@benedictleejh/nuxt-sanitise-html

v1.1.0

A Nuxt module to sanitise HTML to protect against XSS attacks

Readme

Nuxt Sanitise HTML

Nuxt module for sanitising HTML, as a safe replacement for using v-html, protecting against XSS attacks through sanitising HTML inputs.

Features

  • Adds v-sanitise-html directive as a safe replacement for v-html
  • Supports sanitisation profiles to allow configuration as needed for different use cases
  • Supports configuring hooks for advanced sanitisation needs

Setup

Install the module from npm using your package manager of choice, e.g. pnpm:

pnpm add -D @benedictleejh/nuxt-sanitise-html

Then add the module to your Nuxt config file:

export default defineNuxtConfig({
  modules: ['@benedictleejh/nuxt-sanitise-html'],
})

Usage

Basic

The module works without any configuration. Use v-sanitise-html instead of v-html wherever you need to sanitise HTML input. This uses DOMPurify's default configuration for sanitisation.

<script setup lang="ts">
const xssAttack = `<p>Hello<script>alert('This is an XSS attack!')</` + `script> World</p>`
</script>

<template>
  <div v-sanitise-html="xssAttack" />
</template>

The output HTML would be:

<p>HelloWorld</p>

You can set up different sanitisation configurations (profiles) in app config (app.config.ts) using the sanitiseHtml key.

export default defineAppConfig({
  sanitiseHtml: {
    profiles: {
      profileName: {
        config: {
          allowedTags: [
            'h1'
          ]
        }
      }
    }
  }
})

The profile names can be used as arguments to v-sanitise-html to use that profile instead of the default profile.

<script setup lang="ts">
const xssAttack = `<p>Hello<script>alert('This is an XSS attack!')</` + `script> World</p>`
</script>

<template>
  <div v-sanitise-html:profileName="xssAttack" />
</template>

You can also override the profile used when calling v-sanitise-html without arguments by simply setting up a profile with the name default.

export default defineAppConfig({
  sanitiseHtml: {
    profiles: {
      // This profile is now used when using `v-sanitise-html` without arguments
      default: {
        config: {
          allowedTags: [
            'h1'
          ]
        }
      }
    }
  }
})

Profiles consist of 2 parts: the configuration, which is DOMPurify's configuration but with the keys renamed to camelCase, and the hooks. Please see the DOMPurify documentation for more details on the configuration. For the hooks configuration object, the keys are the DOMPurify entry point names, and the values are either a hook function or an array of hook functions.

export default defineAppConfig({
  sanitiseHtml: {
    profiles: {
      profileName: {
        config: {
          allowedTags: [
            'h1'
          ],
          // ...
        },

        hooks: {
          beforeSanitizeAttributes: (currentNode) => {
            // Do something with the node
          },

          afterSanitizeAttributes: [
            (currentNode) => {
              // Do something with the node
            },

            (currentNode) => {
              // Do something else with the node
            }
          ],
          // ...
        }
        }
      }
    }
  }
})
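
An added example, not taken from the module's README or source: a link-hardening profile in the shape described above, with two afterSanitizeAttributes hooks supplied as an array. The profile name userComment, the allowlists, the hook functions and the allowedAttr key (assumed to be the camelCase form of DOMPurify's ALLOWED_ATTR) are assumptions for illustration; runHooks and stubElement are constructed stand-ins so the hooks can be exercised under plain Node without a DOM.

```javascript
// Hook: links that open a new browsing context get rel="noopener noreferrer",
// so the opened page cannot reach back through window.opener.
function hardenBlankTargets(node) {
  if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
    node.setAttribute('rel', 'noopener noreferrer')
  }
}

// Hook: keep only https:// URLs and same-site absolute paths in href.
// "//host" and "/\host" are rejected: browsers resolve both to another origin.
const SAFE_HREF = /^(?:https:\/\/|\/(?![\/\\]))/i
function restrictLinkTargets(node) {
  if (node.tagName !== 'A' || !node.hasAttribute('href')) return
  if (!SAFE_HREF.test(node.getAttribute('href').trim())) node.removeAttribute('href')
}

// Profile in the README's shape. In a Nuxt app this object is the `sanitiseHtml`
// key passed to defineAppConfig(), selected with v-sanitise-html:userComment.
// `userComment` is a hypothetical name; `allowedAttr` is an assumed key name.
const sanitiseHtml = {
  profiles: {
    userComment: {
      config: { allowedTags: ['p', 'a', 'em', 'strong'], allowedAttr: ['href', 'target'] },
      hooks: { afterSanitizeAttributes: [restrictLinkTargets, hardenBlankTargets] },
    },
  },
}

// Stand-in for DOMPurify invoking an entry point (not the module's own code).
// Accepts a single function or an array, as the hooks object does.
function runHooks(hooks, entryPoint, node) {
  for (const hook of [hooks[entryPoint] ?? []].flat()) hook(node)
  return node
}

// Constructed stub element exposing only the attribute methods the hooks use.
function stubElement(tagName, attrs) {
  const store = new Map(Object.entries(attrs))
  return {
    tagName,
    hasAttribute: (name) => store.has(name),
    getAttribute: (name) => store.get(name) ?? null,
    setAttribute: (name, value) => void store.set(name, String(value)),
    removeAttribute: (name) => void store.delete(name),
  }
}
```

Hook order in the array matters only when one hook depends on another's result; here the two are independent, so a link that loses its href still keeps the rel hardening.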

Contribution

This repo follows GitLab Flow as a branching model. All PRs should be made against development and not main.

# Install dependencies
pnpm install

# Generate type stubs
pnpm run dev:prepare

# Develop with the playground
pnpm run dev

# Build the playground
pnpm run dev:build

# Run ESLint
pnpm run lint

# Run Vitest
pnpm run test
pnpm run test:watch

# Release new version
pnpm run release