A simple npm library to remove script tags but keep other html
- NPM: `npm install script_sanitize`
- CDN: https://cdn.rawgit.com/eperegrine/script_sanitizer.js/master/dist/script_sanitize.min.js
- Repo: dist/script_sanitize.js
- Repo Minified: dist/script_sanitize.min.js
- Docs: https://doclets.io/eperegrine/script_sanitizer.js/master
If on Node.js (after `npm install`, the package is required by name, not by a relative path):

```javascript
const script_sanitize = require('script_sanitize');
var sanitize = script_sanitize.sanitize;
```

If on a website (the script is loaded with `src`, not `href`):

```html
<script src="https://cdn.rawgit.com/eperegrine/script_sanitizer.js/master/dist/script_sanitize.min.js"></script>
<script type="text/javascript">
var sanitize = script_sanitize.sanitize;
</script>
```
The method is defined as

```
sanitize(html, options (optional))
```

and can be used like so:

```javascript
var sanitized = sanitize("<h1>Hello</h1><script>alert('hi')</script>");
//=> <h1>Hello</h1>
var sanitizedWithReplacement = sanitize("<h1>Hello</h1><script>alert('hi')</script>", { replacementText: "no" });
//=> <h1>Hello</h1>no
```
The default attributes are stored in an array which can be referenced like:

```javascript
var attrArray = script_sanitize.defaultAttributes;
```

If you wanted to make an attribute exempt, copy the array first (otherwise `splice` would mutate the library's shared default list) and remove the attribute from the copy:

```javascript
var newAttrArray = script_sanitize.defaultAttributes.slice();
var exemptIndex = newAttrArray.indexOf("onclick");
if (exemptIndex !== -1) {
  newAttrArray.splice(exemptIndex, 1);
}
sanitize("[HTML STUFF]", { attributes: newAttrArray });
```
| Option | Description | Default Value |
|---|---|---|
| replacementText | The text to replace the script tag with | `""` |
| loop | Whether to replace via looping or a single statement | `true` |
| replaceEndTagsAfter | In certain cases the ending script tag is left behind; this option ensures it is removed as well | `true` |
| tags | The tags that should be replaced | `["script"]` |
| attributes | The attributes that should be replaced | `defaultAttributes` |
| Util | Description |
|---|---|
| isDefined | Checks if a variable is defined |
| defaultFor | Returns a default value if a variable is not defined |
| generateRegexForTag | Generates a regex object for a tag |
| generateRegexForEndTag | Generates a regex object to check an end tag |
| generateRegexForAttribute | Generates a regex object to check an attribute |
The code uses a regex, which has been sourced from here. The regex is:

```javascript
/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi
```
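As an added example (not the package's own code), the behaviour described above is reimplemented stand-alone: the tag regex is the README's, generalised to any tag name, while the default attribute list, the end-tag and attribute regexes, and the `defaultFor` helper are assumptions of this example.

```javascript
// Added example approximating the README's sanitize(); not the library source.
// The README only gives the <script> regex, so everything else here is assumed.
const assumedDefaultAttributes = ["onclick", "onload", "onerror", "onmouseover"];

// Returns def when value is undefined (the README's defaultFor, as assumed here).
function defaultFor(value, def) {
  return value === undefined ? def : value;
}

// README regex with "script" replaced by the requested tag name.
function generateRegexForTag(tag) {
  return new RegExp(`<${tag}\\b[^<]*(?:(?!<\\/${tag}>)<[^<]*)*<\\/${tag}\\s*>`, "gi");
}

// Assumed: matches a dangling end tag such as "</script>" left in malformed input.
function generateRegexForEndTag(tag) {
  return new RegExp(`<\\/${tag}\\s*>`, "gi");
}

// Assumed: matches an attribute with a quoted or unquoted value, e.g. onclick="...".
function generateRegexForAttribute(attr) {
  return new RegExp(`\\s${attr}\\s*=\\s*(?:"[^"]*"|'[^']*'|[^\\s>]+)`, "gi");
}

function sanitize(html, options) {
  const opts = defaultFor(options, {});
  const replacementText = defaultFor(opts.replacementText, "");
  const tags = defaultFor(opts.tags, ["script"]);
  const attributes = defaultFor(opts.attributes, assumedDefaultAttributes);
  const replaceEndTagsAfter = defaultFor(opts.replaceEndTagsAfter, true);
  let out = html;
  for (const tag of tags) {
    // Whole <tag>...</tag> blocks become the replacement text.
    out = out.replace(generateRegexForTag(tag), replacementText);
    // A stray closing tag (no matching opener) is dropped, not replaced.
    if (replaceEndTagsAfter) out = out.replace(generateRegexForEndTag(tag), "");
  }
  for (const attr of attributes) {
    out = out.replace(generateRegexForAttribute(attr), "");
  }
  return out;
}
```

Passing `attributes: assumedDefaultAttributes.filter(a => a !== "onclick")` reproduces the README's exemption example without mutating the default list.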
Although this library will likely be used for security purposes, I, the developer, am not responsible if this package doesn't meet your security requirements, so use with caution.