bevacqua / insane

:pouting_cat: Lean and configurable whitelist-oriented HTML sanitizer
https://ponyfoo.com
MIT License
449 stars 22 forks

Different output at node and at browser #9

Open istarkov opened 6 years ago

istarkov commented 6 years ago

Simple example:

const insane = require('insane');
console.log(insane('<a href="&#106;">test</a>'));

Running this under node gives <a href="j">test</a> (see https://repl.it/repls/CloseMassiveArchitects), and running this under the browser gives <a href="&amp;#106;">test</a> (see https://codesandbox.io/s/k3ql74k5y5).

This causes issues with server-side rendering.

istarkov commented 6 years ago

The issue is that in the browser, escapeHtml/unescapeHtml from ./she.js are used, but at node it is he.decode/encode. @bevacqua, what is the reason to use 2 different methods of conversion depending on env?
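What the two decode paths do to the &#106; example, as an added illustration that is not part of this thread or of insane's own code. The minimal unescape modelled here (five fixed entities, no numeric references) is an assumption about she.js, and the full decoder is a simplified stand-in for he, not the real library.

```javascript
// Added model of the two decode paths described in this issue (not insane's code).
// he-style decoding (simplified): decimal/hex numeric references plus common names.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeFull(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Leave anything out of range untouched rather than throwing.
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// she.js-style minimal unescape (assumed): only five fixed entities, so a
// numeric reference like &#106; passes through untouched.
const MINIMAL = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function decodeMinimal(text) {
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (m) => MINIMAL[m]);
}

// Re-escaping applied to an attribute value before it is written back out.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Same attribute value, same decode -> escape pipeline, different decoder:
// this is the node vs browser divergence reported above.
function renderHref(value, decode) {
  return `<a href="${escapeAttr(decode(value))}">test</a>`;
}

// Check a server-side-rendering test suite would want: both sides produce
// identical markup for a given input, so hydration sees the same DOM.
function outputsAgree(value) {
  return renderHref(value, decodeFull) === renderHref(value, decodeMinimal);
}

console.log(renderHref('&#106;', decodeFull));    // node-like path
console.log(renderHref('&#106;', decodeMinimal)); // browser-like path
```

Running outputsAgree over the sanitizer's real inputs is a cheap way to catch any other entity forms the two paths handle differently.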

istarkov commented 6 years ago

I just checked, and in both cases sanitize-html uses decode/encode, so both outputs of the above are <a href="j">test</a>.

istarkov commented 6 years ago

I think you did that to reduce dependency size at the browser level? If yes, it's possibly better to use she.js in both environments; otherwise it's hard to use the library with server-side rendering libs like React. See #10.