant it wouldn't install properly.
0.1.1: discard the text of script tags.
0.1.0: initial release.
About P'unk Avenue and Apostrophe
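The URL-scheme hardening described in the 1.0.2 and 1.0.3 changelog entries (entity-decode first, strip characters 0 to 32, then compare the scheme case-insensitively against an allow list), rewritten here as an added example in plain JavaScript. It is not sanitize-html's own naughtyHref code; the function name, the default scheme list and the small entity table are assumptions made for this example.

```javascript
// Added example, not sanitize-html's implementation. The entity table is a
// deliberately small assumption covering the cases a scheme check cares about.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', Tab: '\t', NewLine: '\n',
};

// Decode numeric (&#106; &#x6A;) and the named entities above, once, the way
// a browser decodes an attribute value before interpreting it as a URL.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isNaN(cp) || cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body] : match;
  });
}

// Returns true when an href must be dropped. Default allow list is assumed.
function naughtyHref(href, allowedSchemes = ['http', 'https', 'ftp', 'mailto']) {
  // 1. Entity-decode so "&#106;avascript:" is seen as "javascript:".
  let url = decodeEntities(href);
  // 2. Remove characters 0..32 anywhere: browsers ignore them in the scheme
  //    position, so "java\tscript:" would otherwise slip past a naive check.
  url = url.replace(/[\x00-\x20]/g, '');
  // 3. No "scheme:" prefix means a relative URL, which is kept.
  const m = url.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) return false;
  // 4. Compare the scheme case-insensitively, catching "JaVaScRiPt:".
  return !allowedSchemes.includes(m[1].toLowerCase());
}
```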
Support
Feel free to open issues on github.