xss-filter

> xss-filter is a XSS (Cross-Site Script) Filter for Node.js & the browser, provides friendly, reliable XSS filter API for you.

[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url] [![Bower version][bower-image]][bower-url]

![xssfilter](https://npmjs.org/package/xssfilter)

[npm-url]: https://npmjs.org/package/xssfilter
[downloads-image]: http://img.shields.io/npm/dm/xssfilter.svg
[npm-image]: http://img.shields.io/npm/v/xssfilter.svg
[bower-url]:http://badge.fury.io/bo/xssFilter
[bower-image]: https://badge.fury.io/bo/xssFilter.svg

中文

API Documentation

Test HTML:

``html


	title

	desc

	just a div


Result in：

`html


	title

	desc

	just a div


Installation / Download

npm install xssfilter or bower install xssFilter or just download xssFilter.js from the git repo.

`Usage`

`$3`

`js var xssFilter = require('xssfilter'); var xssfilter = new xssFilter();

var output = xssfilter.filter('

something...

');
// output: something...

$3

`js`

#### Use with require.js

`js`

#### Use with sea.js

`js`

`Manifest`

`$3`

whether match style tag, default is true. Set to false to prevent remove the matched style tags.

`$3`

whether match script tag, default is true. Set to false to prevent remove the matched script tags.

`$3`

whether remove matched tag, default is true. Set to false to using escape instead of remove.

removeMatchedTag should be used with matchStyleTag and matchScriptTag, for example:

`js var xssfilter = new xssFilter({ removeMatchedTag: false });`

`html


	
	something...


Result in:

`html


	<style type="text">
		.red{color: #f00}
	</style>
	something...


<script>alert(88)</script>


$3
attributes blacklist, attributes in this list will be cleared.
initial blacklist of attributes：

`js { onclick: true, ondblclick: true, onchange: true, onblur: true, onfocus: true, onkeydown: true, onkeypress: true, onkeyup: true, onmousedown: true, onmousemove: true, onmouseover: true, onmouseout: true, onmouseup: true, onselect: true, onsubmit: true, onreset: true, onload: true, onabort: true, onerror: true }`

`$3`

escape tags of whole html string, "<" to "<", ">" to ">", default no.

`Initialization`


The configuration options can be specified by passing an

options parameter in the initialization. options is optional, provided to override the default configuration.

`js var xssfilter = new xssFilter(options);`

`Instance methods`

`$3`


Filtering target string, accepts only one parameter.
$3
Use this method to modify the configuration options after initialization.

`js var xssfilter = new xssFilter();

xssfilter.options({ escape: true, matchStyleTag: false });

var output = xssfilter.filter('some html...');`

You can also configure single option:

`js var xssfilter = new xssFilter(); xssfilter.options('escape', true); var output = xssfilter.filter('some html...');`

when set secondary attributes like blackListAttrs, the second argument must be an object {}:

`js var xssfilter = new xssFilter();

xssfilter.options('blackListAttrs', { onsubmit: false });

var output = xssfilter.filter('

something...

');
// output: something...


Testing

`npm test``

Other xss filter view

- https://github.com/leizongmin/js-xss
- https://github.com/yahoo/xss-filters

License

MIT, see the LICENSE file for detail.

xss-filter

> xss-filter is a XSS (Cross-Site Script) Filter for Node.js & the browser, provides friendly, reliable XSS filter API for you.

[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url] [![Bower version][bower-image]][bower-url]

![xssfilter](https://npmjs.org/package/xssfilter)

中文

API Documentation

Test HTML:

``html


	title

	desc

	just a div


Result in：

`html


	title

	desc

	just a div


Installation / Download

npm install xssfilter or bower install xssFilter or just download xssFilter.js from the git repo.

`Usage`

`$3`

`js var xssFilter = require('xssfilter'); var xssfilter = new xssFilter();

var output = xssfilter.filter('

something...

');
// output: something...

$3

`js`

#### Use with require.js

`js`

#### Use with sea.js

`js`

`Manifest`

`$3`

whether match style tag, default is true. Set to false to prevent remove the matched style tags.

`$3`

whether match script tag, default is true. Set to false to prevent remove the matched script tags.

`$3`

whether remove matched tag, default is true. Set to false to using escape instead of remove.

removeMatchedTag should be used with matchStyleTag and matchScriptTag, for example:

`js var xssfilter = new xssFilter({ removeMatchedTag: false });`

`html


	
	something...


Result in:

`html


	<style type="text">
		.red{color: #f00}
	</style>
	something...


<script>alert(88)</script>


$3
attributes blacklist, attributes in this list will be cleared.
initial blacklist of attributes：

`$3`

escape tags of whole html string, "<" to "<", ">" to ">", default no.

`Initialization`


The configuration options can be specified by passing an

options parameter in the initialization. options is optional, provided to override the default configuration.

`js var xssfilter = new xssFilter(options);`

`Instance methods`

`$3`


Filtering target string, accepts only one parameter.
$3
Use this method to modify the configuration options after initialization.

`js var xssfilter = new xssFilter();

xssfilter.options({ escape: true, matchStyleTag: false });

var output = xssfilter.filter('some html...');`

You can also configure single option:

`js var xssfilter = new xssFilter(); xssfilter.options('escape', true); var output = xssfilter.filter('some html...');`

when set secondary attributes like blackListAttrs, the second argument must be an object {}:

`js var xssfilter = new xssFilter();

xssfilter.options('blackListAttrs', { onsubmit: false });

var output = xssfilter.filter('

something...

');
// output: something...


Testing

`npm test``

Other xss filter view

- https://github.com/leizongmin/js-xss
- https://github.com/yahoo/xss-filters

License

MIT, see the LICENSE file for detail.