Marksafe is a simple and pragmatic library for allowing user-generated content in a web application. It is an alternative to makdown which already guarantees safety of generated markup without the need for HTML sanitizers.
Marksafe is almost like regular HTML but maintains an allow-list of tag and attribute names. These can be easily modified to suit particular situations.
Due to how marksafe functions, you have to run it in the browser. But fear not because this is a tiny library that weighs in at only 5kb unminified.
npm i marksafe
import { Marksafe } from "marksafe"
import { Marksafe } from ""
<section id="ms">
This is escaped Marksafe text. "h1" tag is allowed
This is the first paragraph. "p" tag is allowed
Links like [a]href=,,this[/a] can be present.
Images like [img]src=,,alt=marksafe logo[/img] can also be present.
... Many more tags are allowed
Althogh [b]section[/b] tag is allowed, this will not parse because the whole marksafe content is inside a [b]section[/b]. As a result, parts of the section outside the internal nodes will appear as [b]text[/b] nodes in the generated markup instead of being part of an output [b]section[/b] node.
End of marksafe content
// Marksafe.tags.add('footer'); // we can trivially add/remove allowed tags, but this line is no longer needed since `footer` is allowed by default.
The above example already shows everything you need to know about using marksafe. These are the points to note:
- Use marksafe in the browser.
- Marksafe is just html with the angle brackets
(< and >)
replaced with square brackets([ and ])
. - Every HTML thing (like quotes) should be escaped. Just escape the whole marksafe code as untrusted HTML.
- Marksafe v2 now supports an allow-list of attribute names. Place the attributes in the content area separated by `Marksafe.attrSep (',,' by default). Use the same separator to separate the attributes from the actual content as shown in the example. If the final element only has attributes, the content you enter in marksafe code should end with the separator.
- Marksafe v2 also now supports a shorthand syntax to reduce boilerplate, also seen in the example with the 4
tags written like a single one. - Put the whole marksafe code inside any element that is not present within the marksafe code. For example if you put marksafe inside a
, anydivs
inside the marksafe code will render as simple text nodes. - Just call
with the containing element as the sole argument. The previously escaped textContent inside the element becomes innerHTML instead. - To learn more you can read the API docs or the source code which is 115 lines. You can easily modify the allow-list of tags and attributes or even extend the Marksafe class to further customise Marksafe according to your needs.
Cheers and kindly share and promote this. You can also sponsor me on GitHub. It's important...