A React component for rendering HTML safely. An alternative to dangerouslySetInnerHTML.
The allowed HTML elements and attributes is a direct port of the WordPress wp_kses_post()
attributes found here: https://core.trac.wordpress.org/browser/trunk/src/wp-includes/kses.php
Instead of using the unsanitized dangerouslySetInnerHTML
:
export default function SinglePost({ post }) {
const { title, content } = post;
return (
<article className="blog-post">
<h1>{title}</h1>
<div dangerouslySetInnerHTML={{ __html: content }} />
</article>
);
}
Use safeHTML
in it's place:
import SafeHTML from 'react-safehtml';
export default function SinglePost({ post }) {
const { title, content } = post;
return (
<article className="blog-post">
<h1>{title}</h1>
<div>
{SafeHTML(content)}
</div>
</article>
);
}
content {string}
- The HTML content to be sanitized.allowedTags {array}
- Array of allowed HTML tags.allowedAtts {object}
- Object containing arrays of allowed attributes for each tag.
// Allow only anchor links
const allowedTags = [ 'a' ];
// Allow only href and target attributes
const allowedAtts = { a: [ 'href', 'target' ] };
return SafeHTML( content, allowedTags, allowedAtts );