nestingLimit option

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 2.0.0-rc.4 (2020-09-23):
+- `nestingLimit` option added.
+
 ## 2.0.0-rc.3 (2020-09-09):
 - Upgrade `is-plain-object` package with named export. Thanks to [Bogdan Chadkin](https://github.com/TrySound) for the contribution.
 

README.md

@@ -543,6 +543,16 @@ This will transform `<disallowed>content</disallowed>` to `&lt;disallowed&gt;con
 
 Valid values are: `'discard'` (default), `'escape'` (escape the tag) and `'recursiveEscape'` (to escape the tag and all its content).
 
+### Restricting deep nesting
+
+You can limit the depth of HTML tags in the document with the `nestingLimit` option:
+
+```javascript
+nestingLimit: 6
+```
+
+This will prevent the user from nesting tags more than 6 levels deep. Note that the rules for preserving text inside the nested tags are the same in this situation as they would be if the tags were not on the `allowedTags` list.
+
 ## About ApostropheCMS
 
 `sanitize-html` was created at [P'unk Avenue](https://punkave.com) for use in [ApostropheCMS](https://apostrophecms.com), an open-source content management system built on Node.js. If you like `sanitize-html` you should definitely check out ApostropheCMS.

index.js

@@ -12,7 +12,7 @@ const mediaTags = [
   'object', 'map', 'iframe', 'embed'
 ];
 // Tags that are inherently vulnerable to being used in XSS attacks.
-const vulnerableTags = ['script', 'style'];
+const vulnerableTags = [ 'script', 'style' ];
 
 function each(obj, cb) {
   if (obj) {
@@ -224,7 +224,7 @@ function sanitizeHtml(html, options, _recursing) {
         }
       }
 
-      if ((options.allowedTags && options.allowedTags.indexOf(name) === -1) || (options.disallowedTagsMode === 'recursiveEscape' && !isEmptyObject(skipMap))) {
+      if ((options.allowedTags && options.allowedTags.indexOf(name) === -1) || (options.disallowedTagsMode === 'recursiveEscape' && !isEmptyObject(skipMap)) || (options.nestingLimit != null && depth >= options.nestingLimit)) {
         skip = true;
         skipMap[depth] = true;
         if (options.disallowedTagsMode === 'discard') {
@@ -680,18 +680,18 @@ sanitizeHtml.defaults = {
   ],
   disallowedTagsMode: 'discard',
   allowedAttributes: {
-    a: ['href', 'name', 'target'],
+    a: [ 'href', 'name', 'target' ],
     // We don't currently allow img itself by default, but this
     // would make sense if we did. You could add srcset here,
     // and if you do the URL is checked for safety
-    img: ['src']
+    img: [ 'src' ]
   },
   // Lots of these won't come up by default because we don't allow them
-  selfClosing: ['img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta'],
+  selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
   // URL schemes we permit
-  allowedSchemes: ['http', 'https', 'ftp', 'mailto'],
+  allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
   allowedSchemesByTag: {},
-  allowedSchemesAppliedToAttributes: ['href', 'src', 'cite'],
+  allowedSchemesAppliedToAttributes: [ 'href', 'src', 'cite' ],
   allowProtocolRelative: true,
   enforceHtmlBoundary: false
 };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sanitize-html",
-  "version": "2.0.0-rc.2",
+  "version": "2.0.0-rc.3",
   "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
   "sideEffects": false,
   "main": "index.js",