rehype plugin to sanitize HTML
Last updated a year ago by wooorm .
$ cnpm install rehype-sanitize 



rehype plugin to sanitize HTML.



npm install rehype-sanitize


Say we have the following file, index.html:

<div onmouseover="alert('alpha')">
  <a href="jAva script:alert('bravo')">delta</a>
  <img src="x" onerror="alert('charlie')">
  <iframe src="javascript:alert('delta')"></iframe>
  <math>
    <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
  </math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>

And our script, example.js, looks as follows:

var fs = require('fs')
var rehype = require('rehype')
var merge = require('deepmerge')
var gh = require('hast-util-sanitize/lib/github')
var sanitize = require('rehype-sanitize')

// Start from the GitHub schema and additionally allow the `math` and `mi` tags.
var schema = merge(gh, {tagNames: ['math', 'mi']})

rehype()
  .data('settings', {fragment: true})
  .use(sanitize, schema)
  .process(fs.readFileSync('index.html'), function(err, file) {
    if (err) throw err
    console.log(String(file))
  })

Now, running node example yields:

  <img src="x">



rehype().use(sanitize[, schema])

Remove potentially dangerous things from HTML, or, more precisely: keep only the safe things in a document.


The sanitation schema defines whether and how nodes and properties are cleaned. The schema is documented in hast-util-sanitize.
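To make the schema semantics concrete, here is an added example (not rehype-sanitize's or hast-util-sanitize's own code) of a minimal allowlist sanitizer over a hast-like tree. The `githubLikeSchema` is a small constructed stand-in for the real GitHub schema, and the input tree is constructed to mirror the index.html above; it shows why `math`/`mi` only survive once the schema is extended, and why the event handlers and `javascript:`/`data:` URLs never do.

```javascript
// Added example, not rehype-sanitize's own code: a minimal allowlist sanitizer over a
// hast-like tree, modelling the schema fields (strip, tagNames, attributes, protocols)
// that the GitHub schema uses. Property names are kept as they appear in HTML.
const githubLikeSchema = {                // constructed stand-in for the real schema
  strip: ['script'],                      // element and its content are removed
  tagNames: ['div', 'a', 'img'],          // anything else is unwrapped: content kept, tag dropped
  attributes: {'*': ['title'], a: ['href'], img: ['src']},   // no on* handlers at all
  protocols: {href: ['http', 'https', 'mailto'], src: ['http', 'https']},
};

// Relative URLs pass; absolute ones need an allowlisted scheme. Whitespace and control
// characters are removed first so "jAva script:" is recognised as "javascript:".
function urlAllowed(value, protocols) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const colon = v.indexOf(':');
  const stop = v.search(/[/?#]/);
  if (colon === -1 || (stop !== -1 && stop < colon)) return true;
  return protocols.includes(v.slice(0, colon));
}

function sanitizeNode(node, schema) {
  if (node.type === 'text') return [node];
  if (schema.strip.includes(node.tagName)) return [];
  const children = (node.children || []).flatMap((c) => sanitizeNode(c, schema));
  if (!schema.tagNames.includes(node.tagName)) return children;
  const allowed = [...(schema.attributes['*'] || []), ...(schema.attributes[node.tagName] || [])];
  const properties = {};
  for (const [name, value] of Object.entries(node.properties || {})) {
    if (!allowed.includes(name)) continue;              // drops onerror, xlink:href, ...
    if (schema.protocols[name] && !urlAllowed(value, schema.protocols[name])) continue;
    properties[name] = value;
  }
  return [{type: 'element', tagName: node.tagName, properties, children}];
}

function sanitizeTree(root, schema) {
  return {type: 'root', children: root.children.flatMap((c) => sanitizeNode(c, schema))};
}

// Constructed input mirroring the README's index.html.
const el = (tagName, properties, children = []) => ({type: 'element', tagName, properties, children});
const input = {type: 'root', children: [
  el('div', {onmouseover: "alert('alpha')"}, [
    el('a', {href: "jAva script:alert('bravo')"}, [{type: 'text', value: 'delta'}]),
    el('img', {src: 'x', onerror: "alert('charlie')"}),
    el('math', {}, [el('mi', {'xlink:href': "data:x,<script>alert('echo')</script>"})]),
  ]),
  el('script', {}, [{type: 'text', value: "alert('foxtrot')"}]),
]};
// Extending the schema as the README does with deepmerge: tagNames are concatenated.
const mathSchema = {...githubLikeSchema, tagNames: [...githubLikeSchema.tagNames, 'math', 'mi']};
```

Run `sanitizeTree(input, githubLikeSchema)` and `sanitizeTree(input, mathSchema)` to compare: the first unwraps `math`/`mi` to nothing, the second keeps them with their unsafe `xlink:href` removed.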


Improper use of rehype-sanitize can open you up to a cross-site scripting (XSS) attack. The defaults are safe, but deviating from them is likely unsafe.

Use rehype-sanitize after all other plugins, as other plugins are likely also unsafe.



See in rehypejs/.github for ways to get started. See for ways to get help.

This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.


MIT © Titus Wormer

Current Tags

  • 3.0.1                                ...           latest (5 months ago)

6 Versions

  • 3.0.1                                ...           5 months ago
  • 3.0.0                                ...           a year ago
  • 2.0.3                                ...           a year ago
  • 2.0.2                                ...           2 years ago
  • 2.0.1                                ...           3 years ago
  • 2.0.0                                ...           3 years ago
