├── .gitignore
├── index.js
├── package.json
├── test
    ├── imgsrc.js
    ├── script.js
    ├── encode.js
    └── analyze.js
├── filters
    └── youtube.js
├── README.md
└── lib
    └── bleach.js


/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules
2 | 


--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
1 | /*
2 |  * bleach
3 |  * a minimal html sanitizer
4 |  * cam@onswipe.com
5 |  */
6 | 
7 | module.exports = require('./lib/bleach.js');
8 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "author": "Cam Pedersen <cam@onswipe.com> (http://campedersen.com/)",
 3 |   "name": "bleach",
 4 |   "description": "A minimalistic HTML sanitizer",
 5 |   "version": "0.3.0",
 6 |   "homepage": "https://github.com/ecto/bleach/issues",
 7 |   "repository": {
 8 |     "type": "git",
 9 |     "url": "git://github.com/ecto/bleach.git"
10 |   },
11 |   "main": "index.js",
12 |   "engines": {
13 |     "node": "*"
14 |   },
15 |   "dependencies": {
16 |     "he": "0.4.x"
17 |   },
18 |   "devDependencies": {
19 |     "vows": "0.5.x"
20 |   }
21 | }
22 | 


--------------------------------------------------------------------------------
/test/imgsrc.js:
--------------------------------------------------------------------------------
 1 | var vows = require('vows'),
 2 |     assert = require('assert'),
 3 |     bleach = require('../lib/bleach');
 4 | 
 5 | var HTML = '<p>This is an <img src="http://site.com?setting=value&othersetting=othervalue" title="Image" /></p>';
 6 | 
 7 | vows.describe('img src tests').addBatch({
 8 | 
 9 |   'analyze': {
10 |     topic: function () { return HTML; },
11 | 
12 |     'gets the correct img src': function ( html ) {
13 |       var tags = bleach.analyze( html );
14 |       assert.equal( tags[1].attr[0].value, 'http://site.com?setting=value&othersetting=othervalue' );
15 |     }
16 |   }
17 | 
18 | }).export(module);
19 | 


--------------------------------------------------------------------------------
/filters/youtube.js:
--------------------------------------------------------------------------------
 1 | module.exports = function(html) {
 2 |   html = String(html) || '';
 3 | 
 4 |   var match,
 5 |       matches = [],
 6 |       regex   = /<object(.*)src="(http:\/\/www.youtube.com)?\/(v\/([-|~_0-9A-Za-z]+)|watch\?v\=([-|~_0-9A-Za-z]+)&?.*?).*<\/object>/gi;
 7 | 
 8 |   while (match = regex.exec(html)) {
 9 |     matches.push(match);
10 |   } delete match;
11 | 
12 |   matches.forEach(function(match){
13 |     var full = match[0],
14 |         id   = match[4];
15 | 
16 |     var rep = '<iframe type="text/html" '
17 |             + 'frameborder="0" '
18 |             + 'scrolling="no" '
19 |             + 'allowfullscreen '
20 |             + 'src="http://youtube.com/embed/' + id + '"></iframe>';
21 | 
22 |     html = html.replace(full, rep);
23 |   });
24 | 
25 |   return html;
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/test/script.js:
--------------------------------------------------------------------------------
 1 | var vows = require('vows'),
 2 |     assert = require('assert'),
 3 |     bleach = require('../lib/bleach');
 4 | 
 5 | var HTML1 = 'This is <a href="#html">HTML</a> with a <script>\nvar x = 1;</script>SCRIPT',
 6 |     HTML2 = 'This is <a href="#html">HTML</a> with a SCRIPT',
 7 |     HTML3 = 'This is HTML with a SCRIPT';
 8 | 
 9 | vows.describe('script tests').addBatch({
10 | 
11 |   'whitelist mode': {
12 |     topic: function (){ return HTML1; },
13 | 
14 |     'eliminates script tags but keeps listed tags': function (HTML1){
15 |       var HTML = bleach.sanitize(HTML1, {mode: 'white', list:['a']});
16 |       assert.equal(HTML, HTML2);
17 |     },
18 | 
19 |     'eliminates all tags when given an empty list': function (HTML1){
20 |       var HTML = bleach.sanitize(HTML1, {mode: 'white', list:[]});
21 |       assert.equal(HTML, HTML3);
22 |     }
23 |   }
24 | 
25 | }).export(module);
26 | 


--------------------------------------------------------------------------------
/test/encode.js:
--------------------------------------------------------------------------------
 1 | var vows = require('vows'),
 2 |     assert = require('assert'),
 3 |     bleach = require('../lib/bleach');
 4 | 
 5 | var HTML1 = 'This is <a href="#html">HTML</a> with a <script>\nvar x = 1;</script>SCRIPT',
 6 |     HTML2 = 'This is &lt;a href=&quot;#html&quot;&gt;HTML&lt;/a&gt; with a SCRIPT',
 7 |     HTML3 = 'This is HTML with a SCRIPT';
 8 | 
 9 | vows.describe('encode tests').addBatch({
10 | 
11 |   'whitelist mode': {
12 |     topic: function (){ return HTML1; },
13 | 
14 |     'eliminates script tags but encodes listed tags': function (HTML1){
15 |       var HTML = bleach.sanitize(HTML1, {mode: 'white', list:['a'], encode_entities: true});
16 |       assert.equal(HTML, HTML2);
17 |     },
18 | 
19 |     'eliminates all tags when given an empty list': function (HTML1){
20 |       var HTML = bleach.sanitize(HTML1, {mode: 'white', list:[], encode_entities: true});
21 |       assert.equal(HTML, HTML3);
22 |     }
23 |   },
24 | 
25 |   'blacklist mode': {
26 |     topic: function (){ return HTML1; },
27 | 
28 |     'eliminates listed tags but encodes other tags': function (HTML1){
29 |       var HTML = bleach.sanitize(HTML1, {mode: 'black', list:['script'], encode_entities: true});
30 |       assert.equal(HTML, HTML2);
31 |     }
32 |   }
33 | 
34 | }).export(module);
35 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # bleach
  2 | 
  3 | Sanitize your HTML the easy way!
  4 | 
  5 | ![bleach](http://i.imgur.com/9qSfd.png)
  6 | 
  7 | ## install
  8 | 
  9 |     npm install bleach
 10 | 
 11 | ## test
 12 | 
 13 |     vows --spec test/*
 14 | 
 15 | ## example
 16 | 
 17 | Basic:
 18 | 
 19 | ````javascript
 20 | 
 21 | var bleach = require('bleach');
 22 | 
 23 | var html = bleach.sanitize(aBunchOfHTML);
 24 | 
 25 | console.log(html);
 26 | ````
 27 | 
 28 | Advanced:
 29 | 
 30 | ````javascript
 31 | 
 32 | var bleach = require('bleach');
 33 | 
 34 | var whitelist = [
 35 |   'a',
 36 |   'b',
 37 |   'i',
 38 |   'em',
 39 |   'strong'
 40 | ]
 41 | 
 42 | var options = {
 43 |   mode: 'white',
 44 |   list: whitelist
 45 | }
 46 | 
 47 | var html = bleach.sanitize(aBunchOfHTML, options);
 48 | 
 49 | console.log(html);
 50 | ````
 51 | 
 52 | ## usage
 53 | 
 54 | ### bleach.sanitize(html, options)
 55 | 
 56 | Runs HTML through sanitizer and returns sanitized HTML as string.
 57 | 
 58 | `options` may contain the following optional attributes:
 59 | 
 60 | *   `mode` may be set to `'white'` or `'black'`
 61 | *   `list` is an array containing tags to match against
 62 | 
 63 | `white`mode will remove all tags from `html`, excluding those in `list`
 64 | 
 65 | `black`mode will remove all tags found in `list` that are found in `html`
 66 | 
 67 | ### bleach.analyze(html)
 68 | 
 69 | Will extract all tags from HTML and return an array of JSON objects. Example return:
 70 | 
 71 | ````javascript
 72 | [
 73 |   {
 74 |     full: '<div id="post-119477">',
 75 |     name: 'div',
 76 |     attr: [
 77 |       "id": "post-119477"
 78 |     ]
 79 |   },
 80 |   ...
 81 | ]
 82 | ````
 83 | 
 84 | ### bleach.filter(html, filters)
 85 | 
 86 | SEXY FUN TIME
 87 | 
 88 | ````javascript
 89 | 
 90 | var nyanFilter = function(input){
 91 |   return input.replace('cats', 'nyannyannyan');
 92 | }
 93 | 
 94 | console.log(
 95 |   bleach.filter('cats', nyanFilter)
 96 | );
 97 | 
 98 | // nyannyannyan
 99 | 
100 | ````
101 | 
102 | ````javascript
103 | 
104 | var cutFilter = function(input){
105 |   return input.slice(0, 3);
106 | }
107 | 
108 | console.log(
109 |   bleach.filter('cats', [
110 |     nyanFilter,
111 |     cutFilter
112 |   ])
113 | );
114 | 
115 | // nyan
116 | 
117 | ````
118 | 
119 | You may also define longer filters and include them in the ./node_modules/bleach/filters directory.
120 | A sample filter is included to convert YouTube flash embed objects to iDevice-compatible YouTube iframes.
121 | 
122 | ````javascript
123 | 
124 | var html = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="420" height="315" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><param name="src" value="http://www.youtube.com/v/aU079Mdkenw?version=3&amp;hl=en_US"><param name="allowfullscreen" value="true"><embed type="application/x-shockwave-flash" width="420" height="315" src="http://www.youtube.com/v/aU079Mdkenw?version=3&amp;hl=en_US" allowscriptaccess="always" allowfullscreen="true" id="s_media_1_0" name="s_media_1_0"></object>';
125 | 
126 | console.log(
127 |   bleach.filter(html, 'youtube')
128 | );
129 | 
130 | // <iframe type="text/html" frameborder="0" scrolling="no" allowfullscreen src="http://youtube.com/embed/aU079Mdkenw"></iframe>
131 | 
132 | ````
133 | 
134 | Refer to the filters directory for the template.
135 | 
136 | ## disclaimer
137 | 
138 | This is not a port of the Python **bleach** library - in fact their implementations are very different.
139 | 
140 | ## license
141 | 
142 | (The MIT License)
143 | 
144 | Copyright (c) 2011 Cam Pedersen <cam@onswipe.com>
145 | 
146 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
147 | 
148 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
149 | 
150 | THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
151 | 


--------------------------------------------------------------------------------
/test/analyze.js:
--------------------------------------------------------------------------------
  1 | var vows   = require('vows'),
  2 |     assert = require('assert');
  3 |     bleach = require('../lib/bleach');
  4 | 
  5 | vows.describe('bleach').addBatch({
  6 | 
  7 |   'bleach.analyze(html)': {
  8 |     topic: function(){ return bleach.analyze; },
  9 |     'is a function': function(analyze) {
 10 |       assert.equal(typeof analyze, 'function');
 11 |     },
 12 |     'returns blank array on invalid or missing input': function(analyze) {
 13 |       assert.deepEqual(analyze({}), []);
 14 |       assert.deepEqual(analyze([]), []);
 15 |       assert.deepEqual(analyze(''), []);
 16 |     },
 17 |     'finds self-closing tags': function(analyze){
 18 |       assert.ok(analyze('<input type="text" />').length > 0);
 19 |     },
 20 |     'returns an array': function(analyze) {
 21 |       assert.isArray(analyze(' '));
 22 |     },
 23 |     'extracts attributes': function(analyze){
 24 |       assert.equal(analyze('<input type="text"></input>')[0].attr[0], { name: 'type', value: '"text"' }.toString());
 25 |     }
 26 |   },
 27 | 
 28 |   'bleach.sanitize(html, options)': {
 29 |     topic: function(){ return bleach.sanitize; },
 30 |     'is a function': function(sanitize) {
 31 |       assert.equal(typeof sanitize, 'function');
 32 |     },
 33 |     'does not require options to be passed in': function(sanitize){
 34 |       assert.doesNotThrow(function(){
 35 |         sanitize(' ');
 36 |       }, Error);
 37 |     },
 38 |     'returns a string': function(sanitize) {
 39 |       assert.isString(sanitize(' '));
 40 |     },
 41 |     'returns blank string on invalid or missing input': function(analyze) {
 42 |       assert.isString(analyze({}));
 43 |       assert.isString(analyze([]));
 44 |       assert.isString(analyze(''));
 45 |     },
 46 |     'whitelist is respected': function(sanitize){
 47 |       var whitelist = ['br'],
 48 |           input     = '<html><body><p>hello<br />world!</p></body></html><script type="text/javascript" />',
 49 |           output    = 'hello<br />world!',
 50 |           outcome   = sanitize(input, { list: whitelist });
 51 | 
 52 |       assert.equal(output, outcome);
 53 |     },
 54 |     'blacklist is respected': function(sanitize){
 55 |       var blacklist = ['html', 'body'],
 56 |           input     = '<html><body><p>hello<br />world!</p></body></html>',
 57 |           output    = '<p>hello<br />world!</p>',
 58 |           options   = {
 59 |             mode: 'black',
 60 |             list: blacklist
 61 |           },
 62 |           outcome = sanitize(input, options);
 63 | 
 64 |       assert.equal(output, outcome);
 65 |     },
 66 | 
 67 |   },
 68 | 
 69 |   'bleach.filter(html)': {
 70 |     topic: function(){ return bleach.filter; },
 71 |     'is a function': function(filter) {
 72 |       assert.equal(typeof filter, 'function');
 73 |     },
 74 |     'allows array or string to be passed in': function(filter){
 75 |       assert.doesNotThrow(function(){
 76 |         filter([]);
 77 |         filter('');
 78 |       }, Error);
 79 |     },
 80 |     'returns a string': function(filter) {
 81 |       assert.isString(filter(' ', 'youtube'));
 82 |     },
 83 |     'allow function to be passed in': function(filter){
 84 |       var nyanFilter = function(html){
 85 |         return 'nyan';
 86 |       }
 87 |       assert.equal(filter('nyannyannyan', nyanFilter), 'nyan');
 88 |     },
 89 |     'allow array of functions to be passed in': function(filter){
 90 |       var filters = [
 91 |         function(html){
 92 |           return 'nyan';
 93 |         },
 94 |         function(html){
 95 |           return html + html;
 96 |         }
 97 |       ];
 98 |       assert.equal(filter('nyannyannyan', filters), 'nyannyan');
 99 |     },
100 |   },
101 | 
102 |   'included youtube filter': {
103 |     topic: function(){ return bleach.filter; },
104 |     'converts a youtube flash object to an iframe': function(filter){
105 |       var input = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="420" height="315" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><param name="src" value="http://www.youtube.com/v/aU079Mdkenw?version=3&amp;hl=en_US"><param name="allowfullscreen" value="true"><embed type="application/x-shockwave-flash" width="420" height="315" src="http://www.youtube.com/v/aU079Mdkenw?version=3&amp;hl=en_US" allowscriptaccess="always" allowfullscreen="true" id="s_media_1_0" name="s_media_1_0"></object>',
106 |           output = '<iframe type="text/html" frameborder="0" scrolling="no" allowfullscreen src="http://youtube.com/embed/aU079Mdkenw"></iframe>';
107 | 
108 |       assert.equal(filter(input, 'youtube'), output);
109 |     },
110 |     'ignores non-youtube flash objects': function(filter){
111 |       var input = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="420" height="315" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><param name="src" value="http://www.youtube.com/v/aU079Mdkenw?version=3&amp;hl=en_US"><param name="allowfullscreen" value="true"><embed type="application/x-shockwave-flash" width="420" height="315" src="http://google.com/asdf" allowscriptaccess="always" allowfullscreen="true" id="s_media_1_0" name="s_media_1_0"></object>';
112 | 
113 |       assert.equal(filter(input, 'youtube'), input);
114 |     },
115 |   }
116 | 
117 | }).export(module);
118 | 


--------------------------------------------------------------------------------
/lib/bleach.js:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * bleach
  3 |  * a minimal html sanitizer
  4 |  * cam@onswipe.com
  5 |  */
  6 | 
  7 | var fs = require('fs'),
  8 |     he = require('he');
  9 | 
 10 | var bleach = {
 11 | 
 12 |   matcher: /<\/?([a-zA-Z0-9]+)*(.*?)\/?>/igm,
 13 | 
 14 |   whitelist: [
 15 |     'a',
 16 |     'b',
 17 |     'p',
 18 |     'em',
 19 |     'strong'
 20 |   ],
 21 | 
 22 |   analyze: function(html) {
 23 |     html = String(html) || '';
 24 | 
 25 |     var matches = [],
 26 |         match;
 27 | 
 28 |     // extract all tags
 29 |     while ((match = bleach.matcher.exec(html)) != null) {
 30 |       var attrr = match[2].split(' '),
 31 |           attrs = [];
 32 | 
 33 |       // extract attributes from the tag
 34 |       attrr.shift();
 35 |       attrr.forEach(function(attr){
 36 |         attr = attr.split('=');
 37 |         var attr_name = attr[0],
 38 |             attr_val = attr.length > 1 ? attr.slice(1).join('=') : null;
 39 |         // remove quotes from attributes
 40 |         if (attr_val && attr_val.charAt(0).match(/'|"/)) attr_val = attr_val.slice(1);
 41 |         if (attr_val && attr_val.charAt(attr_val.length-1).match(/'|"/)) attr_val = attr_val.slice(0, -1);
 42 |         attr = {
 43 |           name: attr_name,
 44 |           value: attr_val
 45 |         };
 46 |         if (!attr.value) delete attr.value;
 47 |         if (attr.name) attrs.push(attr);
 48 |       });
 49 | 
 50 |       var tag = {
 51 |         full: match[0],
 52 |         name: match[1],
 53 |         attr: attrs
 54 |       };
 55 | 
 56 |       matches.push(tag);
 57 |     }
 58 | 
 59 |     return matches;
 60 |   },
 61 | 
 62 |   sanitize: function(html, options) {
 63 |     html = String(html) || '';
 64 |     options = options || {};
 65 | 
 66 |     var mode = options.mode || 'white',
 67 |         list = options.list || bleach.whitelist;
 68 | 
 69 |     var matches = bleach.analyze(html);
 70 | 
 71 |     if ((mode == 'white' && list.indexOf('script') == -1)
 72 |      || (mode == 'black' && list.indexOf('script') != -1)) {
 73 |       html = html.replace(/<script(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/script>/gim, '');
 74 |     }
 75 | 
 76 | 
 77 |     if ((mode == 'white' && list.indexOf('style') == -1)
 78 |      || (mode == 'black' && list.indexOf('style') != -1)) {
 79 |       html = html.replace(/<style(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/style>/gim, '');
 80 |     }
 81 | 
 82 |     matches.forEach(function(tag){
 83 |       if (mode == 'white') {
 84 |         if (list.indexOf(tag.name) == -1) {
 85 |           html = html.replace(tag.full, '');
 86 |         }
 87 |       } else if (mode == 'black') {
 88 |         if (list.indexOf(tag.name) != -1) {
 89 |           html = html.replace(tag.full, '');
 90 |         }
 91 |       } else {
 92 |         throw new Error('Unknown sanitization mode "' + mode + '"');
 93 |       }
 94 |     });
 95 | 
 96 |     if ( options.encode_entities ) html = he.encode( html );
 97 | 
 98 |     return html;
 99 |   },
100 | 
101 |   filterSync: function(html, filters) {
102 |     html = String(html) || '';
103 | 
104 |     if (!filters) return;
105 | 
106 |     var available = fs.readdirSync(__dirname + '/../filters');
107 | 
108 |     if (Array.isArray(filters)) {
109 |       for (var i in filters) {
110 |         if (typeof filters[i] == 'function') {
111 |           html = filters[i](html);
112 |         } else {
113 |           var file = filters[i] + '.js';
114 |           for (var j in available) {
115 |             if (file == available[j]) {
116 |               html = require('../filters/' + file)(html);
117 |             }
118 |           }
119 |         }
120 |       }
121 |       return html;
122 |     } else if (typeof filters == 'string') {
123 |       var file = filters + '.js';
124 |       for (var i in available) {
125 |         if (file == available[i]) {
126 |           html = require('../filters/' + file)(html);
127 |           return html;
128 |         }
129 |       }
130 |       } else if (typeof filters == 'function') {
131 |         html = filters(html);
132 |         return html;
133 |       } else return html;
134 |   },
135 | 
136 |   filter: function(html, filters, callback) {
137 |     if (typeof(callback) != 'function') {
138 |       return bleach.filterSync(html, filters);
139 |     }
140 | 
141 |     html = String(html) || '';
142 | 
143 |     if (!filters) callback('no filters provided', undefined);
144 | 
145 |     var available = fs.readdir(__dirname + '/../filters', function() {
146 |       if (Array.isArray(filters)) {
147 |         for (var i in filters) {
148 |           if (typeof filters[i] == 'function') {
149 |             html = filters[i](html);
150 |           } else {
151 |             var file = filters[i] + '.js';
152 |             for (var j in available) {
153 |               if (file == available[j]) {
154 |                 html = require('../filters/' + file)(html);
155 |               }
156 |             }
157 |           }
158 |         }
159 |         return html;
160 |       } else if (typeof filters == 'string') {
161 |         var file = filters + '.js';
162 |         for (var i in available) {
163 |           if (file == available[i]) {
164 |             html = require('../filters/' + file)(html);
165 |             callback(undefined, html);
166 |           }
167 |         }
168 |         } else if (typeof filters == 'function') {
169 |           html = filters(undefined, html);
170 |           callback(undefined, html);
171 |         } else callback(undefined, html);
172 |     });
173 |   }
174 | 
175 | };
176 | 
177 | module.exports = bleach;
178 | 


--------------------------------------------------------------------------------