secure-filters - npm Package Compare versions

Comparing version 1.0.5 to 1.1.0

index.js

@@ -0,1 +1,31 @@
+/*!
+ * Copyright (c) 2014, Salesforce.com, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ *   Neither the name of Salesforce.com, nor the names of its contributors may
+ *   be used to endorse or promote products derived from this software without
+ *   specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 module.exports = require('./lib/secure-filters');

lib/secure-filters.js

 /*!
- * Copyright 2013 GoInstant Inc., a salesforce.com company
- * See LICENSE.txt for details.
+ * Copyright (c) 2014, Salesforce.com, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ *   Neither the name of Salesforce.com, nor the names of its contributors may
+ *   be used to endorse or promote products derived from this software without
+ *   specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
@@ -205,2 +231,20 @@ (function(root) {
 /**
+ * Encodes previously generated JSON ensuring unsafe characters in string
+ * literals are backslash-escaped.
+ *
+ * See json(value) in README.md for full documentation.
+ *
+ * @name json
+ * @param {string} val
+ * @return {string} the backslash-encoded string
+ */
+secureFilters.json = function(val) {
+    var str = String(val);
+    return str.replace(JSON_NOT_WHITELISTED, jsSlashEncoder)
+    // prevent breaking out of CDATA context.  Escaping < below is sufficient
+    // to prevent opening a CDATA context.
+    .replace(CDATA_CLOSE, '\\x5D\\x5D\\x3E');
+};
+
+/**
  * Encodes an object as JSON, but with unsafe characters in string literals
@@ -216,7 +260,3 @@ * backslash-escaped.
 secureFilters.jsObj = function(val) {
-  return JSON.stringify(val)
-    .replace(JSON_NOT_WHITELISTED, jsSlashEncoder)
-    // prevent breaking out of CDATA context.  Escaping < below is sufficient
-    // to prevent opening a CDATA context.
-    .replace(CDATA_CLOSE, '\\x5D\\x5D\\x3E');
+  return secureFilters.json(JSON.stringify(val));
 };
@@ -223,0 +263,0 @@

LICENSE.txt

@@ -1,2 +0,2 @@
-Copyright (c) 2013, GoInstant Inc., a salesforce.com company
+Copyright (c) 2014, Salesforce.com, Inc.
 All rights reserved.
@@ -10,4 +10,4 @@
 
-* Neither the name of salesforce.com, nor GoInstant, nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+* Neither the name of Salesforce.com, nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
 
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

package.json

 {
   "name": "secure-filters",
-  "version": "1.0.5",
+  "version": "1.1.0",
   "description": "Anti-XSS filters for security",
   "main": "index.js",
   "scripts": {
-    "test": "mocha test.js && mocha-phantomjs -R dot static/test.html",
-    "blanket": {
-      "pattern": "secure-filters.js"
-    }
+    "test": "`npm bin`/mocha test.js && `npm bin`/mocha-phantomjs -R dot static/test.html"
   },
-  "homepage": "http://goinstant.github.io/secure-filters/",
-  "repository": "git@github.com:goinstant/secure-filters.git",
-  "author": "GoInstant Inc., a salesforce.com company",
+  "homepage": "http://salesforce.github.io/secure-filters/",
+  "repository": "git@github.com:salesforce/secure-filters.git",
+  "author": "Salesforce.com, Inc.",
   "license": "BSD-3-Clause",
@@ -27,11 +24,7 @@ "engines": {
   "devDependencies": {
-    "gi-assert": "git://github.com/goinstant/assert.git#v1.0.0",
-    "mocha": "1.8.2",
-    "mocha-phantomjs": "2.0.2",
-    "lodash": "1.3.1",
-    "component": "0.18.0",
-    "coveralls": "2.3.0",
-    "mocha-lcov-reporter": "0.0.1",
-    "blanket": "1.1.5"
+    "chai": "^1.9.2",
+    "mocha": "^1.21.4",
+    "mocha-phantomjs": "^4.1.0",
+    "underscore": "^1.8.0"
   }
 }

README.md

@@ -8,3 +8,3 @@ # secure-filters
 
-[![Build Status](https://travis-ci.org/goinstant/secure-filters.png?branch=master)](https://travis-ci.org/goinstant/secure-filters)
+[![Build Status](https://travis-ci.org/salesforce/secure-filters.png?branch=master)](https://travis-ci.org/salesforce/secure-filters)
 
@@ -62,4 +62,4 @@ ![Data Flow Diagram](./images/secure-filters%20data%20flow.png)
 [many](https://owasp.org/index.php/Data_Validation)
-[important](https://goinstant.com/blog/the-importance-of-proper-input-validation-for-security)
-[rules](https://owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) to follow.
+[important](https://owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet)
+rules to follow.
 
@@ -319,5 +319,5 @@ [This Stack-Overflow
 
-### jsObj(value)
+### json(value)
 
-Sanitizes output for a JavaScript literal in an HTML script context.
+Sanitizes output for a JSON string in an HTML script context.
 
@@ -330,5 +330,4 @@ ```html
 
-This function encodes the object with `JSON.stringify()`, then
-escapes certain characters.  Any character not matched by
-`/[",\-\.0-9:A-Z\[\\\]_a-z{}]/` is escaped consistent with the
+This function escapes certain characters within a JSON string.  Any character
+not matched by `/[",\-\.0-9:A-Z\[\\\]_a-z{}]/` is escaped consistent with the
 [`js(value)`](#jsvalue) escaping above. Additionally, the sub-string `]]>` is
@@ -341,2 +340,24 @@ encoded as `\x5D\x5D\x3E` to prevent breaking out of CDATA context.
 
+For example, with a JSON string like `'{"username":"Albert </script><script>alert(\"Pwnerton\")"}'`,
+`json()` gives output:
+
+```html
+  <script>
+    var config = {"username":"\x3C\x2Fscript\x3E\x3Cscript\x3Ealert\x28\"Pwnerton\"\x29"};
+  </script>
+```
+
+### jsObj(value)
+
+Sanitizes output for a JavaScript literal in an HTML script context.
+
+```html
+  <script>
+    var config = USERINPUT;
+  </script>
+```
+
+This function encodes the object with `JSON.stringify()`, then
+escapes using `json()` detailed above.
+
 For example, with a literal object like `{username:'Albert
@@ -456,57 +477,36 @@ </script><script>alert("Pwnerton")'}`, `jsObj()` gives output:
 
-If you'd like to contribute to or modify secure-filters, here's a quick guide
-to get you started.
+Please see the [Contribution Guide](./contributing.md).
 
-## Development Dependencies
+# Support
 
-- [node.js](http://nodejs.org) >= 0.10
+Support is provided via [github issues](https://github.com/salesforce/secure-filters/issues).
 
-## Set-Up
+For responsible disclosures, email [Salesforce Security](mailto:security@salesforce.com).
 
-Download via GitHub and install npm dependencies:
+# Changelog
 
-```sh
-git clone git@github.com:goinstant/secure-filters.git
-cd secure-filters
+#### 1.1.0
 
-npm install
-```
+This release changes the behavior of secure-filters, but should be
+backwards-compatible with 1.0.5.
 
-## Testing
+- The `js`, `jsObj` and `jsAttr` filter now use a strict allow-list for
+  characters in strings.  This is safer, but does increase the size of these
+  strings slightly.  Compliant JSON and JavaScript parsers will not be affected
+  negatively by this change.
+- The example for `jsAttr` was incorrect.  It previously stated that `<ha>,
+  'ha', "ha"` was escaped to `&lt;ha&gt;, \&#39;ha\&#39;, \&quot;ha\&quot;`
 
-Testing is with the [mocha](https://github.com/visionmedia/mocha) framework.
-Tests are located in the `tests/` directory.
+#### 1.0.5
 
-The unit tests are run twice: once under node.js and once under
-[PhantomJS](http://phantomjs.org/). PhantomJS test files are located in the
-`static/` directory.
+- Vastly improved documentation and illustrations
 
-To run the tests:
+#### 1.0.4
 
-```sh
-npm test
-```
+- Initial public release
 
-## Publishing
-
-1. `npm version patch` (increments `x` in `z.y.x`, then makes a commit for package.json, tags that commit)
-2. `git push --tags origin master`
-3. `npm publish`
-
-Go to https://npmjs.org/package/secure-filters and verify it published (can take several minutes)
-
-# Support
-
-Email [GoInstant Support](mailto:support@goinstant.com) or stop by [#goinstant on freenode](irc://irc.freenode.net#goinstant).
-
-For responsible disclosures, email [GoInstant Security](mailto:security@goinstant.com).
-
-To [file a bug](https://github.com/goinstant/secure-filters/issues) or
-[propose a patch](https://github.com/goinstant/secure-filters/pulls),
-please use github directly.
-
 # Legal
 
-&copy; 2013 GoInstant Inc., a salesforce.com company
+&copy; 2014 salesforce.com
 
 Licensed under the BSD 3-clause license.

test.js

 /*!
- * Copyright 2013 GoInstant Inc., a salesforce.com company
- * See LICENSE.txt for details.
+ * Copyright (c) 2014, Salesforce.com, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ *   Neither the name of Salesforce.com, nor the names of its contributors may
+ *   be used to endorse or promote products derived from this software without
+ *   specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
@@ -13,5 +39,5 @@ (function(root) {
 if (typeof module !== 'undefined' && module.exports) {
-  assert = require('gi-assert');
+  assert = require('assert');
   secureFilters = require('./index');
-  _ = require('lodash');
+  _ = require('underscore');
 } else {
@@ -18,0 +44,0 @@ assert = root.assert;

New alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

Shell access

Supply chain risk

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 2 instances in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 2 instances in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Minified code

Quality

This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code.

Found 1 instance in 1 package

Mixed license

License

(Experimental) Package contains multiple licenses.

Found 1 instance in 1 package

No website

Quality

Package does not have a website.

Found 1 instance in 1 package

Improved metrics

Dev dependency count

4

decreased by-50%

Number of low license alerts

0

decreased by-100%

Number of low quality alerts

0

decreased by-100%

Number of low supply chain risk alerts

0

decreased by-100%

Number of medium supply chain risk alerts

2

decreased by-77.78%

Worsened metrics

Total package byte prevSize

49764

decreased by-96.38%

Number of package files

13

decreased by-94.58%

Lines of code

662

decreased by-97.36%

No dependency changes