safevalues
Advanced tools
Safevalues is a library to help you prevent Cross-Site Scripting vulnerabilities in TypeScript (and JavaScript). It is meant to be used together with tsec to provide strong security guarantees and help you deploy Trusted Types and other CSP restrictions in your applications. Google has used these components together to reduce DOM XSS (paper), and we hope it will be useful in your codebase.
Trusted Types is a browser API that enables developers to control the values that can be assigned to XSS sinks. Developers need to define a Trusted Type policy to build these values, and then the Trusted Type API constrains these policies.
The Trusted Types API is not opinionated on what should be considered safe. It only acts as a tool for developers to mark values they can trust.
safevalues in contrast, defines functions that make security decisions on what
is safe (by construction, via escaping or sanitization), so that developers who
are not security experts don't need to.
safevalues produces Trusted Types (through its own policy) when available.
Some DOM APIs are not covered by Trusted Types, but can also be abused; leading
to XSS or other security issues. Alternative security mechanisms such as the
unsafe-inline CSP protection can help to secure these APIs, but not all
browsers or apps support them.
safevalues defines additional types, builders, and setters to help protect
these sinks.
To build a Trusted Type-compatible app and surface potential violations at
compile time, we recommend that you compile your code with
tsec. tsec bans certain DOM APIs.
safevalues defines wrappers around these APIs which lets you assign Trusted
Types with them.
Some wrappers don't require a particular type, but sanitize the argument they
get before they assign it to the DOM sink (e.g. safeLocation.setHref).
Whenever possible, safevalues uses Trusted Types to build its values, in order
to benefit from the runtime protection of Trusted Types. When Trusted Types is
not available, safevalues transparently defines its own types and your app
will continue to work.
When using a bundler that performs dead-code elimination, you must ensure that
process.env.NODE_ENV is declared globally with either a value of development
or production. This is done in Webpack by
specifying a mode,
in Terser using the
--define flag and
in Rollup using the
rollup-plugin-define plugin.
See (#212).
Read on about for more information on our APIs.
This is not an officially supported Google product.
FAQs
Safe builders for Trusted Types values
The npm package safevalues receives a total of 334,004 weekly downloads. As such, safevalues popularity was classified as popular.
We found that safevalues demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.
Security News
Research
The Socket Research Team uncovered a malicious Python package typosquatting the popular 'fabric' SSH library, silently exfiltrating AWS credentials from unsuspecting developers.
