@tramvai/safe-strings
Comparing version 0.5.8 to 0.5.9
@@ -0,1 +1,4 @@ | ||
/** | ||
* @deprecated cover a limited number of cases, use `encodeForHTMLContext` instead | ||
*/ | ||
export declare const removeXss: (referrer?: string) => string; |
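Review bot: The `@deprecated` text on line 6, `cover a limited number of cases`, is ungrammatical and does not tell a migrating caller that the replacement has different semantics: removeXss strips two tag patterns and hands the remainder back as markup, while `encodeForHTMLContext` (per the README in this same release) escapes `<`, `>`, `&`, `'`, `"` and hands back plain text. Suggest `@deprecated Covers only a limited set of cases and is not a sanitizer; use \`encodeForHTMLContext\` to escape the value instead (its output is text, not markup).` The same tag text appears on lines 12 and 19 of the ES and CommonJS builds and should be updated together.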
import reduce from '@tinkoff/utils/array/reduce'; | ||
const xssPossibleTags = [/<link[^>]+>/gi, /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi]; | ||
/** | ||
* @deprecated cover a limited number of cases, use `encodeForHTMLContext` instead | ||
*/ | ||
const removeXss = (referrer = '') => reduce((newReferrer, regexp) => newReferrer.replace(regexp, ''), referrer, xssPossibleTags); | ||
export { removeXss }; |
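Review bot: The `reduce` import from `@tinkoff/utils/array/reduce` on line 9 keeps an external dependency alive only to do what `Array.prototype.reduce` already does, and a deprecated helper is a poor reason to carry that dependency in the ES build. Assuming the helper takes `(fn, initial, array)` as the call on line 14 suggests, the body is equivalent to `const removeXss = (referrer = '') => xssPossibleTags.reduce((acc, regexp) => acc.replace(regexp, ''), referrer);`, and line 21 of the CommonJS build (`reduce__default["default"]`) would change the same way. Independently of that, a one-line comment above `xssPossibleTags` stating that removal is a single pass limited to these two tag shapes, with no re-check of the result, would make the reason for the deprecation visible to anyone reading the source rather than the type declaration.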
@@ -12,4 +12,7 @@ 'use strict'; | ||
const xssPossibleTags = [/<link[^>]+>/gi, /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi]; | ||
/** | ||
* @deprecated cover a limited number of cases, use `encodeForHTMLContext` instead | ||
*/ | ||
const removeXss = (referrer = '') => reduce__default["default"]((newReferrer, regexp) => newReferrer.replace(regexp, ''), referrer, xssPossibleTags); | ||
exports.removeXss = removeXss; |
@@ -0,1 +1,4 @@ | ||
/** | ||
* Stringify object and encode possible XSS and breaking code symbols for insertion result into script tag | ||
*/ | ||
export declare const safeStringify: (json: Record<string, any>) => string; |
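Review bot: The parameter type `Record<string, any>` on line 27 leaks `any` into the public declaration and also narrows the accepted input to string-keyed objects, although the implementation only forwards the value to `JSON.stringify`; `unknown` expresses that contract without `any` and is backward-compatible for existing callers, i.e. `export declare const safeStringify: (json: unknown) => string;`. The docstring sentence on line 25 could also be sharpened to `Stringifies a value as JSON and encodes the characters that could terminate or inject into a <script> element, so the result can be inlined into a script tag.`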
@@ -1,52 +0,10 @@ | ||
// source https://github.com/preactjs/preact-render-to-string/blob/60075a5a7389d638d535c85f3706739e9ba932bc/src/util.js | ||
// perf https://esbench.com/bench/5f88af6cb4632100a7dcd414 | ||
const ENCODED_ENTITIES = /[<\u2028\u2029]/; | ||
import { encodeForJSContext } from './encodeForJSContext.es.js'; | ||
/** | ||
* Stringify object to safe for evaluation json string | ||
* | ||
* @param {*} json | ||
* @return {String} safe for evaluation json string | ||
* @example | ||
* | ||
* safeStringify({ s:'test string' }) // => '{ "s":"test string" }' | ||
* safeStringify({ s:'some\u2028 test\u2029' }) // => '{ "s": "some\\u2028 test\\u2029" }' | ||
* Stringify object and encode possible XSS and breaking code symbols for insertion result into script tag | ||
*/ | ||
function encodeEntities(str) { | ||
// Skip all work for strings with no entities needing encoding: | ||
if (str.length === 0 || ENCODED_ENTITIES.test(str) === false) | ||
return str; | ||
let last = 0; | ||
let i = 0; | ||
let out = ''; | ||
let ch = ''; | ||
// Seek forward in str until the next entity char: | ||
for (; i < str.length; i++) { | ||
switch (str.charCodeAt(i)) { | ||
case 60: // < | ||
ch = '\\u003C'; | ||
break; | ||
case 8232: // u2028 symbol (line separator) | ||
ch = '\\u2028'; | ||
break; | ||
case 8233: // u2029 symbol (paragraph separator) | ||
ch = '\\u2029'; | ||
break; | ||
default: | ||
continue; | ||
} | ||
// Append skipped/buffered characters and the encoded entity: | ||
if (i !== last) | ||
out += str.slice(last, i); | ||
out += ch; | ||
// Start the next seek/buffer after the entity's offset: | ||
last = i + 1; | ||
} | ||
if (i !== last) | ||
out += str.slice(last, i); | ||
return out; | ||
} | ||
const safeStringify = (json) => { | ||
return encodeEntities(JSON.stringify(json)); | ||
return encodeForJSContext(JSON.stringify(json)); | ||
}; | ||
export { safeStringify }; |
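Review bot: The rewritten JSDoc keeps only the one-line summary on line 42 and drops the `@param`, `@return` and `@example` entries the old block carried, so which characters the new implementation encodes is now documented only in the README. Suggest restoring `@param json value passed to JSON.stringify`, `@returns JSON text safe to inline in a <script> element`, and one `@example` showing U+2028/U+2029 in the input being emitted as escape sequences. Note also that `JSON.stringify` returns `undefined` for `undefined`, functions and symbols, and line 80 passes that straight to `encodeForJSContext`; whether that helper tolerates a non-string is not visible here, so either guard the call or document that such inputs are unsupported. The CommonJS build on lines 97 and 135 has the same change.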
@@ -5,53 +5,11 @@ 'use strict'; | ||
// source https://github.com/preactjs/preact-render-to-string/blob/60075a5a7389d638d535c85f3706739e9ba932bc/src/util.js | ||
// perf https://esbench.com/bench/5f88af6cb4632100a7dcd414 | ||
const ENCODED_ENTITIES = /[<\u2028\u2029]/; | ||
var encodeForJSContext = require('./encodeForJSContext.js'); | ||
/** | ||
* Stringify object to safe for evaluation json string | ||
* | ||
* @param {*} json | ||
* @return {String} safe for evaluation json string | ||
* @example | ||
* | ||
* safeStringify({ s:'test string' }) // => '{ "s":"test string" }' | ||
* safeStringify({ s:'some\u2028 test\u2029' }) // => '{ "s": "some\\u2028 test\\u2029" }' | ||
* Stringify object and encode possible XSS and breaking code symbols for insertion result into script tag | ||
*/ | ||
function encodeEntities(str) { | ||
// Skip all work for strings with no entities needing encoding: | ||
if (str.length === 0 || ENCODED_ENTITIES.test(str) === false) | ||
return str; | ||
let last = 0; | ||
let i = 0; | ||
let out = ''; | ||
let ch = ''; | ||
// Seek forward in str until the next entity char: | ||
for (; i < str.length; i++) { | ||
switch (str.charCodeAt(i)) { | ||
case 60: // < | ||
ch = '\\u003C'; | ||
break; | ||
case 8232: // u2028 symbol (line separator) | ||
ch = '\\u2028'; | ||
break; | ||
case 8233: // u2029 symbol (paragraph separator) | ||
ch = '\\u2029'; | ||
break; | ||
default: | ||
continue; | ||
} | ||
// Append skipped/buffered characters and the encoded entity: | ||
if (i !== last) | ||
out += str.slice(last, i); | ||
out += ch; | ||
// Start the next seek/buffer after the entity's offset: | ||
last = i + 1; | ||
} | ||
if (i !== last) | ||
out += str.slice(last, i); | ||
return out; | ||
} | ||
const safeStringify = (json) => { | ||
return encodeEntities(JSON.stringify(json)); | ||
return encodeForJSContext.encodeForJSContext(JSON.stringify(json)); | ||
}; | ||
exports.safeStringify = safeStringify; |
@@ -5,1 +5,4 @@ export * from './safeStringify'; | ||
export * from './removeXss'; | ||
export * from './encode'; | ||
export * from './encodeForHTMLContext'; | ||
export * from './encodeForJSContext'; |
@@ -5,1 +5,4 @@ export { safeStringify } from './safeStringify.es.js'; | ||
export { removeXss } from './removeXss.es.js'; | ||
export { encode } from './encode.es.js'; | ||
export { encodeForHTMLContext } from './encodeForHTMLContext.es.js'; | ||
export { encodeForJSContext } from './encodeForJSContext.es.js'; |
@@ -9,2 +9,5 @@ 'use strict'; | ||
var removeXss = require('./removeXss.js'); | ||
var encode = require('./encode.js'); | ||
var encodeForHTMLContext = require('./encodeForHTMLContext.js'); | ||
var encodeForJSContext = require('./encodeForJSContext.js'); | ||
@@ -17,1 +20,4 @@ | ||
exports.removeXss = removeXss.removeXss; | ||
exports.encode = encode.encode; | ||
exports.encodeForHTMLContext = encodeForHTMLContext.encodeForHTMLContext; | ||
exports.encodeForJSContext = encodeForJSContext.encodeForJSContext; |
{ | ||
"name": "@tramvai/safe-strings", | ||
"version": "0.5.8", | ||
"version": "0.5.9", | ||
"description": "", | ||
@@ -5,0 +5,0 @@ "main": "lib/utils.js", |
@@ -17,4 +17,12 @@ # @tramvai/safe-strings | ||
## `removeXss` | ||
## Encoding | ||
Removes possible xss strings | ||
Set of utility functions for encoding, mostly for XSS protection | ||
### `encodeForHTMLContext` | ||
String encoding for HTML context - escapes all symbols with possible XSS attack - `<`, `>`, `&`, `'`, `"` | ||
### `encodeForJSContext` | ||
String encoding for JS context - escapes all symbols with possible XSS attack or breaking code - `<`, `>`, `/`, `\u2028`, `\u2029` |