Security News
How Threat Actors are Abusing GitHub’s File Upload Feature to Host Malware
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
@braintree/sanitize-url
Advanced tools
Package description
The @braintree/sanitize-url npm package is designed to help developers ensure that URLs are safe for use within their applications. It provides functionality to sanitize URLs, removing potentially malicious or harmful content. This can be particularly useful in preventing XSS (Cross-Site Scripting) attacks by ensuring that only safe and valid URLs are allowed.
Sanitize URLs
This feature allows you to sanitize a URL, ensuring it is safe to use. If the URL contains potentially harmful JavaScript or other malicious content, it is replaced with 'about:blank', indicating that the original URL was not safe. This is particularly useful for preventing XSS attacks.
"use strict";
const sanitizeUrl = require('@braintree/sanitize-url').sanitizeUrl;
let safeUrl = sanitizeUrl('javascript:alert(document.cookie)');
console.log(safeUrl); // 'about:blank'
safeUrl = sanitizeUrl('https://www.example.com');
console.log(safeUrl); // 'https://www.example.com'
While primarily focused on sanitizing HTML input to prevent XSS attacks, sanitize-html can also be used to sanitize URLs within HTML content. It offers a broader range of sanitization features compared to @braintree/sanitize-url, which is specifically focused on URLs.
DOMPurify is another library that can sanitize HTML and prevent XSS attacks. It can be used to sanitize URLs within the context of HTML content. DOMPurify provides a wide range of options for customization and is more focused on HTML content sanitization, whereas @braintree/sanitize-url is specifically tailored for URL sanitization.
xss-filters is a library designed to prevent XSS attacks through various filtering mechanisms, including URL filtering. It offers a suite of secure and context-aware escaping functions. Compared to @braintree/sanitize-url, xss-filters provides a broader approach to XSS prevention, including but not limited to URL sanitization.
Readme
npm install -S @braintree/sanitize-url
var sanitizeUrl = require("@braintree/sanitize-url").sanitizeUrl;
sanitizeUrl("https://example.com"); // 'https://example.com'
sanitizeUrl("http://example.com"); // 'http://example.com'
sanitizeUrl("www.example.com"); // 'www.example.com'
sanitizeUrl("mailto:hello@example.com"); // 'mailto:hello@example.com'
sanitizeUrl(
"https://example.com"
); // https://example.com
sanitizeUrl("javascript:alert(document.domain)"); // 'about:blank'
sanitizeUrl("jAvasCrIPT:alert(document.domain)"); // 'about:blank'
sanitizeUrl(decodeURIComponent("JaVaScRiP%0at:alert(document.domain)")); // 'about:blank'
// HTML encoded javascript:alert('XSS')
sanitizeUrl(
"javascript:alert('XSS')"
); // 'about:blank'
This library uses Vitest. All testing dependencies
will be installed upon npm install
and the test suite can be executed with
npm test
. Running the test suite will also run lint checks upon exiting.
npm test
To generate a coverage report, use npm run coverage
.
FAQs
A url sanitizer
The npm package @braintree/sanitize-url receives a total of 1,070,083 weekly downloads. As such, @braintree/sanitize-url popularity was classified as popular.
We found that @braintree/sanitize-url demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.