Awesome
striptags
An implementation of PHP's strip_tags in Typescript.
Note: this is a total rewrite from v3, and as such, is currently in an alpha state. Feel free to use this during the alpha period and provide feedback before it is released as v4.
Highlights
- No dependencies
- Prevents XSS by default
Installing
npm install striptags@alpha
Basic Usage
striptags(text: string, options?: Partial<StateMachineOptions>): string;
Examples
// commonjs
const striptags = require("striptags").striptags;
// alternatively, as an es6 import
// import { striptags } from "striptags";
var html = `
<a href="https://example.com">lorem ipsum <strong>dolor</strong> <em>sit</em> amet</a>
`.trim();
console.log(striptags(html));
console.log(striptags(html, { allowedTags: new Set(["strong"]) }));
console.log(striptags(html, { tagReplacementText: "🍩" }));
Outputs:
lorem ipsum dolor sit amet
lorem ipsum <strong>dolor</strong> sit amet
🍩lorem ipsum 🍩dolor🍩 🍩sit🍩 amet🍩
Advanced Usage
class StateMachine {
constructor(partialOptions?: Partial<StateMachineOptions>);
consume(text: string): string;
}
The StateMachine
class is similar to the striptags
function, but persists state across calls to consume()
so that you may safely pass in a stream of text. For example:
// commonjs
const StateMachine = require("striptags").StateMachine;
// alternatively, as an es6 import
// import { StateMachine } from "striptags";
const instance = new StateMachine();
console.log(instance.consume("some text with <a") + instance.consume("tag>and more text"));
Outputs:
some text with and more text
Safety
striptags
is safe to use by default; the output is guaranteed to be free of potential XSS vectors if used as text within a tag. Specifying either allowedTags
or disallowedTags
in the options argument removes this guarantee, however. For example, a malicious user may achieve XSS via an attribute in an allowed tag: <img onload="alert(1);">
.
In addition, striptags
will automatically HTML encode <
and >
characters followed by whitespace. While most browsers tested treat <
or >
followed by whitespace as a non-tag string, it is safer to escape the characters. You may change this behavior via the encodePlaintextTagDelimiters
option described below.
Partial<StateMachineOptions>
allowedTags?: Set<string>
A set containing a list of tag names to allow (e.g. new Set(["tagname"])
). Tags not in this list will be removed. This option takes precedence over the disallowedTags
option.
Default: undefined
disallowedTags?: Set<string>
A set containing a list of tag names to disallow ((e.g. new Set(["tagname"])
). Tags not in this list will be allowed. Ignored if allowedTags
is set.
Default: undefined
tagReplacementText?: string
A string to use as replacement text when a tag is found and not allowed.
Default: ""
encodePlaintextTagDelimiters?: boolean
Setting this option to true will cause <
and >
characters immediately followed by whitespace to be HTML encoded. This is safe to set to false
if the output is expected to be used only as plaintext (i.e. it will not be displayed alongside other HTML).
Default: true