An Elixir library for stripping executable JS from HTML and CSS.

appcues/strip_js
StripJs

StripJs is an Elixir module for stripping executable JavaScript from blocks of HTML and CSS, based on the Floki parsing library.

It handles:

  • <script>...</script> and <script src="..."></script> tags
  • Event handler attributes such as onclick="..."
  • javascript:... URLs in HTML and CSS
  • CSS expression(...) directives
  • HTML entity attacks (like &lt;script&gt;)

StripJs is production ready, and has sanitized over 1.5 billion payloads at Appcues.

Usage

clean_html/2 removes all JS vectors from an HTML string:

iex> html = "<button onclick=\"alert('pwnt')\">Hi!</button>"
iex> StripJs.clean_html(html)
"<button>Hi!</button>"

clean_css/2 removes all JS vectors from a CSS string:

iex> css = "body { background-image: url('javascript:alert()'); }"
iex> StripJs.clean_css(css)
"body { background-image: url('removed_by_strip_js:alert()'); }"

Security

StripJs blocks every JS injection vector known to the authors. It has survived four years in production, multiple professional penetration tests, and over a billion invocations with no known security issues.

If you believe there are JS injection methods not covered by this library, please submit an issue with a test case!
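An added example, not part of the StripJs project or its own test suite: an ExUnit regression module that feeds one constructed payload per vector category listed above through clean_html and clean_css and checks that nothing executable survives. It assumes StripJs is a dependency of the application, uses the single-argument calls exactly as the Usage section shows, and the regex "clean" criteria are this example's own assumptions about the output, not a specification from the library.

```elixir
defmodule MyApp.StripJsRegressionTest do
  # Hypothetical module name; drop this file into test/ of an app that depends on StripJs.
  use ExUnit.Case, async: true

  # Constructed inputs, one per vector category named in the README.
  @html_vectors [
    ~s|<script>alert(1)</script><p>text</p>|,
    ~s|<script src="https://example.invalid/x.js"></script><p>text</p>|,
    ~s|<button onclick="alert(1)">Hi!</button>|,
    ~s|<a href="javascript:alert(1)">link</a>|,
    ~s|<div>&lt;script&gt;alert(1)&lt;/script&gt;</div>|
  ]

  @css_vectors [
    "body { background-image: url('javascript:alert()'); }",
    "div { width: expression(alert(1)); }"
  ]

  # Assumption: sanitized output is acceptable when none of these markers remain.
  defp assert_no_js(output) do
    refute output =~ ~r/<script/i
    refute output =~ ~r/\son\w+\s*=/i
    refute output =~ ~r/javascript:/i
    refute output =~ ~r/expression\s*\(/i
  end

  test "clean_html strips every listed HTML vector" do
    for input <- @html_vectors do
      assert_no_js(StripJs.clean_html(input))
    end
  end

  test "clean_css strips every listed CSS vector" do
    for input <- @css_vectors do
      assert_no_js(StripJs.clean_css(input))
    end
  end

  # The two outputs documented in the Usage section, pinned so a dependency bump cannot change them silently.
  test "README examples produce the documented output" do
    assert StripJs.clean_html(~s|<button onclick="alert('pwnt')">Hi!</button>|) ==
             "<button>Hi!</button>"

    assert StripJs.clean_css("body { background-image: url('javascript:alert()'); }") ==
             "body { background-image: url('removed_by_strip_js:alert()'); }"
  end
end
```

Run with `mix test`; any new vector you find can be appended to the module attributes so the case travels with the issue you file.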

Full docs are available at Hexdocs.pm.

Authorship and License

Copyright 2017-2021, Appcues, Inc.

StripJs is released under the MIT License.
