cockblock

Keep your pants on, xss

Usage no npm install needed!

<script type="module">
  import cockblock from 'https://cdn.skypack.dev/cockblock';
</script>

README

cockblock

Simple whitelist-based html sanitizer inspired by the SanitizationFilter in GitHub's html-pipeline library.

Works in node (through cheerio) and in the browser (through jquery), and weighs in ~ 2kb minimized.

API

var cockblock = require("cockblock");
cockblock(html[, options]);     // Returns sanitized html
cockblock.url(url[, options]);  // Returns sanitized url

In the browser, just include jquery and cockblock.js:

<script src="path/to/jquery.js" type="text/javascript"></script>
<script src="path/to/cockblock.js" type="text/javascript"></script>

Options

The library comes with a sensible set of defaults. You can override them through cockblock.defaults or simply pass the options inline.

// Simplified example that only permits <a>, <em> and <strong> elements.
// Titles are permitted on all elements and links can also include href.
// Only absolute http(s) links are permitted.
cockblock.defaults = {
  elements: ["a", "em", "strong"],

  attributes: {
    "a": ["href"],
    "all": ["title"]
  },

  protocols: /^(http|https)/i
};

See lib/cockblock.js for the default set of allowed elements, attributes, and supported protocols.

Contributing

Want to contribute? Great! Open an issue if you've found a bug, and pull requests are always welcome.

git clone https://github.com/kumu/cockblock && cd cockblock
npm install -g mocha
npm install
make test          # run tests within console / cheerio
make test-browser  # run tests within browser / jquery