Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

inject-stylesheet

braintree1.2mMIT6.0.2TypeScript support: included

Create a style element with CSS properties, filtering input using a allowlist or blocklist

readme

inject-stylesheet

This library takes a blocklist (or allowlist) of CSS properties and sanitizes for known CSS exploits.

API

Where mentioned, styles is an object with its keys being CSS selectors and values being CSS property key-value pairs.

var stylesheet = injectStylesheet.injectWithBlocklist(styles [, blocklist]);
var stylesheet = injectStylesheet.injectWithAllowlist(styles [, allowlist]);

After usage, stylesheet will refer to the <style> tag that was injected into the <head> of the document.

var injectStylesheet = require("inject-stylesheet");
var styles = {
  input: {
    "font-size": "16pt",
    color: "#3A3A3A",
  },
  ".invalid": {
    color: "tomato",
  },
  "@media screen and (max-width: 700px)": {
    input: {
      "font-size": "14pt",
    },
  },
};
var allowlist = ["font-size", "color"];
var blocklist = ["background", "display"];

injectStylesheet.injectWithBlocklist(styles, blocklist);
injectStylesheet.injectWithAllowlist(styles, allowlist);

Sanitization

Selectors

Selectors are filtered for things such as {}, @import, etc.

Keys

Keys are filtered based on whether or not a blocklist or allowlist was given. injectStylesheet will assume that its second parameter is a blocklist unless the third parameter is true, which will designate it as a allowlist. This listing is used to filter the given CSS properties for exclusion or inclusion.

Values

Values are checked against usages of url(), evaluate(), and other potentially abused and powerful CSS functions.

Browser Support

All modern browsers, and IE9+

changelog

CHANGELOG

6.0.2

  • Update (sub-)dependencies
    • cross-spawn to 7.0.6
    • micromatch to 4.0.8

6.0.1

  • Updates braces to 3.0.3

6.0.0

  • Update to node v18

  • Dev Dependency Updates

    • Update to TypeScript 5
    • Update prettier to next major version
    • Update eslint-plugin-prettier to next major version
    • Other minor dependency updates

5.0.0

  • Patch exploit where additional CSS rules could be inserted by appending them to a rule's value with &, < or >

Breaking Changes

  • No longer allow \ in values for CSS rules
  • No longer allow < or > in values for CSS rules

4.0.0

Breaking Changes

  • Ignore DOMException errors when calling insertRule while inserting stylesheet

3.0.0

  • Add typescript types

Breaking Changes

  • drop IE8 support
  • Throw any errors that are not SyntaxError when calling insertRule while inserting stylesheet

2.0.0

Breaking Changes

  • change injectWithBlacklist to injectWithBlocklist
  • change injectWithWhitelist to injectWithAllowlist

1.0.0

  • Initial release