Whitelist-based HTML sanitizer (sanitize-html) for Vue.js apps.
We should always sanitize user input values on the server. Do sanitize with Vue only for necessary cases (e.g markdown preview).
npm install --save v-sanitize
or
yarn add v-sanitize
Register the plugin
import Vue from 'vue';
import VSanitize from "v-sanitize";
Vue.use(VSanitize);
nuxt.config.js
export default {
modules: [
['v-sanitize/nuxt', { /* options */ }]
],
sanitize: { /* options */ }
}
You can pass default options too:
defaultOptions = {
allowedTags: ['a', 'b'],
allowedAttributes: {
'a': [ 'href' ]
}
};
Vue.use(VSanitize, defaultOptions);
Use it in your components:
<template>
<div contenteditable="true" @paste="sanitize"></div>
</template>
<script>
export default {
methods: {
sanitize(event) {
event.preventDefault();
const html = this.$sanitize(event.clipboardData.getData('text/html'));
//or
//const html = this.$sanitize(
// event.clipboardData.getData('text/html'),
// {
// allowedTags: ['b', 'br']
// }
//);
document.execCommand('insertHTML', false, (html));
}
},
}
</script>
Vue.use(VSanitize[, defaultOptions])
Object
This plugin is dependent on sanitize-html. For details, see here https://github.com/punkave/sanitize-html#readme.
this.$sanitize(dirty[, options])
String
true
Object
If you don't pass an options, the default options will be used.
VSanitize.defaults
Return sanitizeHtml.defaults
.
Vue's default v-text
is HTML-insensitive, while v-html
doesn't perform sanitization by default.
v-sanitize
is a Vue directive for HTML sanitization, powered by the flexible sanitize-html. The directive can receive either a string, that will undergo a partial sanitization if no modifier is present, or an array of two elements, the first being a sanitize-html
whitelist (know more here) and the second being the string to be sanitized.
<div v-sanitize="unsafe_html"></div>
.strip
modifier)Removes all HTML tags, keeping just the text content.
<span v-sanitize.strip="unsafe_html"></span>
.basic
modifier)Allows some HTML tags, but remove unsafe content, like <script/>
and <iframe/>
tags.
<span v-sanitize.basic="unsafe_html"></span> = <span v-sanitize="unsafe_html"></span>
.inline
modifier)Removes most tags, keeping only inline formatting and <br/>
tags.
<span v-sanitize.inline="unsafe_html"></span>
.nothing
modifier)Allows all HTML tags, not performing sanitization. For all effects, it's a replacement for v-html
.
<span v-sanitize.nothing="unsafe_html"></span>
Please see CHANGELOG for more information what has changed recently.
If you discover any security related issues, please email chantouchsek.cs83@gmail.com instead of using the issue tracker.
git checkout -b my-new-feature
git commit -am 'Add some feature'
git push origin my-new-feature
The MIT License (MIT). Please see License File for more information.