express-secure-handlebars
Advanced tools
Readme
We enhance the ExpressHandlebars server-side view engine by automatically applying Context-aware XSS output filters to better secure your web applications.
express-handlebars with express-secure-handlebars (i.e., to update those require() calls as well as the dependency in your package.json). The nitty-gritties of filter choices and integrations are all automated!$ npm install express-secure-handlebars --save
Simply replace express-handlebars with the express-secure-handlebars package in all require()!
Based on the basic example of ExpressHandlebars, here we show an example app that can be secured only with our package.
views/profile.handlebars:
Given that there is a very typical handlebars template file written like so to incorporate user inputs. The enhanced package can secure the web application by automatically applying context-sensitive output filters, which otherwise is still subject to XSS attacks if using the default escaping approach (e.g., when url is javascript:alert(1) or onclick=alert(1)).
<h1>Example App: {{title}}</h1>
...
<div>User-provided URL: <a href="{{url}}">{{url}}</a></div>
...
views/layouts/main.handlebars:
Same as the Handlebars original example, this file serves as the HTML page wrapper which can be reused for the different views of the app. {{{body}}} is used as a placeholder for where the main content should be rendered.
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>{{title}}</title></head>
<body>
{{{body}}}
</body>
</html>
app.js:
A super simple Express app that registers the Handlebars view engine.
var express = require('express'),
// The only difference is to replace 'express-handlebars' with our enhanced package.
// exphbs = require('express-handlebars');
exphbs = require('express-secure-handlebars');
var app = express(),
hbs = exphbs.create({ /* config */ });
app.engine('handlebars', hbs.engine);
app.set('view engine', 'handlebars');
app.use('/profile', function (req, res) {
res.render('profile', {
title: 'User Profile',
url: req.query.url // an untrusted user input
});
});
app.listen(3000);
Apply your changes to files in src/, and then run the tests.
$ npm test
This software is free to use under the Yahoo Inc. BSD license. See the LICENSE file for license text and copyright information.
FAQs
Secure Express/Handlebars with Context Parser
The npm package express-secure-handlebars receives a total of 1 weekly downloads. As such, express-secure-handlebars popularity was classified as not popular.
We found that express-secure-handlebars demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The White House is addressing fragmented cybersecurity regulations as CISOs report spending up to 50% of their time on compliance, aiming to harmonize requirements and improve cybersecurity outcomes.
Security News
Research
The Socket Research Team has identified a malicious Python package that is typosquatting the popular crytic-compile utility, frequently used in popular toolkits and development environments for smart contracts and crypto applications.
Security News
NIST updates on the NVD backlog after media reports that over 50% of KEVs were unenriched since mid-February. They've contracted additional support and partnered with CISA to clear the backlog by fiscal year-end.