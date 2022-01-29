micromark utility to sanitize urls.
npm:
npm install micromark-util-sanitize-uri
import {sanitizeUri} from 'micromark-util-sanitize-uri'
sanitizeUri('https://example.com/a&b') // 'https://example.com/a&amp;b'
sanitizeUri('https://example.com/a%b') // 'https://example.com/a%25b'
sanitizeUri('https://example.com/a%20b') // 'https://example.com/a%20b'
sanitizeUri('https://example.com/👍') // 'https://example.com/%F0%9F%91%8D'
sanitizeUri('https://example.com/', /^https?$/i) // 'https://example.com/'
sanitizeUri('javascript:alert(1)', /^https?$/i) // ''
sanitizeUri('./example.jpg', /^https?$/i) // './example.jpg'
sanitizeUri('#a', /^https?$/i) // '#a'
This module exports the following identifiers: sanitizeUri.
There is no default export.
sanitizeUri(url[, pattern])
Make a value safe for injection as a URL.
This encodes unsafe characters with percent-encoding and skips already encoded sequences (see normalizeUri internally).
Further unsafe characters are encoded as character references (see micromark-util-encode).
A regex of allowed protocols can be given, in which case the URL's protocol is checked against it.
For example, /^(https?|ircs?|mailto|xmpp)$/i can be used for a[href], or /^https?$/i for img[src] (this is what github.com allows).
If the URL includes an unknown protocol (one not matched by pattern, such as a dangerous example, javascript:), the value is ignored and an empty string is returned.
URLs without a protocol, such as ./example.jpg or #a, are returned as-is apart from the encoding.
url (string) — URI to sanitize.
pattern (RegExp, optional) — Allowed protocols.
string — Sanitized URI.
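The behaviour documented above, as a stand-alone sketch added here: percent-encoding that skips existing escapes, character references for what remains, then the protocol allowlist. This is not micromark's source and may differ from the package on inputs beyond the README's samples; `sketchSanitizeUri`, `percentEncode` and `htmlEncode` are hypothetical names.

```javascript
// Added sketch of the documented behaviour; not micromark's source code.
// All function names here are illustrative assumptions.

// Percent-encode unsafe characters, leaving valid %XX escapes untouched.
function percentEncode(value) {
  return value.replace(/%[0-9A-Fa-f]{2}|[^!#$&-;=?-Z_a-z~]/gu, (match) => {
    if (match.length === 3) return match // already-encoded sequence
    try {
      return encodeURIComponent(match)
    } catch {
      return '%EF%BF%BD' // lone surrogate: emit U+FFFD instead of throwing
    }
  })
}

// Encode characters that are unsafe in an HTML attribute as character references.
function htmlEncode(value) {
  const refs = {'"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;'}
  return value.replace(/["&<>]/g, (char) => refs[char])
}

function sketchSanitizeUri(url, pattern) {
  const value = htmlEncode(percentEncode(url || ''))
  if (!pattern) return value

  const colon = value.indexOf(':')
  // A colon only ends a protocol when it precedes the first '/', '?' and '#'.
  const relative = ['/', '?', '#'].some((char) => {
    const index = value.indexOf(char)
    return index > -1 && index < colon
  })
  if (colon < 0 || relative || pattern.test(value.slice(0, colon))) return value
  return '' // unknown protocol: drop the whole value
}
```

The allowlist is tested against the text before the first colon only, so a colon inside a path, query or fragment (for example `/path?next=a:b`) does not make a relative URL look like it has a protocol.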
See security.md in micromark/.github for how to submit a security report.
See contributing.md in micromark/.github for ways to get started.
See support.md for ways to get help.
This project has a code of conduct. By interacting with this repository, organisation, or community you agree to abide by its terms.