Project: micromark/micromark

Package: micromark-util-sanitize-uri@1.1.0

  1. Dependents: 0
  2. micromark utility to sanitize urls
  1. util 145
  2. utility 141
  3. micromark 37
  4. url 13
  5. sanitize 3


Build Coverage Downloads Size Sponsors Backers Chat

micromark utility to sanitize urls.


What is this?

This package exposes an algorithm to make URLs safe.

When should I use this?

This package might be useful when you are making your own micromark extensions.


This package is ESM only. In Node.js (version 16+), install with npm:

npm install micromark-util-sanitize-uri

In Deno with esm.sh:

import {sanitizeUri} from 'https://esm.sh/micromark-util-sanitize-uri@1'

In browsers with esm.sh:

<script type="module">
  import {sanitizeUri} from 'https://esm.sh/micromark-util-sanitize-uri@1?bundle'


import {sanitizeUri} from 'micromark-util-sanitize-uri'

sanitizeUri('https://example.com/a&amp;b') // 'https://example.com/a&amp;amp;b'
sanitizeUri('https://example.com/a%b') // 'https://example.com/a%25b'
sanitizeUri('https://example.com/a%20b') // 'https://example.com/a%20b'
sanitizeUri('https://example.com/👍') // 'https://example.com/%F0%9F%91%8D'
sanitizeUri('https://example.com/', /^https?$/i) // 'https://example.com/'
sanitizeUri('javascript:alert(1)', /^https?$/i) // ''
sanitizeUri('./example.jpg', /^https?$/i) // './example.jpg'
sanitizeUri('#a', /^https?$/i) // '#a'


This module exports the identifiers normalizeUri and sanitizeUri. There is no default export.


Normalize a URL.

Encode unsafe characters with percent-encoding, skipping already encoded sequences.


Normalized URI (string).

sanitizeUri(url[, pattern])

Make a value safe for injection as a URL.

This encodes unsafe characters with percent-encoding and skips already encoded sequences (see normalizeUri). Further unsafe characters are encoded as character references (see micromark-util-encode).

A regex of allowed protocols can be given, in which case the URL is sanitized. For example, /^(https?|ircs?|mailto|xmpp)$/i can be used for a[href], or /^https?$/i for img[src] (this is what github.com allows). If the URL includes an unknown protocol (one not matched by protocol, such as a dangerous example, javascript:), the value is ignored.


Sanitized URI (string).


This package is fully typed with TypeScript. It exports no additional types.


Projects maintained by the unified collective are compatible with maintained versions of Node.js.

When we cut a new major release, we drop support for unmaintained versions of Node. This means we try to keep the current release line, micromark-util-sanitize-uri@^2, compatible with Node.js 16. This package works with micromark@^3.


This package is safe. See security.md in micromark/.github for how to submit a security report.


See contributing.md in micromark/.github for ways to get started. See support.md for ways to get help.

This project has a code of conduct. By interacting with this repository, organisation, or community you agree to abide by its terms.


MIT © Titus Wormer