secure-filters
Comparing version 1.0.5 to 1.1.0
30
index.js
@@ -0,1 +1,31 @@ | ||
/*! | ||
* Copyright (c) 2014, Salesforce.com, Inc. | ||
* All rights reserved. | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are met: | ||
* | ||
* Redistributions of source code must retain the above copyright notice, | ||
* this list of conditions and the following disclaimer. | ||
* | ||
* Redistributions in binary form must reproduce the above copyright notice, | ||
* this list of conditions and the following disclaimer in the documentation | ||
* and/or other materials provided with the distribution. | ||
* | ||
* Neither the name of Salesforce.com, nor the names of its contributors may | ||
* be used to endorse or promote products derived from this software without | ||
* specific prior written permission. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | ||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
* POSSIBILITY OF SUCH DAMAGE. | ||
*/ | ||
module.exports = require('./lib/secure-filters'); |
/*! | ||
* Copyright 2013 GoInstant Inc., a salesforce.com company | ||
* See LICENSE.txt for details. | ||
* Copyright (c) 2014, Salesforce.com, Inc. | ||
* All rights reserved. | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are met: | ||
* | ||
* Redistributions of source code must retain the above copyright notice, | ||
* this list of conditions and the following disclaimer. | ||
* | ||
* Redistributions in binary form must reproduce the above copyright notice, | ||
* this list of conditions and the following disclaimer in the documentation | ||
* and/or other materials provided with the distribution. | ||
* | ||
* Neither the name of Salesforce.com, nor the names of its contributors may | ||
* be used to endorse or promote products derived from this software without | ||
* specific prior written permission. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | ||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
* POSSIBILITY OF SUCH DAMAGE. | ||
*/ | ||
@@ -205,2 +231,20 @@ (function(root) { | ||
/** | ||
* Encodes previously generated JSON ensuring unsafe characters in string | ||
* literals are backslash-escaped. | ||
* | ||
* See json(value) in README.md for full documentation. | ||
* | ||
* @name json | ||
* @param {string} val | ||
* @return {string} the backslash-encoded string | ||
*/ | ||
secureFilters.json = function(val) { | ||
var str = String(val); | ||
return str.replace(JSON_NOT_WHITELISTED, jsSlashEncoder) | ||
// prevent breaking out of CDATA context. Escaping < below is sufficient | ||
// to prevent opening a CDATA context. | ||
.replace(CDATA_CLOSE, '\\x5D\\x5D\\x3E'); | ||
}; | ||
/** | ||
* Encodes an object as JSON, but with unsafe characters in string literals | ||
@@ -216,7 +260,3 @@ * backslash-escaped. | ||
secureFilters.jsObj = function(val) { | ||
return JSON.stringify(val) | ||
.replace(JSON_NOT_WHITELISTED, jsSlashEncoder) | ||
// prevent breaking out of CDATA context. Escaping < below is sufficient | ||
// to prevent opening a CDATA context. | ||
.replace(CDATA_CLOSE, '\\x5D\\x5D\\x3E'); | ||
return secureFilters.json(JSON.stringify(val)); | ||
}; | ||
@@ -223,0 +263,0 @@ |
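Review bot: `String(val)` in the new `secureFilters.json` means `jsObj` no longer throws when `JSON.stringify(val)` returns `undefined` (for an `undefined` argument or a function); the removed `JSON.stringify(val).replace(...)` chain would have failed on `.replace`, whereas the new `return secureFilters.json(JSON.stringify(val));` emits the bare token `undefined` into the script. If that is intended, the changelog's "backwards-compatible with 1.0.5" claim should mention it; if not, `jsObj` should check the `JSON.stringify` result before delegating. Separately, the JSDoc for `json` should state its input contract, since `"` and `\` pass through untouched per the allow-list documented in the README: `@param {string} val - a complete, well-formed JSON text (e.g. JSON.stringify output); not a general-purpose string escaper`. The enclosing `(function(root) {` wrapper starts and ends outside these hunks.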
@@ -1,2 +0,2 @@ | ||
Copyright (c) 2013, GoInstant Inc., a salesforce.com company | ||
Copyright (c) 2014, Salesforce.com, Inc. | ||
All rights reserved. | ||
@@ -10,4 +10,4 @@ | ||
* Neither the name of salesforce.com, nor GoInstant, nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. | ||
* Neither the name of Salesforce.com, nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. | ||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
{ | ||
"name": "secure-filters", | ||
"version": "1.0.5", | ||
"version": "1.1.0", | ||
"description": "Anti-XSS filters for security", | ||
"main": "index.js", | ||
"scripts": { | ||
"test": "mocha test.js && mocha-phantomjs -R dot static/test.html", | ||
"blanket": { | ||
"pattern": "secure-filters.js" | ||
} | ||
"test": "`npm bin`/mocha test.js && `npm bin`/mocha-phantomjs -R dot static/test.html" | ||
}, | ||
"homepage": "http://goinstant.github.io/secure-filters/", | ||
"repository": "git@github.com:goinstant/secure-filters.git", | ||
"author": "GoInstant Inc., a salesforce.com company", | ||
"homepage": "http://salesforce.github.io/secure-filters/", | ||
"repository": "git@github.com:salesforce/secure-filters.git", | ||
"author": "Salesforce.com, Inc.", | ||
"license": "BSD-3-Clause", | ||
@@ -27,11 +24,7 @@ "engines": { | ||
"devDependencies": { | ||
"gi-assert": "git://github.com/goinstant/assert.git#v1.0.0", | ||
"mocha": "1.8.2", | ||
"mocha-phantomjs": "2.0.2", | ||
"lodash": "1.3.1", | ||
"component": "0.18.0", | ||
"coveralls": "2.3.0", | ||
"mocha-lcov-reporter": "0.0.1", | ||
"blanket": "1.1.5" | ||
"chai": "^1.9.2", | ||
"mocha": "^1.21.4", | ||
"mocha-phantomjs": "^4.1.0", | ||
"underscore": "^1.8.0" | ||
} | ||
} |
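Review bot: The devDependencies move from exact pins (`"mocha": "1.8.2"` and the others on the removed lines) to caret ranges (`"chai": "^1.9.2"`, `"mocha": "^1.21.4"`, `"mocha-phantomjs": "^4.1.0"`, `"underscore": "^1.8.0"`), so `npm install` will resolve different test-tool versions over time and a test run is no longer reproducible against a known toolchain; consider keeping exact versions for the test dependencies or recording the resolved versions alongside the release. The rewritten `test` script also shells out through backtick substitution (`` `npm bin`/mocha ``), which ties it to a POSIX shell; `npm run` already places `node_modules/.bin` on `PATH`, so the plain `mocha test.js && mocha-phantomjs ...` form from the removed line is both portable and sufficient.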
@@ -8,3 +8,3 @@ # secure-filters | ||
[![Build Status](https://travis-ci.org/goinstant/secure-filters.png?branch=master)](https://travis-ci.org/goinstant/secure-filters) | ||
[![Build Status](https://travis-ci.org/salesforce/secure-filters.png?branch=master)](https://travis-ci.org/salesforce/secure-filters) | ||
@@ -62,4 +62,4 @@ ![Data Flow Diagram](./images/secure-filters%20data%20flow.png) | ||
[many](https://owasp.org/index.php/Data_Validation) | ||
[important](https://goinstant.com/blog/the-importance-of-proper-input-validation-for-security) | ||
[rules](https://owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) to follow. | ||
[important](https://owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) | ||
rules to follow. | ||
@@ -319,5 +319,5 @@ [This Stack-Overflow | ||
### jsObj(value) | ||
### json(value) | ||
Sanitizes output for a JavaScript literal in an HTML script context. | ||
Sanitizes output for a JSON string in an HTML script context. | ||
@@ -330,5 +330,4 @@ ```html | ||
This function encodes the object with `JSON.stringify()`, then | ||
escapes certain characters. Any character not matched by | ||
`/[",\-\.0-9:A-Z\[\\\]_a-z{}]/` is escaped consistent with the | ||
This function escapes certain characters within a JSON string. Any character | ||
not matched by `/[",\-\.0-9:A-Z\[\\\]_a-z{}]/` is escaped consistent with the | ||
[`js(value)`](#jsvalue) escaping above. Additionally, the sub-string `]]>` is | ||
@@ -341,2 +340,24 @@ encoded as `\x5D\x5D\x3E` to prevent breaking out of CDATA context. | ||
For example, with a JSON string like `'{"username":"Albert </script><script>alert(\"Pwnerton\")"}'`, | ||
`json()` gives output: | ||
```html | ||
<script> | ||
var config = {"username":"\x3C\x2Fscript\x3E\x3Cscript\x3Ealert\x28\"Pwnerton\"\x29"}; | ||
</script> | ||
``` | ||
### jsObj(value) | ||
Sanitizes output for a JavaScript literal in an HTML script context. | ||
```html | ||
<script> | ||
var config = USERINPUT; | ||
</script> | ||
``` | ||
This function encodes the object with `JSON.stringify()`, then | ||
escapes using `json()` detailed above. | ||
For example, with a literal object like `{username:'Albert | ||
@@ -456,57 +477,36 @@ </script><script>alert("Pwnerton")'}`, `jsObj()` gives output: | ||
If you'd like to contribute to or modify secure-filters, here's a quick guide | ||
to get you started. | ||
Please see the [Contribution Guide](./contributing.md). | ||
## Development Dependencies | ||
# Support | ||
- [node.js](http://nodejs.org) >= 0.10 | ||
Support is provided via [github issues](https://github.com/salesforce/secure-filters/issues). | ||
## Set-Up | ||
For responsible disclosures, email [Salesforce Security](mailto:security@salesforce.com). | ||
Download via GitHub and install npm dependencies: | ||
# Changelog | ||
```sh | ||
git clone git@github.com:goinstant/secure-filters.git | ||
cd secure-filters | ||
#### 1.1.0 | ||
npm install | ||
``` | ||
This release changes the behavior of secure-filters, but should be | ||
backwards-compatible with 1.0.5. | ||
## Testing | ||
- The `js`, `jsObj` and `jsAttr` filter now use a strict allow-list for | ||
characters in strings. This is safer, but does increase the size of these | ||
strings slightly. Compliant JSON and JavaScript parsers will not be affected | ||
negatively by this change. | ||
- The example for `jsAttr` was incorrect. It previously stated that `<ha>, | ||
'ha', "ha"` was escaped to `<ha>, \'ha\', \"ha\"` | ||
Testing is with the [mocha](https://github.com/visionmedia/mocha) framework. | ||
Tests are located in the `tests/` directory. | ||
#### 1.0.5 | ||
The unit tests are run twice: once under node.js and once under | ||
[PhantomJS](http://phantomjs.org/). PhantomJS test files are located in the | ||
`static/` directory. | ||
- Vastly improved documentation and illustrations | ||
To run the tests: | ||
#### 1.0.4 | ||
```sh | ||
npm test | ||
``` | ||
- Initial public release | ||
## Publishing | ||
1. `npm version patch` (increments `x` in `z.y.x`, then makes a commit for package.json, tags that commit) | ||
2. `git push --tags origin master` | ||
3. `npm publish` | ||
Go to https://npmjs.org/package/secure-filters and verify it published (can take several minutes) | ||
# Support | ||
Email [GoInstant Support](mailto:support@goinstant.com) or stop by [#goinstant on freenode](irc://irc.freenode.net#goinstant). | ||
For responsible disclosures, email [GoInstant Security](mailto:security@goinstant.com). | ||
To [file a bug](https://github.com/goinstant/secure-filters/issues) or | ||
[propose a patch](https://github.com/goinstant/secure-filters/pulls), | ||
please use github directly. | ||
# Legal | ||
© 2013 GoInstant Inc., a salesforce.com company | ||
© 2014 salesforce.com | ||
Licensed under the BSD 3-clause license. |
34
test.js
/*! | ||
* Copyright 2013 GoInstant Inc., a salesforce.com company | ||
* See LICENSE.txt for details. | ||
* Copyright (c) 2014, Salesforce.com, Inc. | ||
* All rights reserved. | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are met: | ||
* | ||
* Redistributions of source code must retain the above copyright notice, | ||
* this list of conditions and the following disclaimer. | ||
* | ||
* Redistributions in binary form must reproduce the above copyright notice, | ||
* this list of conditions and the following disclaimer in the documentation | ||
* and/or other materials provided with the distribution. | ||
* | ||
* Neither the name of Salesforce.com, nor the names of its contributors may | ||
* be used to endorse or promote products derived from this software without | ||
* specific prior written permission. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | ||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
* POSSIBILITY OF SUCH DAMAGE. | ||
*/ | ||
@@ -13,5 +39,5 @@ (function(root) { | ||
if (typeof module !== 'undefined' && module.exports) { | ||
assert = require('gi-assert'); | ||
assert = require('assert'); | ||
secureFilters = require('./index'); | ||
_ = require('lodash'); | ||
_ = require('underscore'); | ||
} else { | ||
@@ -18,0 +44,0 @@ assert = root.assert; |
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Shell access
Supply chain risk: This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Found 1 instance in 1 package
Uses eval
Supply chain risk: Package uses eval(), which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Found 2 instances in 1 package
Debug access
Supply chain risk: Uses debug, reflection and dynamic code execution features.
Found 1 instance in 1 package
Dynamic require
Supply chain risk: Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Found 1 instance in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 2 instances in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Minified code
Quality: This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries; however, packages on npm should not minify code.
Found 1 instance in 1 package
Mixed license
License (Experimental): Package contains multiple licenses.
Found 1 instance in 1 package
No website
Quality: Package does not have a website.
Found 1 instance in 1 package