@18f/private-eye
A JavaScript plugin to warn users about links to private pages. Places a :lock: icon next to any links with any URLs that you specify as private, and gives a warning message.
At 18F, this is used on public sites that contain links to internal content like private GitHub repositories or Google Docs. Rather than write two versions to redact those links, this allows us to publish new content and give a warning to both staff and external readers.
Compatible with modern browsers (IE 9+). No dependencies.
Private Eye can be included as a normal script on your page, exposing a `PrivateEye` global.
```html
<script src="private-eye.js" defer></script>
```
Private Eye supports CommonJS, and is thus compatible with Browserify, WebPack, etc.
Install the module.
```sh
npm install --save @18f/private-eye
```
Include in your application:
```js
// The module name must match the scoped package name that was installed.
var PrivateEye = require('@18f/private-eye');
```
To get started using Private Eye, initialize `PrivateEye` with an object containing an `ignoreUrls` property with a list of URLs to match.
```js
document.addEventListener('DOMContentLoaded', function() {
  new PrivateEye({
    // list of URLs to match as substrings – can be full URLs, hostnames, etc.
    ignoreUrls: [
      'http://so.me/private/url',
      'anoth.er',
      // ...
    ]
  });
}, false );
```
Private Eye supports custom messages for links. The examples below provide different ways to customize a URL's messaging from general to granular.
The default message given to links can be configured across all private URLs by passing in an option named `defaultMessage`. This property is added to the object passed into `PrivateEye( { /*...*/ } );`.
```js
document.addEventListener('DOMContentLoaded', function() {
  new PrivateEye({
    // Update the default message to a custom `string`.
    defaultMessage: "This link is secured, please ensure you have the proper credentials to access it.",
    ignoreUrls: [
      'http://so.me/private/url',
      'anoth.er',
      // ...
    ]
  });
}, false );
```
In the example above, all URLs matched by `ignoreUrls` will have the customized `defaultMessage` as the message the user sees when they hover over the link.
Custom messaging is supported on a per-URL basis as well. This is done by passing an object in the `ignoreUrls` array with a `url` and `message` property for the URL to match and the message to display respectively.
```js
document.addEventListener('DOMContentLoaded', function() {
  new PrivateEye({
    ignoreUrls: [
      'http://so.me/private/url',
      // Custom messages for individual URLs are passed in as an object.
      {
        url: 'anoth.er',
        message: 'This is another link that may not be accessible to you without the proper credentials',
      },
      // ...
    ]
  });
}, false );
```
In the example above, the URL matches for `http://so.me/private/url` will have the base default message. The URL matches for `anoth.er` will have a specific custom message for only those individual matches.
Custom messaging is supported on a per-element basis. If a `title` attribute is found on any matched `anchor`, the default or custom messaging is never set on the `anchor`. The original `title` attribute is left unmodified. This can be used to customize individual `anchor` elements on a more granular level.
```js
// Set up for the plugin is the same as "Basic Usage" above.
document.addEventListener('DOMContentLoaded', function() {
  new PrivateEye({
    // list of URLs to match as substrings – can be full URLs, hostnames, etc.
    ignoreUrls: [
      'http://so.me/private/url',
      'anoth.er',
      // ...
    ]
  });
}, false );
```
```html
<!-- Base, or configured, default messaging for this link. -->
<a href="http://so.me/private/url">A private URL</a>
<!-- Granular custom message for only this specific element. -->
<a href="http://so.me/private/url" title="This link is still private and you may not have access to it.">Another private URL</a>
```
In the example above, the customized message is set as a `title` attribute on one of the matched `anchor` elements. The first match without a `title` attribute will have the base default message. The second match with a `title` attribute will have the custom message found in `title`. This use case is particularly useful if your HTML page already contains valuable messaging around private URLs, or if you'd like to configure the messaging without the need of using JavaScript.
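The precedence described in the three messaging sections above (an existing `title`, then a per-URL `message`, then `defaultMessage`), combined with the substring matching of `ignoreUrls`, sketched as an added example; it is not the code in `private-eye.js`. Assumptions: anchors are modelled as plain `{ href, title }` objects so it runs in Node, the first matching entry wins, and `PLACEHOLDER_DEFAULT` stands in for the library's built-in text, which the page does not quote.

```javascript
// Added illustration, not the code in private-eye.js. Anchors are modelled as
// plain { href, title } objects so the logic runs in Node without a DOM.

// Placeholder: the page does not quote the library's built-in default text.
const PLACEHOLDER_DEFAULT = '<library default message>';

// Accept both entry shapes from the README: 'substring' or { url, message }.
function normalizeEntries(ignoreUrls) {
  return ignoreUrls.map((entry) =>
    typeof entry === 'string'
      ? { url: entry, message: null }
      : { url: entry.url, message: entry.message || null });
}

// Decide whether a link is flagged and which hover text it ends up with.
// Assumption: when several entries match, the first one listed wins.
function resolveLink(anchor, opts) {
  const entries = normalizeEntries(opts.ignoreUrls || []);
  const hit = entries.find((e) => e.url && anchor.href.includes(e.url));
  if (!hit) return { flagged: false, title: anchor.title || null, source: 'none' };
  // An existing title attribute is left unmodified.
  if (anchor.title) return { flagged: true, title: anchor.title, source: 'element' };
  if (hit.message) return { flagged: true, title: hit.message, source: 'per-url' };
  return {
    flagged: true,
    title: opts.defaultMessage || PLACEHOLDER_DEFAULT,
    source: 'default',
  };
}

// Constructed sample configuration and links.
const opts = {
  defaultMessage: 'This link is secured.',
  ignoreUrls: ['http://so.me/private/url', { url: 'anoth.er', message: 'Credentials required.' }],
};
const links = [
  { href: 'http://so.me/private/url/doc', title: '' },
  { href: 'http://so.me/private/url', title: 'Staff only.' },
  { href: 'https://anoth.er/wiki', title: '' },
  { href: 'https://example.org/?ref=anoth.er', title: '' }, // substring over-match
  { href: 'https://so.me/private/url', title: '' },          // https variant: no match
];
const results = links.map((a) => resolveLink(a, opts));
results.forEach((r, i) => console.log(links[i].href, '->', r.source, '|', r.title));
```

The fourth sample link is flagged only because the substring `anoth.er` appears in its query string, and the fifth is missed because the configured entry spells out `http://`; entries written as full URLs need every scheme variant listed, while bare hostnames match more broadly than intended.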
To add the private lock icon only to a specific section of the page, pass in a CSS selector via the `wrapper` option.
```js
document.addEventListener('DOMContentLoaded', function() {
  new PrivateEye({
    // using the wrapper property on the opts object - here, limiting to links under a tag with a "private" class
    wrapper: '.private',
    // list of URLs to match as substrings – can be full URLs, hostnames, etc.
    ignoreUrls: [
      'http://so.me/private/url',
      'anoth.er',
      // ...
    ]
  });
}, false );
```
```html
<div class="private">
  <a href="http://so.me/private/url">A private URL that will get a lock</a>
</div>
<a href="http://so.me/private/url">A private URL that will not get a lock</a>
```
To get started developing, simply clone this repo and you're ready. Private Eye has no dependencies and does not have a build process. All code for Private Eye is located in `private-eye.js`.
This project uses `jest` for testing. First, run `npm install`, which will install jest. Tests can be run with `npm test`, or with `npm run test:watch` to rerun tests when files change.
FAQs
The npm package @18f/private-eye receives a total of 6 weekly downloads. As such, @18f/private-eye popularity was classified as not popular.
We found that @18f/private-eye demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.