sanitize-html
DOMPurify
Our great sponsors
sanitize-html | DOMPurify | |
---|---|---|
3 | 35 | |
3,318 | 11,109 | |
1.0% | - | |
8.7 | 9.0 | |
13 days ago | 4 days ago | |
JavaScript | JavaScript | |
MIT License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sanitize-html
-
Add Mastodon replies to your blog
One thing to watch out for is that the content of each reply is HTML. To be safe (paranoid), I'm running the HTML through sanitize-html to make sure nobody can inject sketchy HTML into my site.
-
Made an IMDB application using the TMDB API. The design is a bit similar to what you find on a streaming website. I made this with HTML, SCSS & Vanilla JS. Tips, feedback & suggestions would be greatly appreciated.
Don't forget to sanitize your HTML using https://github.com/apostrophecms/sanitize-html or upcoming feature: https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API because https://nimb.ws/leTXDt
-
How To Parse and Render Markdown In Vuejs
Vue does not have as much support for Vue as there is for React. Examples are markdown-it, Remark.js, marked.js. But hopefully in the future, there should be more support, and after much research, I picked marked.js because it has the most stars and has zero vulnerability. Marked does not sanitize (meaning it does not secure HTML documents from attacks like cross-site scripting (XSS) ) marked output HTML as that feature is deprecated and has vulnerability but however, it supports the use of other libraries to secure output HTML such as DOMPurify (recommended), sanitize-html or insane.
DOMPurify
-
Six security risk of user input in ruby code
If you're using an external view engine, or a javascript framework like react in addition to your ruby backend, you can rely on similar sanitization methods like the DOMPurify library.
-
Wat
You shouldn't roll your own for this. From what I've had to do web-wise, here's a few tools.
First, for the APIs, you need documentation: https://swagger.io/
From which you can generate JSON schemas and use those to validate in the browser and on the backend. https://www.npmjs.com/package/jsonschema
As well you should be writing a few more schemas for your application state and leverage the regex validation of your input components...
Speaking of which, you also need to sanitize out some potentially nasty input. https://www.npmjs.com/package/dompurify
Obviously this isn't everything and not perfect, but a lot of this tedium can be automated away if you have a few good examples of the happy path and some basic tests in place to prevent quick and dirty changes from poking holes in these layers.
-
Alternatives to dangerouslySetInnerHTML
Use DOMPUrify. That plus dangerouslySetInnerHTML and you're good to go.
-
Improving Render Performance in React
element. Note that using dangerouslySetInnerHTML may leave your site vulnerable to XSS attacks. In order to mitigate this risk, we need to sanitize the HTML before we inject it. We'll use DOMPurify for that task. import React, { Component } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; class UserProfile extends Component { constructor (props) { super(props); } render () { const { userId, name, skills = [] } = this.props; return ( {name} ({userId}) Skills {skills.map((skill) => ( {skill.name} ))} ); } } Enter fullscreen mode Exit fullscreen mode To recap, our process is: Parse the skill description markdown to HTML Sanitize the HTML Inject the HTML into a element If we think through this process in the context of the component render cycle, we can see how it could have a negative effect on performance: Perform two potentially expensive tasks in series (markdown parsing and HTML sanitization) Perform those tasks in a loop, which is also executed in series Repeat every time the component renders We can't do much about the first and second issues — we have to parse the markdown, sanitize the resulting HTML and render it — but we can avoid the third issue. Why render if nothing has changed? Here is an updated version of the previous example that uses shouldComponentUpdate to block the component from rendering unless the userId prop has changed: import React, { Component } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; class UserProfile extends Component { constructor (props) { super(props); } shouldComponentUpdate (nextProps) { return nextProps.userId !== this.props.userId; } render () { const { userId, name, skills = [] } = this.props; return ( {name} ({userId}) Skills {skills.map((skill) => ( {skill.name} ))} ); } } Enter fullscreen mode Exit fullscreen mode We're comparing the userId prop because it's a simple equality comparison that will tell us when the user has changed. You might be tempted to try to perform a deep equality comparison of the skills array instead, but that will likely create a worse performance issue than the one we're trying to solve. shouldComponentUpdate is intended to be used for performance optimization but should be used carefully and sparingly. Blocking a component from rendering can cause bugs in descendant components that can be difficult to fix, and there are usually better ways to improve performance. Reducing the rendering workload In the previous example, we tried to mitigate a potential performance problem by blocking a component from rendering. That was the wrong solution to take because it didn't address the real problem. The real problem isn't that we're allowing the component to render when it doesn't have to, it's that we're doing too much work in the render cycle. Therefore, the correct solution is not to block rendering entirely, but to reduce the amount of work we do while rendering. Option 1: Store preprocessed data on state One way of reducing the workload is to run the expensive process only when inputs change and store the results on state. This is simple and doesn't interfere with the render cycle. It works equally well in both class and functional components. Class component The following example updates our previous examples to preprocess the user's skills and store them on state, instead of reading directly from props in the render cycle. The preprocessing logic has been moved into the processSkills function, which is called in two places: componentDidMount, where it will run before the initial render; and componentDidUpdate, where it will run when the value of the userId prop changes. If the component renders for any other reason, it will continue to use the preprocessed data from state at no additional cost. import React, { Component } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; const processSkills = (skills = []) => { return skills.map((skill) => ({ ...skill, htmlDescription: DOMPurify.sanitize(marked.parse(skill.description)), })); }; class UserProfile extends Component { constructor (props) { super(props); this.state = { processedSkills: [], }; } componentDidMount () { this.setState({ processedSkills: processSkills(this.props.skills), }); } componentDidUpdate (prevProps) { if (this.props.userId !== prevProps.userId) { this.setState({ processedSkills: processSkills(this.props.skills), }); } } render () { const { userId, name } = this.props; const { processedSkills = [] } = this.state; return ( {name} ({userId}) Skills {processedSkills.map((skill) => ( {skill.name} ))} ); } } Enter fullscreen mode Exit fullscreen mode Functional component (hooks) The functional component produces the same result as the class component, but is more concise. The useEffect hook calls processSkills with the skills array from props when the value of the userId prop changes. The resulting array is stored on state and used to render the skills list. import React, { useState, useEffect } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; const processSkills = (skills = []) => { return skills.map((skill) => ({ ...skill, htmlDescription: DOMPurify.sanitize(marked.parse(skill.description)), })); }; const UserProfile = (props) => { const { userId, name, skills = [] } = this.props; const [ processedSkills, setProcessedSkills ] = useState([]); useEffect( () => setProcessedSkills(processSkills(skills)), [userId] ); return ( {name} ({userId}) Skills {processedSkills.map((skill) => ( {skill.name} ))} ); } Enter fullscreen mode Exit fullscreen mode Option 2: Memoize preprocessed data Another option is to memoize (not memorize) the results of the process. Memoization is a form of in-memory caching. We're only going to discuss this in the context of functional components where we can use the useMemo hook provided by React, but you may be able to achieve similar results in a class component using a third-party helper. In this example, the useMemo hook is called on every render. On the initial render and any time the userId prop is updated, useMemo returns the result of calling processSkills with the skills array. If the userId prop hasn't changed since the last render, useMemo returns the previously cached result. import React, { useMemo } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; const processSkills = (skills = []) => { return skills.map((skill) => ({ ...skill, htmlDescription: DOMPurify.sanitize(marked.parse(skill.description)), })); }; const UserProfile = (props) => { const { userId, name, skills = [] } = this.props; const processedSkills = useMemo( () => processSkills(skills), [userId] ); return ( {name} ({userId}) Skills {processedSkills.map((skill) => ( {skill.name} ))} ); } Enter fullscreen mode Exit fullscreen mode Which option should I choose? If you're working with class components, I suggest preprocessing and storing data on state unless you think you have a strong use case for integrating a memoization helper (e.g. you need memoization throughout your app, not just in one or two places). In functional components, memoization offers the same benefit as preprocessing and storing the result on state without having to maintain state. However, it isn't guaranteed to be predictable. From the React docs: You may rely on useMemo as a performance optimization, not as a semantic guarantee. In the future, React may choose to “forget” some previously memoized values and recalculate them on next render, e.g. to free memory for offscreen components. Write your code so that it still works without useMemo — and then add it to optimize performance. Storing data on state may be a better choice if the predictability of your performance optimizations is critical to your application. In many, if not most cases it won't be critical, and memoization will likely be the cleanest and simplest way to improve render performance.
-
Ask HN: Is it time for a new Storybook?
Coupled with DOMPurify [0], it helps much to simplify the messy JavaScript, HTML. Yin [1] has book on that.
-
How I Made My Portfolio with Next.js
You need to install dompurify. DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML and SVG. This is the optional step.
-
Storing Rich Text from ReactJS Editor
I'm assuming JavaScript (or TypeScript) is the desired language here as you're using React. DOMPurify would work client-side and also with Nodejs if you have a JS backend that you use to to interact with Postgres (which would naturally be safer place to handle the sanitation compared to client-side). To be extra cautious, sanitising the user input both when writing and printing would be done
-
Displaying WYSIWYG editor's output with React
https://www.npmjs.com/package/dompurify or similar libraries can actually do the escaping themselves, but you will be able to set what tags you allow or what not to allow. The list of allowed tags needs to be similar to what you allow in the CKEditor. By using this library to sanitize the input, you will be able to actually use dangerouslySetHtml without issues
-
is it recomended to use html templates instead of .innerHTML
DOMPurify
-
Do you trust the Obsidian company?
DOMPurify [Apache 2.0] or [Mozilla 2.0] https://cure53.de/purify
What are some alternatives?
js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
HtmlSanitizer - Cleans HTML to avoid XSS attacks
xss-filters
Next.js - The React Framework
Retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
Themis - Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.
isomorphic-dompurify - Use DOMPurify on server and client in the same way
SuperTokens Community - Open source alternative to Auth0 / Firebase Auth / AWS Cognito
Thymeleaf - Thymeleaf is a modern server-side Java template engine for both web and standalone environments.
marked - A markdown parser and compiler. Built for speed.