sanitize()
创建一个净化插件,从编译输出中剥离危险的 HTML 标签、属性和 URL 协议。
import { sanitize } from "@unifast/node";签名
function sanitize(options?: SanitizePluginOptions): UnifastPlugin参数
options?
净化配置
| 属性 | 类型 | 默认值 | 描述 |
|---|---|---|---|
enabled | boolean | true | 启用或禁用净化 |
schema | SanitizeSchema | — | 自定义的净化 schema |
SanitizeSchema
| 属性 | 类型 | 描述 |
|---|---|---|
allowedTags | string[] | 允许保留的 HTML 标签名(其他都会被剥离) |
allowedAttributes | Record<string, string[]> | 每个标签允许保留的属性名 |
allowedProtocols | Record<string, string[]> | 每个属性允许使用的 URL 协议 |
用法
import { compile, sanitize } from "@unifast/node";
const result = compile(md, {
plugins: [
sanitize({
enabled: true,
schema: {
allowedTags: ["h1", "h2", "h3", "p", "a", "strong", "em", "code", "pre", "img", "ul", "ol", "li", "blockquote", "table", "thead", "tbody", "tr", "th", "td"],
allowedAttributes: {
a: ["href", "title", "target"],
img: ["src", "alt", "width", "height"],
code: ["class"],
pre: ["class"],
},
allowedProtocols: {
href: ["https", "http", "mailto"],
src: ["https", "http"],
},
},
}),
],
});示例
剥离危险 HTML
import { compile, sanitize } from "@unifast/node";
const untrustedMd = `
# Hello
<script>alert("xss")</script>
<img src="x" onerror="alert('xss')">
[Click me](javascript:alert('xss'))
`;
const result = compile(untrustedMd, {
plugins: [sanitize()],
});
console.log(result.output);
// <script> tags, onerror attributes, and javascript: URLs are removed自定义允许的标签
import { compile, sanitize } from "@unifast/node";
const result = compile(md, {
plugins: [
sanitize({
schema: {
allowedTags: ["p", "a", "strong", "em", "code", "pre"],
},
}),
],
});
console.log(result.output);
// Only the specified tags are kept; all others are stripped限制 URL 协议
import { compile, sanitize } from "@unifast/node";
const result = compile(md, {
plugins: [
sanitize({
schema: {
allowedProtocols: {
href: ["https", "mailto"],
src: ["https"],
},
},
}),
],
});
console.log(result.output);
// Only https: and mailto: links are allowed禁用净化
import { compile, sanitize } from "@unifast/node";
const result = compile(md, {
plugins: [sanitize({ enabled: false })],
});
console.log(result.output);
// No sanitization applied — use only with trusted input