hastscript
Advanced tools
Comparing version 5.1.0 to 5.1.1
| { | ||
| "name": "hastscript", | ||
| "version": "5.1.0", | ||
| "version": "5.1.1", | ||
| "description": "Hyperscript compatible DSL for creating virtual hast trees", | ||
@@ -18,2 +18,6 @@ "license": "MIT", | ||
| "bugs": "https://github.com/syntax-tree/hastscript/issues", | ||
| "funding": { | ||
| "type": "opencollective", | ||
| "url": "https://opencollective.com/unified" | ||
| }, | ||
| "author": "Titus Wormer <tituswormer@gmail.com> (https://wooorm.com)", | ||
@@ -32,4 +36,4 @@ "contributors": [ | ||
| "comma-separated-tokens": "^1.0.0", | ||
| "hast-util-parse-selector": "^2.2.0", | ||
| "property-information": "^5.0.1", | ||
| "hast-util-parse-selector": "^2.0.0", | ||
| "property-information": "^5.0.0", | ||
| "space-separated-tokens": "^1.0.0" | ||
@@ -41,8 +45,8 @@ }, | ||
| "prettier": "^1.0.0", | ||
| "remark-cli": "^6.0.0", | ||
| "remark-preset-wooorm": "^5.0.0", | ||
| "remark-cli": "^7.0.0", | ||
| "remark-preset-wooorm": "^6.0.0", | ||
| "svg-tag-names": "^2.0.0", | ||
| "tape": "^4.0.0", | ||
| "tinyify": "^2.0.0", | ||
| "xo": "^0.24.0" | ||
| "xo": "^0.25.0" | ||
| }, | ||
@@ -49,0 +53,0 @@ "scripts": { |
102
readme.md
@@ -13,5 +13,8 @@ # hastscript | ||
| Similar to [hyperscript][] (and [`virtual-hyperscript`][virtual-hyperscript]) | ||
| Similar to [`hyperscript`][hyperscript], [`virtual-dom/h`][virtual-hyperscript], | ||
| [`React.createElement`][react], and [Vue’s `createElement`][vue], | ||
| but for [**hast**][hast]. | ||
| Use [`unist-builder`][u] to create any [**unist**][unist] tree. | ||
| ## Install | ||
@@ -25,3 +28,3 @@ | ||
| ## Usage | ||
| ## Use | ||
@@ -154,2 +157,3 @@ ```js | ||
| and `s` to a `g` element. | ||
| `selector` is parsed by [`hast-util-parse-selector`][parse-selector]. | ||
@@ -169,2 +173,80 @@ ###### `properties` | ||
| ## Security | ||
| Use of `hastscript` can open you up to a [cross-site scripting (XSS)][xss] | ||
| attack as values are injected into the syntax tree. | ||
| The following example shows how a script is injected that runs when loaded in a | ||
| browser. | ||
| ```js | ||
| var tree = {type: 'root', children: []} | ||
| tree.children.push(h('script', 'alert(1)')) | ||
| ``` | ||
| Yields: | ||
| ```html | ||
| <script>alert(1)</script> | ||
| ``` | ||
| The following example shows how an image is injected that fails loading and | ||
| therefore runs code in a browser. | ||
| ```js | ||
| var tree = {type: 'root', children: []} | ||
| // Somehow someone injected these properties instead of an expected `src` and | ||
| // `alt`: | ||
| var otherProps = {src: 'x', onError: 'alert(2)'} | ||
| tree.children.push(h('img', {src: 'default.png', ...otherProps})) | ||
| ``` | ||
| Yields: | ||
| ```html | ||
| <img src="x" onerror="alert(2)"> | ||
| ``` | ||
| The following example shows how code can run in a browser because someone stored | ||
| an object in a database instead of the expected string. | ||
| ```js | ||
| var tree = {type: 'root', children: []} | ||
| // Somehow this isn’t the expected `'wooorm'`. | ||
| var username = { | ||
| type: 'element', | ||
| tagName: 'script', | ||
| children: [{type: 'text', value: 'alert(3)'}] | ||
| } | ||
| tree.children.push(h('span.handle', username)) | ||
| ``` | ||
| Yields: | ||
| ```html | ||
| <span class="handle"><script>alert(3)</script></span> | ||
| ``` | ||
| Either do not use user input in `hastscript` or use | ||
| [`hast-util-santize`][sanitize]. | ||
| ## Related | ||
| * [`unist-builder`](https://github.com/syntax-tree/unist-builder) | ||
| — Create any unist tree | ||
| * [`hast-to-hyperscript`](https://github.com/syntax-tree/hast-to-hyperscript) | ||
| — Convert a Node to React, Virtual DOM, Hyperscript, and more | ||
| * [`hast-util-from-dom`](https://github.com/syntax-tree/hast-util-from-dom) | ||
| — Transform a DOM tree to hast | ||
| * [`hast-util-select`](https://github.com/syntax-tree/hast-util-select) | ||
| — `querySelector`, `querySelectorAll`, and `matches` | ||
| * [`hast-util-to-html`](https://github.com/syntax-tree/hast-util-to-html) | ||
| — Stringify nodes to HTML | ||
| * [`hast-util-to-dom`](https://github.com/syntax-tree/hast-util-to-dom) | ||
| — Transform to a DOM tree | ||
| ## Contribute | ||
@@ -224,6 +306,12 @@ | ||
| [hyperscript]: https://github.com/dominictarr/hyperscript | ||
| [virtual-hyperscript]: https://github.com/Matt-Esch/virtual-dom/tree/master/virtual-hyperscript | ||
| [hyperscript]: https://github.com/dominictarr/hyperscript | ||
| [react]: https://reactjs.org/docs/glossary.html#react-elements | ||
| [vue]: https://vuejs.org/v2/guide/render-function.html#createElement-Arguments | ||
| [unist]: https://github.com/syntax-tree/unist | ||
| [tree]: https://github.com/syntax-tree/unist#tree | ||
@@ -236,1 +324,9 @@ | ||
| [text]: https://github.com/syntax-tree/hast#text | ||
| [u]: https://github.com/syntax-tree/unist-builder | ||
| [parse-selector]: https://github.com/syntax-tree/hast-util-parse-selector | ||
| [xss]: https://en.wikipedia.org/wiki/Cross-site_scripting | ||
| [sanitize]: https://github.com/syntax-tree/hast-util-sanitize |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by19.49%
17250
- Number of lines in readme file
- increased by41.56%
327