A sub-6kb WYSIWYG editor with built-in XSS protection. Try pasting HTML — including XSS payloads.
Type here, paste HTML, or use the toolbar. Try pasting <img src=x onerror=alert(1)> — the sanitizer will strip it.
Install from npm:
npm install minisiwyg-editor
import { createEditor } from 'minisiwyg-editor';
import { createToolbar } from 'minisiwyg-editor/toolbar';
const editor = createEditor(document.querySelector('#editor'), {
  onChange: (html) => console.log(html),
});
const toolbar = createToolbar(editor);
document.querySelector('#toolbar').appendChild(toolbar.element);
import { sanitize, DEFAULT_POLICY } from 'minisiwyg-editor/sanitize';
const dirty = '<p onclick="alert(1)">Hi <strong>there</strong></p>';
const clean = sanitize(dirty, DEFAULT_POLICY);
// → '<p>Hi <strong>there</strong></p>'
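An added example (not part of minisiwyg-editor or its docs): a DOM-free audit that can be run over the output of any sanitizer, such as the `sanitize` call above, in a regression test. It goes beyond the event-handler case shown on this page by also flagging blocked elements and script-capable URL schemes; `findUnsafeMarkup`, `auditSanitizer`, `PAGE_SAMPLES` and `passthrough` are names made up for this example.

```javascript
// Added example, not minisiwyg-editor code: a DOM-free audit of sanitizer output.
const TAG_RE = /<\s*([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
const BLOCKED_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'style']);
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Returns a list of findings for one serialized HTML string (empty = clean).
function findUnsafeMarkup(html) {
  const findings = [];
  for (const [, rawTag, rawAttrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    if (BLOCKED_TAGS.has(tag)) findings.push(`<${tag}> element`);
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (name.startsWith('on')) findings.push(`${tag}[${name}] event handler`);
      // Strip whitespace/control characters before reading the scheme.
      // data: is flagged conservatively. Entity-encoded values are not decoded.
      const scheme = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
      if (URL_ATTRS.has(name) && /^(javascript|vbscript|data):/.test(scheme)) {
        findings.push(`${tag}[${name}] disallowed URL scheme`);
      }
    }
  }
  return findings;
}

// Runs each input through sanitizeFn and reports outputs that still carry findings.
function auditSanitizer(sanitizeFn, inputs) {
  return inputs
    .map((input) => ({ input, findings: findUnsafeMarkup(sanitizeFn(input)) }))
    .filter((result) => result.findings.length > 0);
}

// The two inputs shown on this page.
const PAGE_SAMPLES = [
  '<img src=x onerror=alert(1)>',
  '<p onclick="alert(1)">Hi <strong>there</strong></p>',
];

// Stand-in "sanitizer" that changes nothing, so the audit has something to report.
const passthrough = (html) => html;
console.log(auditSanitizer(passthrough, PAGE_SAMPLES));
```

In a project test, pass `(html) => sanitize(html, DEFAULT_POLICY)` in place of `passthrough` and assert that the returned array is empty.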
Full API docs, custom policies, and security model: README on GitHub.