script_sanitizer.js

A simple npm library to remove script tags but keep other html

Installation

• NPM: npm install script_sanitize
• CDN: https://cdn.rawgit.com/eperegrine/script_sanitizer.js/master/dist/script_sanitize.min.js
• Repo: dist/script_sanitize.js
• Repo Minified: dist/script_sanitize.min.js

Documention

https://doclets.io/eperegrine/script_sanitizer.js/master

Usage

If on Node.js

const script_sanitize = require('../script_sanitize');
var sanitize = script_sanitize.sanitize;

If on a website

<script href="https://cdn.rawgit.com/eperegrine/script_sanitizer.js/master/dist/script_sanitize.min.js"></script>
<script type="text/javascript">
  var sanitize = script_sanitize.sanitize;
</script>

The method is defined as

sanitize(html, options (optional))

and can be used like so

var sanitized = sanitize("<h1>Hello</h1><script>alert('hi')</script>");
//=> <h1>Hello</h1>

var sanitizedWithReplacment = sanitize("<h1>Hello</h1><script>alert('hi')</script>", { replacementText: "no" });
//=> <h1>Hello</h1>no

Attributes

The default attributes are stored in an array which can be refrenced like:

var attrArray = script_sanitize.defaultAttributes;

and if you wanted to make an attribute exempt you could apply it like so

thanks stack overflow

var newAttrArray = script_sanitize.defaultAttributes;
var exemptIndex = newAttrArray.indexOf("onclick");
newAttrArray.splice(exmptIndex, 1);
sanitize("[HTML STUFF]", { attributes: newAttrArray });

The options parameter

Utils

License

MIT

Disclaimer

The code uses regex, which has been sourced from here The regex is: /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi

Although this library will likely be used for security purposes I, the developer, am not responsible if this pacakge doesn't meet your security requirements so use with caution