README
micromark-util-sanitize-uri
micromark utility to sanitize urls.
Contents
Install
npm:
npm install micromark-util-sanitize-uri
Use
import {sanitizeUri} from 'micromark-util-sanitize-uri'
sanitizeUri('https://example.com/a&b') // 'https://example.com/a&b'
sanitizeUri('https://example.com/a%b') // 'https://example.com/a%25b'
sanitizeUri('https://example.com/a%20b') // 'https://example.com/a%20b'
sanitizeUri('https://example.com/👍') // 'https://example.com/%F0%9F%91%8D'
sanitizeUri('https://example.com/', /^https?$/i) // 'https://example.com/'
sanitizeUri('javascript:alert(1)', /^https?$/i) // ''
sanitizeUri('./example.jpg', /^https?$/i) // './example.jpg'
sanitizeUri('#a', /^https?$/i) // '#a'
API
This module exports the following identifiers: sanitizeUri.
There is no default export.
sanitizeUri(url[, pattern])
Make a value safe for injection as a URL.
This encodes unsafe characters with percent-encoding and skips already
encoded sequences (see normalizeUri internally).
Further unsafe characters are encoded as character references (see
micromark-util-encode).
A regex of allowed protocols can be given, in which case the URL is sanitized.
For example, /^(https?|ircs?|mailto|xmpp)$/i can be used for a[href], or
/^https?$/i for img[src] (this is what github.com allows).
If the URL includes an unknown protocol (one not matched by protocol, such
as a dangerous example, javascript:), the value is ignored.
Parameters
url(string) — URI to sanitize.pattern(RegExp, optional) — Allowed protocols.
Returns
string — Sanitized URI.
Security
See security.md in micromark/.github for how to
submit a security report.
Contribute
See contributing.md in micromark/.github for ways
to get started.
See support.md for ways to get help.
This project has a code of conduct. By interacting with this repository, organisation, or community you agree to abide by its terms.