README
micromark-util-sanitize-uri
micromark utility to sanitize urls.
Contents
Install
npm:
npm install micromark-util-sanitize-uri
Use
import {sanitizeUri} from 'micromark-util-sanitize-uri'
sanitizeUri('https://example.com/a&b') // 'https://example.com/a&b'
sanitizeUri('https://example.com/a%b') // 'https://example.com/a%25b'
sanitizeUri('https://example.com/a%20b') // 'https://example.com/a%20b'
sanitizeUri('https://example.com/👍') // 'https://example.com/%F0%9F%91%8D'
sanitizeUri('https://example.com/', /^https?$/i) // 'https://example.com/'
sanitizeUri('javascript:alert(1)', /^https?$/i) // ''
sanitizeUri('./example.jpg', /^https?$/i) // './example.jpg'
sanitizeUri('#a', /^https?$/i) // '#a'
API
This module exports the following identifiers: sanitizeUri
.
There is no default export.
sanitizeUri(url[, pattern])
Make a value safe for injection as a URL.
This encodes unsafe characters with percent-encoding and skips already
encoded sequences (see normalizeUri
internally).
Further unsafe characters are encoded as character references (see
micromark-util-encode
).
A regex of allowed protocols can be given, in which case the URL is sanitized.
For example, /^(https?|ircs?|mailto|xmpp)$/i
can be used for a[href]
, or
/^https?$/i
for img[src]
(this is what github.com
allows).
If the URL includes an unknown protocol (one not matched by protocol
, such
as a dangerous example, javascript:
), the value is ignored.
Parameters
url
(string
) — URI to sanitize.pattern
(RegExp
, optional) — Allowed protocols.
Returns
string
— Sanitized URI.
Security
See security.md
in micromark/.github
for how to
submit a security report.
Contribute
See contributing.md
in micromark/.github
for ways
to get started.
See support.md
for ways to get help.
This project has a code of conduct. By interacting with this repository, organisation, or community you agree to abide by its terms.