Comparing version 0.1.4 to 0.1.5

bower.json

27

anti.js

@@ -49,4 +49,5 @@ /*

this.Options = options || {};
// Set Default Serializer to true
// Default options
if(!this.Options.serialize) this.Options.serialize = true;
if(!this.Options.wrapper) this.Options.wrapper = "<div class='anti'></div>";

@@ -66,2 +67,3 @@ this.Parser = new ANTI_DOM_PARSER({

/* Kills data attributes */
/* v0.2: Allow for individual attribute filtering per block && value per property */
this.ACCEPTABLE_BLOCK_ELEMENTS = ["#text", "a", "abbr", "acronym", "address", "article", "aside", "b", "bdi", "bdo", "big", "blockquote", "br", "caption", "center", "cite", "code", "colgroup", "dd", "del", "del", "dfn", "dir", "div", "dl", "dt", "em", "figcaption", "figure", "font", "footer", "h1", "h2", "h3", "h4", "h5", "h6", "header", "hgroup", "hr", "i", "img", "ins", "ins", "kbd", "label", "li", "map", "map", "mark", "menu", "nav", "ol", "p", "pre", "q", "rp", "rt", "ruby", "s", "samp", "section", "small", "span", "strike", "strong", "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "time", "tr", "tt", "u", "ul", "var"];

@@ -71,2 +73,3 @@ this.ACCEPTABLE_SANITARY_ATTRIBUTES = ["abbr", "align", "alt", "axis", "bgcolor", "border", "cellpadding", "cellspacing", "class", "clear", "color", "cols", "colspan", "compact", "coords", "dir", "face", "headers", "height", "hreflang", "hspace", "ismap", "lang", "language", "nohref", "nowrap", "rel", "rev", "rows", "rowspan", "rules", "scope", "scrolling", "shape", "size", "span", "start", "summary", "tabindex", "target", "title", "type", "valign", "value", "vspace", "width"];

this.ACCEPTABLE_UNSANITARY_ATTRIBUTES = ["background", "cite", "href", "longdesc", "src", "usemap", "style", "xlink:href"];
/*<EXPERIMENTAL>*/
/// - ------------ - ///

@@ -77,2 +80,3 @@ /// - CSS SAFELIST - ///

/// - ------------ - ///
/*</EXPERIMENTAL>*/
};

@@ -86,6 +90,5 @@

/* HTML xmlns tag is retained on the wrapper
/* Enable customization of wrapper element */
/* HTML xmlns tag is retained on the wrapper */
// Wrapper element
var WRAPPER = this.Parser.parseFromString("<div class='anti'></div>", "text/html").documentElement;
var WRAPPER = this.Parser.parseFromString(this.Options.wrapper, "text/html").documentElement;
// Browser Fix (Browsers wrap the element in an HTML parent)

@@ -103,10 +106,3 @@ if (WRAPPER.nodeName.toLowerCase() === 'html') WRAPPER = (WRAPPER.childNodes[1])?WRAPPER.childNodes[1].childNodes[0]:WRAPPER;

var e = (this.Options.serialize) ? this.Serializer.serializeToString(WRAPPER) : WRAPPER;
ReturnAttributes.push(e);
// Allows for Async/Sync calls
/* implement async functionality to forEach loops */
if ((callback) && (callback.constructor === Function)) callback.apply(null, ReturnAttributes);
else return (ReturnAttributes.length > 1) ? ReturnAttributes : ReturnAttributes[0];
return (this.Options.serialize) ? this.Serializer.serializeToString(WRAPPER) : WRAPPER;
}

@@ -142,7 +138,6 @@

/* Improve performance and reduce resources */
// Poor man's cache solution (bad for GC, I know)
// Cache solution
var EL_ATTRIBUTES_CACHE = [];
var CLEANDOM = [];
/* Implement async method */
// Heavily recursive

@@ -165,3 +160,3 @@ DIRTYDOM.forEach(function (node, index) {

// If InlineCSS is enabled
if(_this.Options.experimentalInlineCSS) node.setAttribute(attr.name, _this._parseInlineCSS(attr.value));
if(_this.Options.experimentalInlineCSS && _this._parseInlineCSS) node.setAttribute(attr.name, _this._parseInlineCSS(attr.value));
} else {

@@ -190,2 +185,3 @@ node.setAttribute(attr.name, encodeURIComponent(attr.value));

/*<EXPERIMENTAL>*/
Anti.prototype._parseInlineCSS = function ANTI_CSS_INLINE(CSS_STRING, OUTPUT) {

@@ -313,2 +309,3 @@ // PERFORMANCE COMPARISON OF CHAR SELECTION http://jsperf.com/charat-vs-regex-vs-prop/3 & LATER REVISIONS

}
/*</EXPERIMENTAL>*/

@@ -315,0 +312,0 @@ // Helper functions (jQuery like)
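Review bot: The new guard `if(_this.Options.experimentalInlineCSS && _this._parseInlineCSS)` in the attribute loop silently drops the caller's request for CSS filtering whenever the parser is absent, which the README change in this same diff says is the case for the non-experimental browser builds; the `style` value then falls into the `else` branch, whose handling is outside the hunk, and the consumer gets no signal that the filter never ran. Failing at construction time is cheaper and safer: in the options hunk, after the `wrapper` default, add `if (this.Options.experimentalInlineCSS && typeof this._parseInlineCSS !== 'function') throw new Error('experimentalInlineCSS requires the experimental build');`. Separately, the new `wrapper` option is parsed as markup by `this.Parser.parseFromString(this.Options.wrapper, "text/html")` and becomes the root element that `return (this.Options.serialize) ? ... : WRAPPER;` hands back, so a comment on its default should state that it must be an application-supplied literal, never request data; the fix-up on the following `if (WRAPPER.nodeName.toLowerCase() === 'html')` line also keeps only the first child of the parsed body, so a text-only or multi-element wrapper string would not produce the element the rest of the code expects. Both enclosing functions start and end outside the hunks shown.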

{
"name": "anti",
"version": "0.1.4",
"version": "0.1.5",
"description": "Anti is an XSS protection module.",

@@ -8,3 +8,4 @@ "author": "Schahriar SaffarShargh <info@schahriar.com>|www.schahriar.com",

"scripts": {
"test": "mocha ./tests/test.js"
"test": "mocha ./tests/test.js",
"prepublish": "gulp"
},

@@ -22,2 +23,3 @@ "repository": {

"purge",
"DOMParser",
"anti"

@@ -32,2 +34,5 @@ ],

"chai": "^3.2.0",
"gulp": "^3.9.0",
"gulp-concat-util": "^0.5.2",
"gulp-uglify": "^1.4.0",
"mocha": "^2.3.0"

@@ -34,0 +39,0 @@ },
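Review bot: The added `"prepublish": "gulp"` script ties the published build output to whichever `gulp`, `gulp-concat-util` and `gulp-uglify` versions resolve under the new caret ranges at publish time, and no lockfile is part of this diff, so the minified artefact a consumer receives cannot be reproduced from the repository at this tag. Pinning those three devDependencies to exact versions, or committing a lockfile, would make the shipped build auditable against the source. Older npm versions also run `prepublish` on a plain `npm install` of a checkout, so contributors execute the whole build toolchain just to run the tests; `prepublishOnly` (or a note in the README) avoids that surprise. The hunk shows only part of the `devDependencies` object.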

@@ -18,2 +18,22 @@ ![Anti](https://raw.githubusercontent.com/schahriar/anti/master/Anti.png)

```
#### > Browsers
Anti includes full support for browsers. It does not use Regular Expressions (RegEx) but rather the browser's internal method **DOMParser**. Support for this method is approximately 97% of all browsers (http://caniuse.com/#feat=xml-serializer) and provides superior security compared to innerHTML method. You can include **anti.js** or **anti.min.js** from the **build** folder like so:
```html
...
<body>
...
<script src="build/anti.min.js"></script>
</body>
```
Or using [**Browserify**](http://browserify.org/)
```javascript
// Install (refer to installation)
var Anti = require('anti');
// Refer to Usage
```
Alternatively when using [**Bower**](http://bower.io/)
```javascript
bower install anti
// Include bower_components/anti/build/anti.min.js
```

@@ -55,5 +75,9 @@ ## Filters

```
Options include:
- serialize: Boolean(default: true) Returns a serialized/string DOM instead of a DOM Object
- wrapper: String(default: "<div class='anti'></div>") A single wrapper element that wraps around the output
- experimentalInlineCSS: Boolean(default: false) Allows for inline style parsing and filtering (!EXPERIMENTAL)
## Experimental -> Inline CSS Parser
This feature allows for filtering of inline CSS styles (e.g. style="font-size: 2px; color: red;"). You can enable this feature by passing { experimentalInlineCSS: true } options to the Anti constructor. Note that this method uses an internal parsing function with only one RegEx test to test for validity of url() values. The filter for this method is defined as **ACCEPTABLE_CSS_PROPERTIES**.
To use experimental feature you'll need to include either **anti.experimental.js** or **anti.experimental.min.js** from the **build** folder. Note that experimental features are available by default in the NodeJS version. Inline CSS feature brings in a built in CSS parser and Url Validator. This feature allows for filtering of inline CSS styles (e.g. style="font-size: 2px; color: red;"). You can enable this feature by passing { experimentalInlineCSS: true } options to the Anti constructor. Note that this method uses an internal parsing function with only one RegEx test to test for validity of url() values. The filter for this method is defined as **ACCEPTABLE_CSS_PROPERTIES**.

@@ -60,0 +84,0 @@ ## Disclaimer:

@@ -35,6 +35,5 @@ var fs = require("fs");

it(test.name || "Unknown", function(done){
anti.parse(test.input(), function(result) {
expect(result).to.be.equal(test.expects());
done();
})
var result = anti.parse(test.input())
expect(result).to.be.equal(test.expects());
done();
})

@@ -41,0 +40,0 @@ })
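Review bot: The rewritten test body is synchronous, so the `done` parameter and the `done();` call are now only ceremony, and `var result = anti.parse(test.input())` drops the terminating semicolon the neighbouring lines use; the three new lines can collapse to `it(test.name || "Unknown", function(){ expect(anti.parse(test.input())).to.be.equal(test.expects()); });`. The fixtures behind `test.input()` and `test.expects()` are outside the hunk, so it is not visible whether any case exercises the new `wrapper` option or a `style` attribute with `experimentalInlineCSS` unset; if none does, the behaviour this release changes in `anti.js` ships untested. The enclosing block starts before the hunk.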

