After seeing the name "sanitize-filename", I thought that the library was going to output a name that is considered to be safe (secure) for use a filename. After reviewing the code, I concluded otherwise.

For example, .. is returned as .., which is not suitable for most I/O-related operations (imagine: creating a new "temporary" directory/file, then removing the temporary directory with rimraf. Oops, now you've lost much more than the temporary directory/file). Besides this obvious case, there are several other constraints outlined at https://msdn.microsoft.com/en-us/library/aa365247.aspx.

This could be fixed in several ways, including but not limited to:

• Return an empty string if the filename is insecure (then callers can use sanitize(filename) || 'defaultname' if they want to).
• Add a prefix / suffix if the filename is insecure.

As the title suggests: It would be great if this was usable with the import/export syntax.

At least my IDE is complaining:

import * as sanitize from 'sanitize-filename';

This module can only be referenced with ECMAScript imports/exports by turning on the 'esModuleInterop' flag and referencing its default export.

When streaming a filename with a \u202f character using express.js, it throws an error when setting the Content-Disposition header:

// throws ERR_INVALID_CHAR
res.setHeader(
    'Content-Disposition',
    'attachment; filename="example\u202f.txt"',
);

After sanitizing a string with the \u202f character, it is still present in the string. Should it get sanitized by sanitize-filename or is that expected?

AFAICT, the way which sanitize is exported isn't ideal:

https://github.com/parshap/node-sanitize-filename/blob/master/index.d.ts#L8

export = sanitize;

When I try to reference it using a standard Typescript import statement,

I get these two errors:

'sanitize' can only be imported by using 'import sanitize = require(\"sanitize-filename\")' or by turning on the 'esModuleInterop' flag and using a default import.
`This module can only be referenced with ECMAScript imports/exports by turning on the 'esModuleInterop' flag and referencing its default export.

As far as I can tell, this might be resolved changing export=sanitize to export sanitize.

ref: https://stackoverflow.com/questions/68785926/this-module-can-only-be-referenced-with-ecmascript-imports-exports-by-turning-on

Is this package safe to use in a browser environment? By the name I was a bit worried (node-sanitize-filename) but it doesn't seem any of the deps are node dependent and, after double checking my webpack bundles, it doesn't seem like library size is an issue (minimized it added only about 2kb to my output). I also read through the code and don't see it using any node built-ins like path or fs.

Just wanted to check before using in a SPA so I don't run into any surprises. Also, if it's not node dependent, and you don't foresee it being so in the future, maybe it's worth renaming the package to just "sanitize-filename" so other folks don't get tripped up by that? I could see this package being useful in a variety of applications both front-end and back-end. There's a lot of questions on stack overflow pertaining to this (which is fact how I came here) and it would be nice to depend on a small package like this that's actively maintained instead of just copying and pasting regexes.

var sanitizeFilename = require("sanitize-filename")
sanitizeFilename('../test')

returns..
"..test"

In the README it says
sanitize-filename removes the following: Unix reserved filenames (. and ..)

Is the correct behavior?

I don't know why anyone would want to pass illegal/unsafe characters as the replacement but is it worthwhile to validate it?

some apps (I ran into DropBox specifically) only support characters within the BMP range. (emoji are outside the BMP range)

Is it an option to provide this limit?

This package is blocked my office antivirus. Could you add vendor folder to .npmignore?

Can you drop these in as filenames and verify they are never rejected?

Example:

sanitize('long-filename.tar.gz', { extension: '.tar.gz' })

This should truncate the filename while preserving the extension.

Hello, I am using this library to sanitize my file names. While developing the application in dev environment I didn't have any problems. After I build the .exe and installed on the one of the prod pc and tried to use it the application crashed and in my dev tools tab got this error - "Uncaught ReferenceError: Buffer is not defined". The problem causes only in electron application,

Stack- React/Typescript/Mobx/Webpack/Electron

probably should sanitize them out too

Currently given strings are sanitized against all known file systems' requirements. It would be nice to allow the user to specify the file system they need to protect against.

See discussion in #9.

Different operating systems and different filesystems have different rules about what is a valid filename. We could let the user pass in a "target" system (e.g., "windows", or "fat32") and only sanitize against that system's rule.

That said, I think the default behavior should still be to sanitize against all systems. It seems like a safe default for users that don't bother to look at the options. It also handles the common use case of naming files that will be shared across systems (e.g., files served via http).

If last path name is number, sanitize make error. if your filename compose with only number like '//user/fish/888', sanitize function prameter 'input' is number. so input.replace happen exception

Hey there 👋

Our bot, Adaptly, found that 10 out of 10 currently open dependency update PRs can be merged.
That's 100% right there:

🔎   How does Adaptly know this?

✨ Try Adaptly yourself

Instead of removing all illegal characters. Some can be replaced by alternatives, for example:

• * --> ∗
• ' --> ＇
• " --> ＂

Is this a good idea?

If a file name that is being sanitized begins with ./ ,the forward slash will be removed but the period will stay to create a hidden system file.

put comma in illegalRe to sanitize file name. It will be help full while setting the contentDisposition header with filename.

setHeader('Content-disposition', 'attachment;filename=' + sanitizedFileName);

Hi, I'm using the module for sanitizing file names for downloaded video files, and process those files later on using FFmpeg. The problem is, your module deems a ' as safe, but it will cause an error if used with FFmpeg.
There might be workarounds for that, or I could manually remove '-characters, but I'd prefer if you could offer us the option to specify our own reserved characters, either in addition to the existing ones or as a replacement to them.

For example, have and option to call sanitize.(<input>, {invalid: ["'"], replacement: "_"} and have it replace everything it already replaces, but also '.

This shouldn't be too much work but I think it would be very useful!

Looks awesome but would be great to have typescript typings too..

Hello,

This module is super useful :-)
I was wondering if you considered throwing an error if the path appeared to be invalid? Or to expose a function to validate if the path is safe?

Thank you for your answer :-)

• If a file contains only illegal characters, it should be defaulted to something, perhaps "file"
• If a file contains an illegal name before the last period (i.e. extension), it should be defaulted to something, perhaps "file.extension"

Similarly to stripping out unix-reserved filenames, shouldn't this also handle windows reserved filenames? Ref