appcues / strip_js

An Elixir library for stripping executable JS from HTML and CSS.


StripJs


StripJs is an Elixir module for stripping executable JavaScript from blocks of HTML and CSS, based on the Floki parsing library.

It handles:

  • <script>...</script> and <script src="..."></script> tags
  • Event handler attributes such as onclick="..."
  • javascript:... URLs in HTML and CSS
  • CSS expression(...) directives
  • HTML entity attacks (like &lt;script&gt;)

StripJs is production ready, and has sanitized over 1.5 billion payloads at Appcues.

Usage

clean_html/2 removes all JS vectors from an HTML string:

iex> html = "<button onclick=\"alert('pwnt')\">Hi!</button>"
iex> StripJs.clean_html(html)
"<button>Hi!</button>"

clean_css/2 removes all JS vectors from a CSS string:

iex> css = "body { background-image: url('javascript:alert()'); }"
iex> StripJs.clean_css(css)
"body { background-image: url('removed_by_strip_js:alert()'); }"
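The following is an added regression check, not part of the StripJs project, that runs the script-tag, event-handler, javascript: URL and CSS expression() vector classes listed above through StripJs.clean_html/1 and StripJs.clean_css/1 and verifies that the executable construct is gone from the output. It assumes a project that depends on :strip_js and is run with `mix run check_strip_js.exs`; the input samples are constructed here and the forbidden-pattern regexes are a coarse assumption, not the library's own definition of a vector.

```elixir
# Added example (not StripJs project code): feed one constructed sample per
# vector class to StripJs and confirm the executable construct is removed.
# Exact output forms beyond the README's examples are deliberately not asserted.
defmodule StripJsCheck do
  # Constructed HTML samples, one per vector class from the README.
  @html_cases [
    {"script tag", ~S|<p>hi</p><script>alert(1)</script>|},
    {"external script", ~S|<script src="https://example.invalid/x.js"></script>|},
    {"event handler", ~S|<button onclick="alert('x')">Hi!</button>|},
    {"javascript: URL", ~S|<a href="javascript:alert(1)">go</a>|}
  ]

  # Constructed CSS samples.
  @css_cases [
    {"javascript: in url()", "body { background-image: url('javascript:alert()'); }"},
    {"expression()", "div { width: expression(alert(1)); }"}
  ]

  # Patterns whose presence in sanitized output would mean a vector survived.
  # These are assumptions for this check; the on* pattern is coarse on purpose.
  @html_forbidden [~r/<script/i, ~r/\son\w+\s*=/i, ~r/javascript:/i]
  @css_forbidden [~r/javascript:/i, ~r/expression\s*\(/i]

  # Returns a list of {case_name, passed?} tuples.
  def run do
    html_results =
      for {name, input} <- @html_cases do
        {name, safe?(StripJs.clean_html(input), @html_forbidden)}
      end

    css_results =
      for {name, input} <- @css_cases do
        {name, safe?(StripJs.clean_css(input), @css_forbidden)}
      end

    html_results ++ css_results
  end

  # True when none of the forbidden patterns match the sanitized output.
  defp safe?(output, patterns), do: not Enum.any?(patterns, &Regex.match?(&1, output))
end

# Print one line per case and exit non-zero if any vector slipped through.
results = StripJsCheck.run()

Enum.each(results, fn {name, ok} ->
  label = if ok, do: "PASS", else: "FAIL"
  IO.puts("#{label}  #{name}")
end)

unless Enum.all?(results, fn {_name, ok} -> ok end), do: System.halt(1)
```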

Security

StripJs blocks every JS injection vector known to the authors. It has survived four years in production, multiple professional penetration tests, and over a billion invocations with no known security issues.

If you believe there are JS injection methods not covered by this library, please submit an issue with a test case!

Full docs are available at Hexdocs.pm.

Authorship and License

Copyright 2017-2021, Appcues, Inc.

StripJs is released under the MIT License.
