secure-filters
Advanced tools
Comparing version 1.0.4 to 1.0.5
@@ -190,2 +190,5 @@ /*! | ||
| // encodeURIComponent also won't encode ".-_", but those are known-safe. | ||
| // | ||
| // IE does not always encode '"' to '%27': | ||
| // http://blog.imperva.com/2012/01/ie-bug-exposes-its-users-to-xss-attacks-.html | ||
| var encode = encodeURIComponent(String(val)); | ||
@@ -192,0 +195,0 @@ return encode |
| { | ||
| "name": "secure-filters", | ||
| "version": "1.0.4", | ||
| "version": "1.0.5", | ||
| "description": "Anti-XSS filters for security", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
| # secure-filters | ||
| `secure-filters` is a collection of sanitization functions ("filters") to | ||
| provide protection against [Cross-Site Scripting (XSS)](https://owasp.org/index.php/Cross-site_Scripting_%28XSS%29) | ||
| and other injection attacks. | ||
| `secure-filters` is a collection of Output Sanitization functions ("filters") | ||
| to provide protection against [Cross-Site Scripting | ||
| (XSS)](https://owasp.org/index.php/Cross-site_Scripting_%28XSS%29) and other | ||
| injection attacks. | ||
| [](https://travis-ci.org/goinstant/secure-filters) | ||
| Table of select contents: | ||
|  | ||
| ### Table of select contents | ||
| - [About XSS](#about-xss) | ||
@@ -38,13 +41,19 @@ - [Usage](#usage) | ||
| To effectively combat XSS, you must combine input validation with output | ||
| sanitization. **Using one or the other is not sufficient; you must apply | ||
| both!** This module aims to provide only output sanitization since there are | ||
| plenty of JavaScript modules out there to do the validation part. | ||
| To effectively combat XSS, you must combine Input Validation with Output | ||
| Sanitization. **Using one or the other is not sufficient; you must apply | ||
| both!** Also, simple validations like string length aren't as effective; it's | ||
| much safer to use _whitelist-based validation_. | ||
| Whichever input validation and output sanitization modules you end up using, | ||
| please review the code carefully and apply your own professional paranoia. | ||
| Trust, but verify. | ||
| The generally accepted flow in preventing XSS looks like this: | ||
|  | ||
| Whichever Input Validation and Output Sanitization modules you end up | ||
| using, please review the code carefully and apply your own professional | ||
| paranoia. Trust, but verify. | ||
| ### Input Validation | ||
| `secure-filters` doesn't deal with Input Validation, only Ouput Sanitization. | ||
| You can roll your own input validation or you can use an existing module. | ||
@@ -60,16 +69,42 @@ Either way, there are | ||
| One of those options is node-validator ([NPM](https://npmjs.org/package/validator), | ||
| [github](https://github.com/chriso/node-validator)). | ||
| It provides an impressive list of chainable validators. In addition to | ||
| validation, it gives a set of handy [sanitization | ||
| filters](https://github.com/chriso/node-validator#list-of-sanitization--filter-methods). | ||
| Validator has an `xss()` filter function that can strip-out certain _common_ XSS | ||
| attack-strings. But, _use caution_: XSS attacks can be so highly obfuscated that | ||
| they may be able to [bypass Validator's detection | ||
| algorithm](https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module/). | ||
| Validator also has a 3rd party | ||
| One of those options is node-validator | ||
| ([NPM](https://npmjs.org/package/validator), | ||
| [github](https://github.com/chriso/node-validator)). It provides an impressive | ||
| list of chainable validators. Validator also has a 3rd party | ||
| [express-validate](https://github.com/Dream-Web/express-validate) middleware | ||
| module for use in the popular [Express](http://expressjs.com/) node.js server. | ||
| Input Validation can be specialized to the data format. For example, the | ||
| jsonschema module ([NPM](https://npmjs.org/package/jsonschema), | ||
| [github](https://github.com/tdegrunt/jsonschema)) can be useful for providing | ||
| strict validation of JSON documents (e.g. bodies in HTTP). | ||
| ### Output Sanitization | ||
| Output Sanitization (also known as Ouput Filtering) is what `secure-filters` is | ||
| responsible for. | ||
| In order to properly santize output you need to be sensitive to the _context_ | ||
| in which the data is being output. For example, if you want to place text in an | ||
| HTML document, you should HTML-escape the text. | ||
| But what about CSS or JavaScript contexts? You can't use the HTML-escape | ||
| filter; a different escaping method is necessary. If the filter doesn't match | ||
| the context, it's possible for browsers to misinterpret the result, which can | ||
| lead to XSS attacks! | ||
| `secure-filters` aims to provide the filter functions necessary to do this type | ||
| of context-sensitive sanitization. | ||
| ### Hybrid Sanitization | ||
| "Sanitization" is an overloaded term and can be confused with other security | ||
| techniques. | ||
| For example, if you need to store and sanitize HTML, you'd want to parse, | ||
| validate and sanitize that HTML in one hybridized step. There are tools like | ||
| [Google Caja](http://code.google.com/p/google-caja/) to do HTML sanitization. | ||
| The [`sanitizer` module](https://github.com/theSmaw/Caja-HTML-Sanitizer) | ||
| packages-up Caja for node.js/CommonJS usage. | ||
| # Usage | ||
@@ -91,2 +126,6 @@ | ||
| ## General Usage | ||
| [](./images/secure-filters%20cheat%20sheet.png) | ||
| ## With EJS | ||
@@ -113,2 +152,4 @@ | ||
| There's a handy [cheat sheet](./cheatsheet.md) showing all the filters in EJS syntax. | ||
| ### Alternative EJS uses. | ||
@@ -372,3 +413,3 @@ | ||
| context, it is still somewhat risky to allow user-controlled input into CSS and | ||
| `<style>` blocks. Be sure to combine CSS escaping with whitelist-based input | ||
| `<style>` blocks. Be sure to combine CSS escaping with _whitelist-based_ input | ||
| sanitization! Here's a small sampling of what's possible: | ||
@@ -406,3 +447,3 @@ | ||
| context, it is still somewhat risky to allow user-controlled input (see caveats | ||
| on [css](#cssvalue) above). Be sure to combine with whitelist-based input | ||
| on [css](#cssvalue) above). Be sure to combine with _whitelist-based_ input | ||
| sanitization! | ||
@@ -409,0 +450,0 @@ |
Sorry, the diff of this file is not supported yet
No alert changes
Improved metrics
- Total package byte prevSize
- increased by8.83%
1376414
- Number of package files
- increased by9.59%
240
- Lines of code
- increased by4.17%
25115
- Number of lines in readme file
- increased by8.8%
507
Worsened metrics
- Number of low supply chain risk alerts
- increased by2.44%
42
No dependency changes