hastscript
Comparing version 5.1.0 to 5.1.1
{ | ||
"name": "hastscript", | ||
"version": "5.1.0", | ||
"version": "5.1.1", | ||
"description": "Hyperscript compatible DSL for creating virtual hast trees", | ||
@@ -18,2 +18,6 @@ "license": "MIT", | ||
"bugs": "https://github.com/syntax-tree/hastscript/issues", | ||
"funding": { | ||
"type": "opencollective", | ||
"url": "https://opencollective.com/unified" | ||
}, | ||
"author": "Titus Wormer <tituswormer@gmail.com> (https://wooorm.com)", | ||
@@ -32,4 +36,4 @@ "contributors": [ | ||
"comma-separated-tokens": "^1.0.0", | ||
"hast-util-parse-selector": "^2.2.0", | ||
"property-information": "^5.0.1", | ||
"hast-util-parse-selector": "^2.0.0", | ||
"property-information": "^5.0.0", | ||
"space-separated-tokens": "^1.0.0" | ||
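Review bot: the direction of the range change for `hast-util-parse-selector` and `property-information` cannot be read from this rendered hunk because the `+`/`-` markers did not survive; going by the order the other hunks use (old line first, new line second), it reads as loosening the floors from `^2.2.0` to `^2.0.0` and from `^5.0.1` to `^5.0.0`. Check that against the raw diff: lowering a minimum lets an older already-resolved version satisfy the range, so if the code relies on anything added in 2.2.0 or 5.0.1 the floor should stay where it was, and either way the reason for the change belongs in the changelog.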
@@ -41,8 +45,8 @@ }, | ||
"prettier": "^1.0.0", | ||
"remark-cli": "^6.0.0", | ||
"remark-preset-wooorm": "^5.0.0", | ||
"remark-cli": "^7.0.0", | ||
"remark-preset-wooorm": "^6.0.0", | ||
"svg-tag-names": "^2.0.0", | ||
"tape": "^4.0.0", | ||
"tinyify": "^2.0.0", | ||
"xo": "^0.24.0" | ||
"xo": "^0.25.0" | ||
}, | ||
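Review bot: the major bumps of `remark-cli` (^6 to ^7), `remark-preset-wooorm` (^5 to ^6) and `xo` (^0.24 to ^0.25) are tooling changes unrelated to the readme's new Security section and would be easier to review and bisect as their own commit; a major bump of the linter and of the lint preset can also change which rules fail, so confirm the `scripts` still pass in CI before releasing 5.1.1.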
@@ -49,0 +53,0 @@ "scripts": { |
readme.md
@@ -13,5 +13,8 @@ # hastscript | ||
Similar to [hyperscript][] (and [`virtual-hyperscript`][virtual-hyperscript]) | ||
Similar to [`hyperscript`][hyperscript], [`virtual-dom/h`][virtual-hyperscript], | ||
[`React.createElement`][react], and [Vue’s `createElement`][vue], | ||
but for [**hast**][hast]. | ||
Use [`unist-builder`][u] to create any [**unist**][unist] tree. | ||
## Install | ||
@@ -25,3 +28,3 @@ | ||
## Usage | ||
## Use | ||
@@ -154,2 +157,3 @@ ```js | ||
and `s` to a `g` element. | ||
`selector` is parsed by [`hast-util-parse-selector`][parse-selector]. | ||
@@ -169,2 +173,80 @@ ###### `properties` | ||
## Security | ||
Use of `hastscript` can open you up to a [cross-site scripting (XSS)][xss] | ||
attack as values are injected into the syntax tree. | ||
The following example shows how a script is injected that runs when loaded in a | ||
browser. | ||
```js | ||
var tree = {type: 'root', children: []} | ||
tree.children.push(h('script', 'alert(1)')) | ||
``` | ||
Yields: | ||
```html | ||
<script>alert(1)</script> | ||
``` | ||
The following example shows how an image is injected that fails loading and | ||
therefore runs code in a browser. | ||
```js | ||
var tree = {type: 'root', children: []} | ||
// Somehow someone injected these properties instead of an expected `src` and | ||
// `alt`: | ||
var otherProps = {src: 'x', onError: 'alert(2)'} | ||
tree.children.push(h('img', {src: 'default.png', ...otherProps})) | ||
``` | ||
Yields: | ||
```html | ||
<img src="x" onerror="alert(2)"> | ||
``` | ||
The following example shows how code can run in a browser because someone stored | ||
an object in a database instead of the expected string. | ||
```js | ||
var tree = {type: 'root', children: []} | ||
// Somehow this isn’t the expected `'wooorm'`. | ||
var username = { | ||
type: 'element', | ||
tagName: 'script', | ||
children: [{type: 'text', value: 'alert(3)'}] | ||
} | ||
tree.children.push(h('span.handle', username)) | ||
``` | ||
Yields: | ||
```html | ||
<span class="handle"><script>alert(3)</script></span> | ||
``` | ||
Either do not use user input in `hastscript` or use | ||
[`hast-util-santize`][sanitize]. | ||
## Related | ||
* [`unist-builder`](https://github.com/syntax-tree/unist-builder) | ||
— Create any unist tree | ||
* [`hast-to-hyperscript`](https://github.com/syntax-tree/hast-to-hyperscript) | ||
— Convert a Node to React, Virtual DOM, Hyperscript, and more | ||
* [`hast-util-from-dom`](https://github.com/syntax-tree/hast-util-from-dom) | ||
— Transform a DOM tree to hast | ||
* [`hast-util-select`](https://github.com/syntax-tree/hast-util-select) | ||
— `querySelector`, `querySelectorAll`, and `matches` | ||
* [`hast-util-to-html`](https://github.com/syntax-tree/hast-util-to-html) | ||
— Stringify nodes to HTML | ||
* [`hast-util-to-dom`](https://github.com/syntax-tree/hast-util-to-dom) | ||
— Transform to a DOM tree | ||
## Contribute | ||
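Review bot: the link text on the closing advice line reads `hast-util-santize` (missing an `i`) while the reference id `[sanitize]` and its URL are spelled correctly, so the rendered link works but the visible package name is wrong; change it to `hast-util-sanitize`. Two smaller points on the examples: the third example works because `h()` takes a second argument that carries a `type` field as a child node rather than as properties, which is what turns a stored object into injected markup, and a sentence saying so would make that failure mode clearer; and the closing advice could say where the sanitizer should be applied, namely to the finished tree before it is serialized with `hast-util-to-html`, because sanitizing only the user-supplied string would not cover the injected `onError` property in the second example.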
@@ -224,6 +306,12 @@ | ||
[hyperscript]: https://github.com/dominictarr/hyperscript | ||
[virtual-hyperscript]: https://github.com/Matt-Esch/virtual-dom/tree/master/virtual-hyperscript | ||
[hyperscript]: https://github.com/dominictarr/hyperscript | ||
[react]: https://reactjs.org/docs/glossary.html#react-elements | ||
[vue]: https://vuejs.org/v2/guide/render-function.html#createElement-Arguments | ||
[unist]: https://github.com/syntax-tree/unist | ||
[tree]: https://github.com/syntax-tree/unist#tree | ||
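Review bot: `[hyperscript]` is defined twice in this hunk, once before `[virtual-hyperscript]` and once after it; without the `+`/`-` markers this looks like a removed line re-added in a new position, but confirm the final readme carries the definition exactly once, since only the first of two duplicate reference definitions is used and `remark-lint` reports the duplicate.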
@@ -236,1 +324,9 @@ | ||
[text]: https://github.com/syntax-tree/hast#text | ||
[u]: https://github.com/syntax-tree/unist-builder | ||
[parse-selector]: https://github.com/syntax-tree/hast-util-parse-selector | ||
[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting | ||
[sanitize]: https://github.com/syntax-tree/hast-util-sanitize |