@tramvai/safe-strings - npm Package Compare versions

Comparing version 0.5.8 to 0.5.9

lib/encode.d.ts

3

lib/removeXss.d.ts

@@ -0,1 +1,4 @@

/**
* @deprecated cover a limited number of cases, use `encodeForHTMLContext` instead
*/
export declare const removeXss: (referrer?: string) => string;
import reduce from '@tinkoff/utils/array/reduce';
const xssPossibleTags = [/<link[^>]+>/gi, /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi];
/**
* @deprecated cover a limited number of cases, use `encodeForHTMLContext` instead
*/
const removeXss = (referrer = '') => reduce((newReferrer, regexp) => newReferrer.replace(regexp, ''), referrer, xssPossibleTags);
export { removeXss };

@@ -12,4 +12,7 @@ 'use strict';

const xssPossibleTags = [/<link[^>]+>/gi, /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi];
/**
* @deprecated cover a limited number of cases, use `encodeForHTMLContext` instead
*/
const removeXss = (referrer = '') => reduce__default["default"]((newReferrer, regexp) => newReferrer.replace(regexp, ''), referrer, xssPossibleTags);
exports.removeXss = removeXss;
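Review bot: The `@deprecated` note on `removeXss` should say that `encodeForHTMLContext` is not a drop-in replacement: this function deletes whatever the two patterns in `xssPossibleTags` match and returns the rest of the markup untouched, whereas the README hunk further down says `encodeForHTMLContext` encodes `<`, `>`, `&`, `'`, `"`, so a caller that renders the result as HTML will see escaped text instead of markup. Suggested wording: `@deprecated matches only a small deny-list (link and script tags); use encodeForHTMLContext, which encodes rather than strips and changes the output for any markup passed through`. The same comment is repeated at L44–L46 (ES build) and L38–L40 (the `.d.ts`), so all three copies need the change. The parameter name `referrer` in the `.d.ts` also suggests a narrower purpose than the function has; a neutral name such as `input` would read better in editor tooltips. The two regexes themselves are unchanged by this commit.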

@@ -0,1 +1,4 @@

/**
* Stringify object and encode possible XSS and breaking code symbols for insertion result into script tag
*/
export declare const safeStringify: (json: Record<string, any>) => string;

50

lib/safeStringify.es.js

@@ -1,52 +0,10 @@

// source https://github.com/preactjs/preact-render-to-string/blob/60075a5a7389d638d535c85f3706739e9ba932bc/src/util.js
// perf https://esbench.com/bench/5f88af6cb4632100a7dcd414
const ENCODED_ENTITIES = /[<\u2028\u2029]/;
import { encodeForJSContext } from './encodeForJSContext.es.js';
/**
* Stringify object to safe for evaluation json string
*
* @param {*} json
* @return {String} safe for evaluation json string
* @example
*
* safeStringify({ s:'test string' }) // => '{ "s":"test string" }'
* safeStringify({ s:'some\u2028 test\u2029' }) // => '{ "s": "some\\u2028 test\\u2029" }'
* Stringify object and encode possible XSS and breaking code symbols for insertion result into script tag
*/
function encodeEntities(str) {
// Skip all work for strings with no entities needing encoding:
if (str.length === 0 || ENCODED_ENTITIES.test(str) === false)
return str;
let last = 0;
let i = 0;
let out = '';
let ch = '';
// Seek forward in str until the next entity char:
for (; i < str.length; i++) {
switch (str.charCodeAt(i)) {
case 60: // <
ch = '\\u003C';
break;
case 8232: // u2028 symbol (line separator)
ch = '\\u2028';
break;
case 8233: // u2029 symbol (paragraph separator)
ch = '\\u2029';
break;
default:
continue;
}
// Append skipped/buffered characters and the encoded entity:
if (i !== last)
out += str.slice(last, i);
out += ch;
// Start the next seek/buffer after the entity's offset:
last = i + 1;
}
if (i !== last)
out += str.slice(last, i);
return out;
}
const safeStringify = (json) => {
return encodeEntities(JSON.stringify(json));
return encodeForJSContext(JSON.stringify(json));
};
export { safeStringify };
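Review bot: `JSON.stringify` returns `undefined` for `undefined`, functions and symbols, and the new body of `safeStringify` at L123 forwards that result straight into `encodeForJSContext` (defined outside this hunk), so behaviour for non-serialisable input is whatever that helper does with `undefined`; the removed `encodeEntities` would have thrown on `str.length`, so the contract has silently changed in either case. Suggest making it explicit, e.g. `const s = JSON.stringify(json); if (s === undefined) throw new TypeError('safeStringify: value is not JSON-serializable');` before the call, or documenting the `undefined` path. The JSDoc is also now inconsistent: the sentence appended at L85 lands inside the `@example` section after the samples, and the retained `@param {*} json` contradicts the `Record<string, any>` declared in the new `.d.ts` hunk above; move the appended sentence to the top of the comment and drop `{*}`. The CommonJS build in the hunk at L127–L182 has the identical code and comment and needs the same fix.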

@@ -5,53 +5,11 @@ 'use strict';

// source https://github.com/preactjs/preact-render-to-string/blob/60075a5a7389d638d535c85f3706739e9ba932bc/src/util.js
// perf https://esbench.com/bench/5f88af6cb4632100a7dcd414
const ENCODED_ENTITIES = /[<\u2028\u2029]/;
var encodeForJSContext = require('./encodeForJSContext.js');
/**
* Stringify object to safe for evaluation json string
*
* @param {*} json
* @return {String} safe for evaluation json string
* @example
*
* safeStringify({ s:'test string' }) // => '{ "s":"test string" }'
* safeStringify({ s:'some\u2028 test\u2029' }) // => '{ "s": "some\\u2028 test\\u2029" }'
* Stringify object and encode possible XSS and breaking code symbols for insertion result into script tag
*/
function encodeEntities(str) {
// Skip all work for strings with no entities needing encoding:
if (str.length === 0 || ENCODED_ENTITIES.test(str) === false)
return str;
let last = 0;
let i = 0;
let out = '';
let ch = '';
// Seek forward in str until the next entity char:
for (; i < str.length; i++) {
switch (str.charCodeAt(i)) {
case 60: // <
ch = '\\u003C';
break;
case 8232: // u2028 symbol (line separator)
ch = '\\u2028';
break;
case 8233: // u2029 symbol (paragraph separator)
ch = '\\u2029';
break;
default:
continue;
}
// Append skipped/buffered characters and the encoded entity:
if (i !== last)
out += str.slice(last, i);
out += ch;
// Start the next seek/buffer after the entity's offset:
last = i + 1;
}
if (i !== last)
out += str.slice(last, i);
return out;
}
const safeStringify = (json) => {
return encodeEntities(JSON.stringify(json));
return encodeForJSContext.encodeForJSContext(JSON.stringify(json));
};
exports.safeStringify = safeStringify;

@@ -5,1 +5,4 @@ export * from './safeStringify';

export * from './removeXss';
export * from './encode';
export * from './encodeForHTMLContext';
export * from './encodeForJSContext';

@@ -5,1 +5,4 @@ export { safeStringify } from './safeStringify.es.js';

export { removeXss } from './removeXss.es.js';
export { encode } from './encode.es.js';
export { encodeForHTMLContext } from './encodeForHTMLContext.es.js';
export { encodeForJSContext } from './encodeForJSContext.es.js';

@@ -9,2 +9,5 @@ 'use strict';

var removeXss = require('./removeXss.js');
var encode = require('./encode.js');
var encodeForHTMLContext = require('./encodeForHTMLContext.js');
var encodeForJSContext = require('./encodeForJSContext.js');

@@ -17,1 +20,4 @@

exports.removeXss = removeXss.removeXss;
exports.encode = encode.encode;
exports.encodeForHTMLContext = encodeForHTMLContext.encodeForHTMLContext;
exports.encodeForJSContext = encodeForJSContext.encodeForJSContext;
{
"name": "@tramvai/safe-strings",
"version": "0.5.8",
"version": "0.5.9",
"description": "",

@@ -5,0 +5,0 @@ "main": "lib/utils.js",

@@ -17,4 +17,12 @@ # @tramvai/safe-strings

## `removeXss`
## Encoding
Removes possible xss strings
Set of utility functions for encoding, mostly for XSS protection
### `encodeForHTMLContext`
String encoding for HTML context - escapes all symbols with possible XSS attack - `<`, `>`, `&`, `'`, `"`
### `encodeForJSContext`
String encoding for JS context - escapes all symbols with possible XSS attack or breaking code - `<`, `>`, `/`, `\u2028`, `\u2029`