util/data/purify

Functions

purify()

purify(input): string

Defined in: extension/data/util/data/purify.ts:31

Sanitizes an untrusted string and returns display-ready plain text. DOMPurify strips any dangerous markup; htmlDecode (from util/data/encoding) then converts the entity-encoded output back to literal characters, so values rendered as React text nodes or .textContent show < rather than &lt;. Values destined for dangerouslySetInnerHTML must use purifyHTML instead.

Parameters

input

string

Returns

string


purifyHTML()

purifyHTML(input): string

Defined in: extension/data/util/data/purify.ts:20

Sanitizes an untrusted string and returns sanitized HTML markup, suitable for dangerouslySetInnerHTML. This is the sink-side sanitizer: every dangerouslySetInnerHTML consumer of untrusted data should wrap its value here, so the decision “this becomes live markup” lives next to the sink rather than being inferred elsewhere.

Pass real markup. Locally rendered markdown already is. API fields that arrive entity-encoded (e.g. Reddit’s body_html) are decoded to real markup by purifyObject before they reach a sink, so DOMPurify actually inspects the tags. (Given raw entity-encoded input, DOMPurify would see only text and strip nothing - so never hand a sink an undecoded *_html field.)

Parameters

input

string

Returns

string
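
The rule above ("never hand a sink an undecoded *_html field") can be enforced with a small guard in front of the sanitizer. The following is an added example, not code from this project: the function names, the minimal entity decoder (a stand-in, not the project's htmlDecode) and the sample string are assumptions made for illustration.

```typescript
// Added example: hypothetical sink guard, not code from toolbox's purify.ts.
// Minimal decoder (assumption): five named entities plus numeric references.
const NAMED = new Map<string, string>([
    ['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"],
]);

function decodeEntitiesOnce(s: string): string {
    return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match: string, body: string): string => {
        if (body[0] !== '#') {
            return NAMED.get(body.toLowerCase()) ?? match; // unknown names stay as-is
        }
        const hex = body[1] === 'x' || body[1] === 'X';
        const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
        return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    });
}

// Something shaped like an opening or closing tag.
const TAG = /<\/?[a-z][^>]*>/i;

type SinkInputKind = 'markup' | 'plain-text' | 'entity-encoded-markup';

function classifySinkInput(value: string): SinkInputKind {
    if (TAG.test(value)) {
        return 'markup'; // real tags: a tag-based sanitizer has something to inspect
    }
    if (TAG.test(decodeEntitiesOnce(value))) {
        return 'entity-encoded-markup'; // tags exist only after decoding: sanitizer sees text
    }
    return 'plain-text';
}

// Call before the sanitizer at an HTML sink; throws on an undecoded *_html value.
function assertDecodedMarkup(field: string, value: string): string {
    if (classifySinkInput(value) === 'entity-encoded-markup') {
        throw new Error(`${field}: entity-encoded markup reached an HTML sink undecoded`);
    }
    return value;
}

// Constructed sample in the shape of an entity-encoded body_html field.
const SAMPLE_BODY_HTML = '&lt;div class="md"&gt;&lt;p&gt;hi&lt;/p&gt;&lt;/div&gt;';
```

Real markup that merely contains encoded text, such as a paragraph showing &lt;b&gt; literally, classifies as markup and passes the guard, so only fields with no inspectable tags at all are rejected.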


purifyObject()

purifyObject(input): void

Defined in: extension/data/util/data/purify.ts:48

Walks an object and sanitizes every string value, decoding each to display-ready plain text via purify. Strings that parse as JSON objects are decoded, sanitized in place, and re-serialized.

Every value is treated uniformly - the walker makes no per-key guesses about whether a field is later rendered as text or as HTML. The few consumers that render a field via dangerouslySetInnerHTML (e.g. Reddit’s body_html / selftext_html) re-sanitize it with purifyHTML at the sink; because the value arrives at the sink as real (decoded) markup, that sink-side DOMPurify pass actually inspects the tags.

Parameters

input

any

Returns

void