Remove every html tag with JsHtmlSanitizer

Question

I finnally got the JsHtmlSanitizer working as a standalone clientside script. Now I'd like to remove all HTML-Tags from a string and not just script-tags and links. This example

html_sanitize('<b>hello</b><img src="http://google.com"><a href="javascript:alert(0)"><script src="http://www.google.com"><\/script>');

returns "hello" but I'd like to remove all tags.

At that point, why not just treat it as an XML document and get the innerText? — Waleed Khan, Dec 25 '12 at 12:03
I want to implement a live-preview with bb-code in a programm I'm currently working on. So first I want to remove all HTML-Tags and then convert the BB-Code to HTML — John Doe, Dec 25 '12 at 12:14
So why not just treat it as an XML document and get the innerText? — Waleed Khan, Dec 25 '12 at 12:15
@JohnDoe: Take a look http://jsfiddle.net/tarabyte/UeVgA/3/. You can convert input string to Document. And traverse it to get text nodes or whatever you like. — Yury Tarabanko, Dec 27 '12 at 20:34
@YuryTarabanko why not just use frag.innerText after you add html to sandbox instead of parse dom tree? — anton_byrna, Dec 27 '12 at 22:37
@anton_byrna: I've copied `getText` from sizzle (there is a note about it). `// innerText usage removed for consistency of new lines (see #11153)` http://bugs.jquery.com/ticket/11153 — Yury Tarabanko, Dec 27 '12 at 22:45

score 0 · Accepted Answer · answered Dec 28 '12 at 07:54

Why not use regular expressions to remove all HTML tags after sanitizing?

var input = '<b>hello</b><img src="http://google.com"><a href="javascript:alert(0)"><script src="http://www.google.com"></script>';
var output = null;
output = html_sanitize(input);
output = output.replace(/<[^>]+>/g, '');

This should strip your input string of all html tags after sanitization.

If you want to do just basic sanitization (removing script and style tags with their content and all html tags only) you could implement the entire thing within regex. I have demonstrated an example below.

var input = '<b>hello</b><img src="http://google.com"><a href="javascript:alert(0)"><script src="http://www.google.com"></script>';
input += '<script> if (1 < 2) { alert("This script should be removed!"); } </script><style type="text/css">.cssSelectorShouldBeRemoved > .includingThis { background-color: #FF0000; } </style>';

var output = null;
output = input.replace(/(?:<(?:script|style)[^>]*>[\s\S]+?<\/(?:script|style)[^>]*>)|<[^>]+>/ig, '');

Don't you know that there's a bot that crawls SO for answers containing "regular expressions" and "HTML", and auto-posts this link as a comment: http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags — user123444555621, Dec 28 '12 at 08:01

score 0 · Answer 2 · answered Dec 28 '12 at 10:56

Use this javascript function below to remove all html tags from the string you get from html_sanitize().

var output = html_sanitize('<b>hello</b><img src="http://google.com"><a href="javascript:alert(0)"><script src="http://www.google.com"><\/script>');

output = output.replace(/(<.*?>)/ig,"");

Hope it helps :)

Remove every html tag with JsHtmlSanitizer

2 Answers2