# HTML Sanitizer The `HtmlSanitizer` class provides a utility for sanitizing HTML content to prevent XSS (Cross-Site Scripting) attacks while maintaining safe HTML elements and attributes. ## Features - HTML content sanitization - Protection against XSS attacks - Configurable allowed tags and attributes - Support for custom styling and classes - Safe image handling with controlled schemes ## Usage ### Basic Usage ```typescript import { HtmlSanitizer } from "n-util"; // Sanitize HTML content const html = `

Hello World

This is bold text with a link

Example
`; const sanitizedHtml = HtmlSanitizer.sanitize(html); // Result: Sanitized HTML with safe tags and attributes ``` ### Allowed Elements and Attributes The sanitizer allows the following by default: - Common HTML tags (p, div, span, etc.) - Basic text formatting (b, i, strong, em) - Links with href attributes - Images with src, alt attributes - Custom styling and classes - Safe URL schemes (http, https, data) ## API Reference ### HtmlSanitizer Class ```typescript class HtmlSanitizer ``` A utility class for sanitizing HTML content. #### Methods ##### sanitize ```typescript static sanitize(html: string): string ``` Sanitizes the given HTML string, removing potentially dangerous content while preserving safe elements. - Parameters: - `html`: The HTML string to sanitize - Returns: A sanitized HTML string - Throws: Error if html is null, undefined, or not a string ## Best Practices 1. **Input Validation**: - Always validate input before sanitization - Handle null or undefined values - Ensure input is a string 2. **Security Considerations**: - Use for user-generated content - Apply to all HTML content from untrusted sources - Consider additional validation for specific use cases 3. **Performance**: - Sanitize content before storage - Cache sanitized content when possible - Consider content length and complexity ## Examples ### User-Generated Content ```typescript // Example of sanitizing user-generated content class Comment { private _id: string; private _content: string; private _author: string; constructor(id: string, content: string, author: string) { this._id = id; this._content = HtmlSanitizer.sanitize(content); this._author = author; } get id(): string { return this._id; } get content(): string { return this._content; } get author(): string { return this._author; } } // Create a comment with sanitized content const comment = new Comment( "C001", '
Hello World!
', "John Doe" ); // The content will be sanitized, removing dangerous elements console.log(comment.content); // Result:
Hello World!
``` ### Rich Text Editor Integration ```typescript // Example of integrating with a rich text editor class RichTextEditor { private _content: string; constructor(initialContent: string = "") { this._content = HtmlSanitizer.sanitize(initialContent); } public updateContent(newContent: string): void { this._content = HtmlSanitizer.sanitize(newContent); } public getContent(): string { return this._content; } public render(): string { return `
${this._content}
`; } } // Create and use a rich text editor const editor = new RichTextEditor(`

Welcome

This is bold text with Image

`); // Update content with sanitization editor.updateContent(`

New content with dangerous link

`); // The content will be sanitized, preserving safe elements console.log(editor.getContent()); // Result:

New content with dangerous link

``` ### Custom Styling and Classes ```typescript // Example of using custom styling and classes class StyledContent { private _content: string; constructor(content: string) { this._content = HtmlSanitizer.sanitize(content); } public getContent(): string { return this._content; } } // Create styled content const styledContent = new StyledContent(`

Styled Content

This content has custom styling and classes

`); // The content will preserve safe styling and classes console.log(styledContent.getContent()); // Result: HTML with preserved styling and classes ``` ## Security Notes 1. **XSS Prevention**: - Removes script tags and event handlers - Sanitizes URLs in links and images - Removes potentially dangerous attributes 2. **Allowed Content**: - Basic HTML formatting - Safe styling attributes - Controlled image sources - Custom classes 3. **Limitations**: - Does not validate content semantics - May not catch all XSS vectors - Consider additional security measures for critical applications