Security News
New Proposed CISA Mandate Would Require Critical Infrastructure to Report Ransom Payments Within 24 Hours
CISA has proposed a set of new rules that would require critical infrastructure to report cyber incidents and ransom payments.
ember-purify
Advanced tools
Ember addon to help purify DOM content
Weekly downloads
Readme
When you need to render user provided HTML content but don't want to trust the user content with Ember's Ember.String.htmlSafe
or {{{ }}}
.
Uses DOMPurify to sanitize HTML & SVG. I strongly recommend you watch the video linked under the inspiration section. See XSS in action in Ember in this twiddle.
You can also run ember serve
to see the above mentioned approaches along with the purify-dom
helper. Inspect the DOM on all three broken images to see the difference.
ember install ember-purify
For templates,
{{purify-dom '<img src="missing-image.png" onerror=alert(1)//>'}}
will render
<img src="missing-image.png">
To use it in js,
import { sanitize } from 'dompurify';
Note that global config isn't applied to the functions imported in JS.
Details on DOMPurify, the underlying library can be found in its README
To configure the purify helper globally in your app's config/environment.js
,
ENV.APP.purify = {
// Refer to various config options in DOMPurify's README
};
In addition to the global configuration you can also pass the config to the helper which can either be merged to the global config(by default) or replaced(by passing overrideConfig=true)
{{purify-dom "<img src='google.com' data-something='dangerous'>" config=(hash ALLOW_DATA_ATTR=false) overrideConfig=true}}
Securing your EmberJS Application talk By Philippe De Ryck.
git clone <repository-url>
this repositorycd ember-purify
npm install
or yarn
ember serve
npm test
(Runs ember try:each
to test your addon against multiple Ember versions)ember test
ember test --server
ember build
For more information on using ember-cli, visit http://ember-cli.com/.
FAQs
Ember addon to help purify DOM content
The npm package ember-purify receives a total of 131 weekly downloads. As such, ember-purify popularity was classified as not popular.
We found that ember-purify demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CISA has proposed a set of new rules that would require critical infrastructure to report cyber incidents and ransom payments.
Security News
Redis is no longer OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now working to fork the software.
Product
Socket AI now enables 'AI detected potential malware' alerts by default, ensuring users benefit from AI-powered state-of-the-art malware detection without needing to opt-in.