Preventing XSS in Node.js / server side javascript

Note: this page is a Chinese/English translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same license, cite the original URL and attribute it to the original authors (not me): Stack Overflow, original question: http://stackoverflow.com/questions/3705356/

Date: 2020-09-02 13:40:44  Source: igfitidea

Tags: xss, node.js, server-side-javascript

Asked by Techwraith

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes, etc. from POSTed data?

I don't want to have to write a regex for all that :)


Any suggestions?


Accepted answer by ssokolow

One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

  • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)
    • Relies on either a browser's DOM or jsdom for Node.JS.
  • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.
    • Supports HTML, MathML, and SVG
    • Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
  • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)
    • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
    • Has special options to sanitize further for certain common types of HTML template metacharacters.
  • They're serious about compatibility and reliability
    • Automated tests running on 16 different browsers as well as three different major versions of Node.JS.
    • To ensure developers and CI hosts are all on the same page, lock files are published.

Answered by theSmaw

I've created a module that bundles the Caja HTML Sanitizer


npm install sanitizer

http://github.com/theSmaw/Caja-HTML-Sanitizer


https://www.npmjs.com/package/sanitizer


Any feedback appreciated.


Answered by Kornel

All usual techniques apply to node.js output as well, which means:


  • Blacklists will not work.
  • You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
  • You're supposed to HTML-escape text in HTML output.

I'm not sure if node.js comes with some built-in for this, but something like that should do the job:


// Escapes text for insertion into HTML output; the "&" replacement had been
// mangled to '&' by the page extraction and is restored to '&amp;' here.
function htmlEscape(text) {
   return text.replace(/&/g, '&amp;').
     replace(/</g, '&lt;').  // it's not necessary to escape >
     replace(/"/g, '&quot;').
     replace(/'/g, '&#039;');
}

Answered by Baggz

I recently discovered node-validator by chriso.

Example


get('/', function (req, res) {

  //Sanitize user input
  req.sanitize('textarea').xss(); // No longer supported
  req.sanitize('foo').toBoolean();

});

XSS Function Deprecation


The XSS function is no longer available in this library.


https://github.com/chriso/validator.js#deprecations


Answered by jeandenis

You can also look at ESAPI. There is a javascript version of the library. It's pretty sturdy.


Answered by Paramore

In newer versions of the validator module you can use the following script to prevent XSS attacks:

  var validator = require('validator');

  var escaped_string = validator.escape(someString);

Answered by Shivanshu Goyal

Try out the npm module strip-js. It performs the following actions:


  • Sanitizes HTML
  • Removes script tags
  • Removes attributes such as "onclick", "onerror", etc. which contain JavaScript code
  • Removes "href" attributes which contain JavaScript code

https://www.npmjs.com/package/strip-js


Answered by Renan Bronchart

You should try library npm "insane". https://github.com/bevacqua/insane


I tried it in production, and it works well. The size is very small (around ~3kb gzipped).

  • Sanitize html
  • Remove all attributes or tags who evaluate js
  • You can allow attributes or tags that you don't want sanitize

The documentation is very easy to read and understand. https://github.com/bevacqua/insane
