Prevent parse of invalid html tags #124

Closed
nicoleCamoro opened this issue Oct 3, 2019 · 2 comments
Labels
question Further information is requested


nicoleCamoro commented Oct 3, 2019

Expected Behavior

Parser should ignore invalid html "tags".

Actual Behavior

I receive this error in the console:
DOMException: Failed to execute 'createElement' on 'Document': The tag name provided ('[email protected]') is not a valid name.

Steps to Reproduce

I'm parsing an email body and one of its contents has this format: <an,[email protected]>

var parse = require('html-react-parser');
parse("<p><[email protected]></p>");

Environment

  • Version: 0.6.4
  • Platform: Windows 10
  • Browser: Google Chrome 77.0.3865.90

remarkablemark (Owner) commented Oct 4, 2019

Thanks for opening the issue @nicoleCamoro!

The error you get when trying to render an invalid tag is expected (see fiddle).

html-react-parser (or the dependency html-dom-parser, to be exact) does not handle sanitizing HTML markup. The reasons are:

  1. It's beyond the scope of what this parser does (see Unix philosophy),
  2. Sanitization adds additional complexity and bloat to the package,
  3. There are already packages that do a great job sanitizing HTML so there's no reason to reinvent the wheel, right?

So this leads to my follow-up question, which is: are you able to use an HTML sanitization library? (I.e., sanitize-html or dompurify.)

I created a Repl.it that uses sanitize-html to sanitize your example. There's also a Repl.it that uses dompurify to sanitize HTML (see #94).

Let me know if this helps answer your question.

@remarkablemark remarkablemark added the question Further information is requested label Oct 4, 2019
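
An added example (not code from html-react-parser or from either commenter) of a pre-filter for the case in this issue: it escapes any `<...>` token whose tag name `createElement` would reject, so an angle-bracketed address in an email body is rendered as text instead of throwing. `escapeInvalidTags`, the name pattern and the sample input are assumptions made for this example.

```javascript
// Hypothetical helper, not part of html-react-parser or html-dom-parser.
// Conservative element-name check (assumption): an ASCII letter followed by
// letters, digits or hyphens. Stricter than the browser's own rule, so any
// name it accepts is also accepted by document.createElement.
const VALID_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeInvalidTags(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    // Comments pass through untouched, whatever they contain.
    if (html.startsWith('<!--', lt)) {
      const end = html.indexOf('-->', lt + 4);
      const stop = end === -1 ? html.length : end + 3;
      out += html.slice(lt, stop);
      i = stop;
      continue;
    }
    const gt = html.indexOf('>', lt);
    // A "<" that is never closed is plain text.
    if (gt === -1) { out += escapeText(html.slice(lt)); break; }
    const token = html.slice(lt, gt + 1);
    // Tag name as an HTML tokenizer reads it: up to whitespace, "/" or ">".
    const name = /^<\/?([^\s/>]*)/.exec(token)[1];
    const isDoctype = /^<!doctype\b/i.test(token);
    out += (isDoctype || VALID_NAME.test(name)) ? token : escapeText(token);
    i = gt + 1;
  }
  return out;
}

// Constructed sample resembling an email body with an angle-bracketed address.
const sample = '<p>From: Ann <ann@example.com></p>';
console.log(escapeInvalidTags(sample));
```

This only removes the invalid-tag-name failure; it is not a sanitizer, so untrusted markup still needs sanitize-html or dompurify, as suggested above, before it reaches `parse()`.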
@nicoleCamoro
Author

Oh I'm sorry I missed that. Your answer definitely helps. Thanks!
