Skip to content
/ t8 Public

Easily sanitize strings, using user input, before injecting into DOM with .innerHTML and friends

Notifications You must be signed in to change notification settings

kpion/t8

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 

Repository files navigation

T8 - Sanitize HTML

As not seen on...

"Innovative, compelling, visionary"

~The author.

Almost 1 million downloads a month*

* about literally two to be exact.

Introducing T8!!!

Introduction

Safe HTML injection with .innerHTML & .insertAdjacentHTML & friends.

As simple as

document.querySelector('#target').innerHTML = t8.sane('<p>Hello {what}!</p>',{what: 'World'});

See Demo

You can't simply get some user input and make a HTML out, of it due to XSS. Hence the common solution is to use .appenchChild to add DOM Element, and .textContent to put user input into it.

And that is fine, although there are those exceptions where building whole HTML is just a much better (easier and faster) option.

T8 makes it safe by separating user data and your HTML markup. I.e. templates. Just like those libs like React, vue etc do, except T8 does only that.

Example

One-liner, not very useful:

document.querySelector('#target').innerHTML = t8.sane('<p>Hello {what}!</p>',{what: 'World'});

And here comes an even less useful one:

//example data object, coming from user (not safe):
let person = {
    name: 'John Smith',
    hack: 'hack <img src=x onerror="alert(\'XSS Attack\')"> us',
    animals: {
        cat:'Rambo',
        dog: 'Pinky'
    }
}

//our template 
let template = `
    <div>
        <p>Here is this guy, <b>{name}</b></p> 
        <p>He has a cat called {animals.cat} and a dog - {animals.dog}</p> 
        <p>And he tries to <b>{hack}</b></p> 
    </div>
`;

//safe scenario: 

document.querySelector('#target').innerHTML = t8.sane(template,person);

//unsafe scenario: 

document.querySelector('#target').innerHTML = '<p>Purposely unsafe:</p>' + t8.raw(template,person);

Installation

This huge package, thanks to the most advanced AI technologies, is highly compressed to a single js file here so just copy & past it... somewhere.

Notes & references

About

Easily sanitize strings, using user input, before injecting into DOM with .innerHTML and friends

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published