html_codesniffer
HTML_CodeSniffer is a client-side JavaScript that checks an HTML document or source code, and detects violations of a defined coding standard.
HTML_CodeSniffer is a JavaScript application that checks an HTML document or source code, and detects violations of a defined presentation or accessibility standard, such as Section 508 or WCAG 2.1.
By default, HTML_CodeSniffer comes with standards that cover the three conformance levels of the W3C Web Content Accessibility Guidelines (WCAG) 2.1, and the U.S. Section 508 legislation. It also provides tools to write your own standards, which can be useful in situations where you wish to enforce consistency across a web site.
HTML_CodeSniffer can be called in multiple ways:
npm i --save html_codesniffer
The HTML_CodeSniffer auditor can be built using Node.js and the Grunt task runner. It has been tested with recent versions of Node.js (from version 6.0 onwards) and Grunt.
sudo apt-get install nodejs
npm install -g npm
npm install -g grunt-cli
npm install
grunt build
You should see two new directories: node_modules (containing the Node.js dependencies), and build (containing your auditor). You can then move (or symlink as appropriate) your build directory to a web-accessible location.
Then grab or copy the JavaScript from the auditor bookmarklet from the HTML_CodeSniffer site, replace the directory at the start (//squizlabs.github.io/HTML_CodeSniffer/build) with your local URL, and save as a new bookmarklet.
If you are developing using HTML_CodeSniffer and require the code not minified for debugging purposes, follow the above steps, but run grunt build-debug (instead of just build). This will combine the files as normal, but not minify them.
Note: These examples assume a built version of HTMLCS exported to ./build/HTMLCS.js
You will need PhantomJS installed if you wish to use the contributed command-line script. PhantomJS provides a headless WebKit-based browser to run the scripts in, so it should give results similar to recent (or slightly older) versions of Safari.
See the Contrib/PhantomJS/HTMLCS_Run.js file for more information.
Puppeteer offers an easy way to interact with the page via Google Chrome. This example assumes that the latest version of Google Chrome is installed, hence only puppeteer-core will be needed:
npm i puppeteer-core
The test script assumes a recent version of Node.js to be available.
const puppeteer = require('puppeteer-core');

// Replace with the path to the Chrome executable in your file system. This one assumes macOS.
const executablePath = '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome';

// Replace with the URL you wish to test.
const url = 'https://www.squiz.net';

(async () => {
  const browser = await puppeteer.launch({
    executablePath
  });
  const page = await browser.newPage();

  // HTMLCS_RUNNER reports its results through console.log, so forward them to the terminal.
  page.on('console', msg => {
    console.log(msg.text());
  });

  await page.goto(url);

  // Inject the built auditor into the loaded page and run the WCAG 2.1 AA standard.
  await page.addScriptTag({
    path: 'build/HTMLCS.js'
  });
  await page.evaluate(function () {
    HTMLCS_RUNNER.run('WCAG2AA');
  });

  await browser.close();
})();
HTML_CodeSniffer requires a DOM to run; however, it is possible to run it entirely server side, without a headless browser, using Node.js on arbitrary fragments of HTML with an environment wrapper such as JSDOM.
An example Node.js script:
var jsdom = require('jsdom');
var { JSDOM } = jsdom;
var fs = require('fs');

// Load the built auditor as source text so it can be evaluated inside the JSDOM window.
var HTMLCS = fs.readFileSync('./build/HTMLCS.js', 'utf-8');

var vConsole = new jsdom.VirtualConsole();

// Forward messages to the console.
vConsole.on('log', function(message) {
  console.log(message);
});

// runScripts: "dangerously" is required for the injected auditor to execute, but it also
// runs any <script> contained in the fragment itself, so only audit markup you trust.
var dom = new JSDOM('<img src="test.png" />', {
  runScripts: "dangerously",
  virtualConsole: vConsole
});

dom.window.eval(HTMLCS);
dom.window.HTMLCS_RUNNER.run('WCAG2AA');
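Both the Puppeteer and the JSDOM scripts above only print what HTMLCS_RUNNER logs; to gate a build on the result you need to parse those lines. The following is an added example, not code from HTML_CodeSniffer, and it assumes the runner's pipe-delimited output format, one `[HTMLCS] TYPE|CODE|TAG|ID|CLASS|MESSAGE` line per message followed by a final `done` line (check this against your own build before relying on it). The sample lines are constructed for the example, and the collector, `parseHtmlcsLine` and `parseCode` are names chosen here. It is general enough to drop into either script: pass `msg.text()` from `page.on('console', ...)` or the `message` from `vConsole.on('log', ...)` to `accept()`.

```javascript
// Added example (not part of HTML_CodeSniffer): turn the console lines that
// HTMLCS_RUNNER.run() prints into structured records and a pass/fail summary.
// Assumed line format: "[HTMLCS] TYPE|CODE|TAG|ID|CLASS|MESSAGE", then "done".

// Parse one console line; returns null for lines that are not HTMLCS messages.
function parseHtmlcsLine(line) {
  const text = String(line).trim();
  const prefix = '[HTMLCS] ';
  if (!text.startsWith(prefix)) return null;
  const parts = text.slice(prefix.length).split('|');
  if (parts.length < 6) return null;
  // The message itself may contain '|', so only the first five fields are fixed.
  const [type, code, tag, id, className, ...rest] = parts;
  return {
    type: type.trim().toLowerCase(),   // 'error' | 'warning' | 'notice'
    code: code.trim(),                  // e.g. WCAG2AA.Principle1.Guideline1_1.1_1_1.H37
    tag: tag.trim().toLowerCase(),
    id: id.trim() || null,
    className: className.trim() || null,
    message: rest.join('|').trim(),
  };
}

// Split a message code into standard, principle, guideline, success criterion
// and technique(s), so results can be grouped per success criterion.
function parseCode(code) {
  const [standard, principle, guideline, criterion, technique] = code.split('.');
  return { standard, principle, guideline, criterion, technique };
}

// Collects runner output line by line and summarises it once "done" arrives.
function createCollector() {
  const messages = [];
  let finished = false;
  return {
    accept(line) {
      if (String(line).trim() === 'done') { finished = true; return; }
      const parsed = parseHtmlcsLine(line);
      if (parsed) messages.push(parsed);
    },
    summary() {
      const counts = { error: 0, warning: 0, notice: 0 };
      const byCriterion = {};
      for (const m of messages) {
        if (m.type in counts) counts[m.type] += 1;
        const key = parseCode(m.code).criterion;
        byCriterion[key] = (byCriterion[key] || 0) + 1;
      }
      return { finished, counts, byCriterion, messages };
    },
    // 0 only when the run completed and reported no errors; usable as process.exitCode.
    exitCode() {
      const s = this.summary();
      return s.finished && s.counts.error === 0 ? 0 : 1;
    },
  };
}

// Constructed sample lines in the assumed runner format (not real HTMLCS output).
const SAMPLE_LINES = [
  '[HTMLCS] Error|WCAG2AA.Principle1.Guideline1_1.1_1_1.H37|img|||Img element missing an alt attribute.',
  '[HTMLCS] Warning|WCAG2AA.Principle1.Guideline1_4.1_4_3.G18|p|intro|lead|Check that the contrast ratio is at least 4.5:1.',
  '[HTMLCS] Notice|WCAG2AA.Principle2.Guideline2_4.2_4_4.H77,H78,H79,H80,H81|a|||Check that the link text identifies its purpose.',
  'Some unrelated console output from the page under test',
  'done',
];

// Feed the constructed lines through the collector and return the summary.
function runSample() {
  const collector = createCollector();
  SAMPLE_LINES.forEach(l => collector.accept(l));
  return { summary: collector.summary(), exitCode: collector.exitCode() };
}

const sample = runSample();
console.log(JSON.stringify(sample.summary.counts), 'exit code:', sample.exitCode);
```

Because the runner signals completion with `done`, the collector treats a run that never reaches that line (page crashed, script failed to inject) as a failure rather than as a clean audit; that is the edge case most CI wrappers get wrong.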
HTML_CodeSniffer supports very basic string translations. The auditor will use the current language of the document it is being run in (e.g. <html lang="en">). A language code can be supplied if you need to tell HTML_CodeSniffer which language you want to use.
Example usage:
HTMLCSAuditor.run('WCAG2AA', null, {
  lang: 'pl'
});
Note: HTML_CodeSniffer only ships English (default), French, and Polish translations. If other language support is required, a custom version can be built by adding more translations in Translations/*.js and using the grunt build process described above.
To report any issues with using HTML_CodeSniffer, please use the HTML_CodeSniffer Issue Tracker.
Contributions to the HTML_CodeSniffer code base are also welcome: please create a fork of the main repository, then submit your modified code through a Pull Request for review. A Pull Request also automatically creates an issue in the Issue Tracker, so if you have code to contribute, you do not need to do both.
More information on HTML_CodeSniffer can be found on its GitHub site, http://squizlabs.github.io/HTML_CodeSniffer/. This site provides:
Special thanks to:
Licensed under the BSD 3-Clause "New" or "Revised" License. License text is also available in the license.txt file.
The npm package html_codesniffer receives a total of 124,116 weekly downloads. As such, html_codesniffer popularity was classified as popular.
We found that html_codesniffer demonstrated an unhealthy version release cadence and project activity, because the last version was released a year ago. It has 13 open source maintainers collaborating on the project.