@mshibanami-org/markdown-it-sanitize-html
v1.0.12
A markdown-it plugin to sanitize HTML using sanitize-html.
markdown-it-sanitize-html
This plugin sanitizes the raw HTML that appears in the original Markdown, so that markup an author (or an attacker) writes directly into the document cannot carry scripts, event handlers or other XSS payloads into the rendered page. It does not touch HTML that markdown-it itself or other plugins generate from Markdown syntax; that output is left as-is. The example below shows both sides: the input and label elements emitted by markdown-it-task-checkbox survive, while the form, label and input written as raw HTML are stripped, leaving only their text content:
const markdownIt = require('markdown-it');
const markdownItSanitizeHtml = require('@mshibanami-org/markdown-it-sanitize-html');

// Raw HTML must be enabled (html: true) for the form to reach the renderer at all;
// the plugin is then what decides which of it survives.
const html = markdownIt({ html: true })
  .use(require('markdown-it-task-checkbox'))
  .use(markdownItSanitizeHtml)
  .render(`- [ ] Task 1
- [x] Task 2
<form>
<label for="name">Name:</label>
<input type="text" id="name" name="name">
</form>`);

console.log(html);
// Output:
// <ul class="task-list">
// <li class="task-list-item"><input type="checkbox" id="cbx_0" disabled="true"><label for="cbx_0"> Task 1</label></li>
// <li class="task-list-item"><input type="checkbox" id="cbx_1" checked="true" disabled="true"><label for="cbx_1"> Task 2</label></li>
// </ul>
//
// Name:
Installation
npm install @mshibanami-org/markdown-it-sanitize-html
Usage
JavaScript:
const markdownIt = require('markdown-it');
const markdownItSanitizeHtml = require('@mshibanami-org/markdown-it-sanitize-html');
const md = markdownIt({ html: true });
md.use(markdownItSanitizeHtml);
const markdown = 'Hello, <b onclick="alert(\'XSS\')">world</b>! <img src="x" onerror="alert(\'XSS\')">';
const html = md.render(markdown);
console.log(html);
// Output: <p>Hello, <b>world</b>! <img src="x"></p>
TypeScript:
import markdownIt from 'markdown-it';
import markdownItSanitizeHtml from '@mshibanami-org/markdown-it-sanitize-html';
const md = markdownIt({ html: true });
md.use(markdownItSanitizeHtml);
const markdown = 'Hello, <b onclick="alert(\'XSS\')">world</b>! <img src="x" onerror="alert(\'XSS\')">';
const html = md.render(markdown);
console.log(html);
// Output: <p>Hello, <b>world</b>! <img src="x"></p>
Options
You can pass options to sanitize-html during initialization. The object is handed to sanitize-html, so use its option names (allowedTags, allowedAttributes, allowedSchemes, and so on). For example, to allow only a small set of inline tags in raw HTML:
md.use(markdownItSanitizeHtml, {
  allowedTags: ['b', 'i', 'em', 'strong', 'a', 'code'],
  allowedAttributes: { a: ['href'] }
});
See the sanitize-html documentation for the available options.
License
sanitize-html - MIT License Copyright (c) 2013, 2014, 2015 P'unk Avenue LLC
markdown-it - MIT License © 2014 Vitaly Puzrin, Alex Kocharin.
markdown-it-sanitize-html - MIT License © 2025 Manabu Nakazawa
