context-parser-handlebars
Advanced tools
Comparing version 2.0.0 to 2.0.1
{ | ||
"name": "context-parser-handlebars", | ||
"version": "2.0.0", | ||
"version": "2.0.1", | ||
"licenses": [ | ||
{ | ||
"type": "BSD", | ||
"url": "https://github.com/yahoo/context-parser-handlebars/blob/master/LICENSE" | ||
"url": "https://github.com/yahoo/secure-handlebars/blob/master/LICENSE" | ||
} | ||
@@ -23,16 +23,4 @@ ], | ||
"type": "git", | ||
"url": "git@github.com:yahoo/context-parser-handlebars.git" | ||
"url": "git@github.com:yahoo/secure-handlebars.git" | ||
}, | ||
"keywords": [ | ||
"xss", | ||
"security", | ||
"escape", | ||
"encode", | ||
"filter", | ||
"context", | ||
"html5", | ||
"handlebars", | ||
"parser", | ||
"precompiler" | ||
], | ||
"scripts": { | ||
@@ -62,5 +50,5 @@ "hint": "grunt jshint", | ||
"bugs": { | ||
"url": "https://github.com/yahoo/context-parser-handlebars/issues" | ||
"url": "https://github.com/yahoo/secure-handlebars/issues" | ||
}, | ||
"homepage": "https://github.com/yahoo/context-parser-handlebars", | ||
"homepage": "https://github.com/yahoo/secure-handlebars", | ||
"directories": { | ||
@@ -67,0 +55,0 @@ "test": "tests" |
Handlebars Context Pre-compiler | ||
=============================== | ||
This pre-compiler is to **automatically** conduct HTML 5 context analysis on Handlebars templates, and insert markup of XSS filtering helpers to output expressions based on their surrounding contexts. | ||
The resulted templates can then be further processed with the [vanilla Handlebars template engine](http://handlebarsjs.com). With the [context-sensitive helpers](https://www.npmjs.com/package/secure-handlebars-helpers) properly registered at runtime, the context-sensitive escaping will effectively defend against XSS attacks. | ||
This package is no longer maintained, and has been renamed to [secure-handlebars](https://www.npmjs.com/package/secure-handlebars). Please update the dependencysetting in your package.json file. | ||
## Quick Start | ||
### Server-side (as a CLI utility) | ||
Install the [context-parser-handlebars npm](https://www.npmjs.com/package/context-parser-handlebars) globally, so it can be used in any project. | ||
```sh | ||
npm install context-parser-handlebars -g | ||
``` | ||
Given a handlebars template file like so: | ||
```html | ||
<html><title>{{title}}</title></html> | ||
``` | ||
Run through the handlebars template file with our Handlebars Context Pre-compiler, and you can see that context-sensitive helpers are added to output expressions like so: | ||
```sh | ||
$ handlebarspc <handlebars template file> | ||
<html><title>{{{yd title}}}</title></html> | ||
``` | ||
The resulted pre-compiled template file is fully-compatible with the vanilla Handlebars. See [secure-handlebars-helpers](https://www.npmjs.com/package/secure-handlebars-helpers) on how to register the corresponding helpers on the client-side for context-sensitive filtering. | ||
Note: the default [context-insensitive HTML escaping](http://handlebarsjs.com/#html-escaping) by Handlebars is disabled with the raw {{{expression}}} to prevent redundant escaping. | ||
### Server-side (as a Node.js library) | ||
Analyze the HTML contexts of Handlebars templates on server-side. | ||
```javascript | ||
// create the precompiler | ||
var ContextParserPreCompiler = require("context-parser-handlebars"); | ||
var preCompiler = new ContextParserPreCompiler(); | ||
// given data stores a handlebars template as string | ||
var data = '<html><title>{{title}}</title></html>'; | ||
try { | ||
// analyze the HTML contexts | ||
// return a processed handlebars template with context-sensitive helpers added! | ||
// i.e., output is '<html><title>{{{yd title}}}</title></html>'; | ||
var output = preCompiler.analyzeContext(data); | ||
// ... | ||
} catch (err) { | ||
// ... | ||
} | ||
// ... | ||
``` | ||
## Development | ||
### How to test | ||
```sh | ||
npm test | ||
``` | ||
### Build | ||
[![Build Status](https://travis-ci.org/yahoo/context-parser-handlebars.svg?branch=master)](https://travis-ci.org/yahoo/context-parser-handlebars) | ||
### Known Limitations | ||
- Our approach involves only static analysis on the template files, and thus dynamic raw data that may alter the execution context on the rendered HTML will NOT be taken into account. | ||
- We handle the HTML specification only, and provide no support to the JavaScript and CSS contexts right now. | ||
- We now assume that {{>partial}} is always placed in the HTML Data context, and by itself will result in the same Data context after its binding (hence, in-state and out-state are both of data context). | ||
## License | ||
@@ -72,0 +7,0 @@ |
@@ -24,15 +24,15 @@ /* | ||
var filter = require('xss-filters')._privFilters; | ||
var filter = { | ||
FILTER_NOT_HANDLE: 'y', | ||
FILTER_DATA: 'yd', | ||
FILTER_COMMENT: 'yc', | ||
FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED: 'yavd', | ||
FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED: 'yavs', | ||
FILTER_ATTRIBUTE_VALUE_UNQUOTED: 'yavu', | ||
FILTER_ENCODE_URI: 'yu', | ||
FILTER_ENCODE_URI_COMPONENT: 'yuc', | ||
FILTER_URI_SCHEME_BLACKLIST: 'yubl', | ||
FILTER_FULL_URI: 'yufull' | ||
}; | ||
filter.FILTER_NOT_HANDLE = "y"; | ||
filter.FILTER_DATA = "yd"; | ||
filter.FILTER_COMMENT = "yc"; | ||
filter.FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED = "yavd"; | ||
filter.FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED = "yavs"; | ||
filter.FILTER_ATTRIBUTE_VALUE_UNQUOTED = "yavu"; | ||
filter.FILTER_ENCODE_URI = "yu"; | ||
filter.FILTER_ENCODE_URI_COMPONENT = "yuc"; | ||
filter.FILTER_URI_SCHEME_BLACKLIST = "yubl"; | ||
filter.FILTER_FULL_URI = "yufull"; | ||
// extracted from xss-filters | ||
@@ -783,6 +783,6 @@ /* | ||
if (ast.program.length > 0 && ast.inverse.length === 0) { | ||
debugBranch("_analyseBranchAst:["+r.lastStates[0].state+"/"+r.lastStates[0].state+"]"); | ||
debugBranch("_analyzeBranchAst:["+r.lastStates[0].state+"/"+r.lastStates[0].state+"]"); | ||
r.lastStates[1] = r.lastStates[0]; | ||
} else if (ast.program.length === 0 && ast.inverse.length > 0) { | ||
debugBranch("_analyseBranchAst:["+r.lastStates[1].state+"/"+r.lastStates[1].state+"]"); | ||
debugBranch("_analyzeBranchAst:["+r.lastStates[1].state+"/"+r.lastStates[1].state+"]"); | ||
r.lastStates[0] = r.lastStates[1]; | ||
@@ -792,4 +792,4 @@ } | ||
if (!this._deepCompareState(r.lastStates[0], r.lastStates[1])) { | ||
lineNo = this._countNewLineChar(input.slice(0, this._charNo)); | ||
msg = "[ERROR] ContextParserHandlebars: Parsing error! Inconsitent HTML5 state OR without close tag after conditional branches. Please fix your template! \n"; | ||
lineNo = this._countNewLineChar(r.output.slice(0, this._charNo)); | ||
msg = "[ERROR] ContextParserHandlebars: Parsing error! Inconsistent HTML5 state OR without close tag after conditional branches. Please fix your template! \n"; | ||
msg += "[ERROR] #if branch: " + programDebugOutput.slice(0, 50) + "...\n"; | ||
@@ -796,0 +796,0 @@ msg += "[ERROR] else branch: " + inverseDebugOutput.slice(0, 50) + "...\n"; |
Sorry, the diff of this file is too big to display
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
6189
360239
10
4