You're Invited:Meet the Socket Team at RSAC and BSidesSF 2026, March 23–26.RSVP →
serialize-javascript
Advanced tools
serialize-javascript - npm Package Compare versions
+26
-2
@@ -18,2 +18,5 @@ /* | ||
| var UNSAFE_CHARS_REGEXP = /[<>\/\u2028\u2029]/g; | ||
| // Regex to match </script> and variations (case-insensitive) for XSS protection | ||
| // Matches </script followed by optional whitespace/attributes and > | ||
| var SCRIPT_CLOSE_REGEXP = /<\/script[^>]*>/gi; | ||
@@ -36,2 +39,17 @@ var RESERVED_SYMBOLS = ['*', 'async']; | ||
| // Escape function body for XSS protection while preserving arrow function syntax | ||
| function escapeFunctionBody(str) { | ||
| // Escape </script> sequences and variations (case-insensitive) - the main XSS risk | ||
| // Matches </script followed by optional whitespace/attributes and > | ||
| // This must be done first before other replacements | ||
| str = str.replace(SCRIPT_CLOSE_REGEXP, function(match) { | ||
| // Escape all <, /, and > characters in the closing script tag | ||
| return match.replace(/</g, '\\u003C').replace(/\//g, '\\u002F').replace(/>/g, '\\u003E'); | ||
| }); | ||
| // Escape line terminators (these are always unsafe) | ||
| str = str.replace(/\u2028/g, '\\u2028'); | ||
| str = str.replace(/\u2029/g, '\\u2029'); | ||
| return str; | ||
| } | ||
| function generateUID() { | ||
@@ -143,3 +161,3 @@ var bytes = crypto.getRandomValues(new Uint8Array(UID_LENGTH)); | ||
| function serializeFunc(fn) { | ||
| function serializeFunc(fn, options) { | ||
| var serializedFn = fn.toString(); | ||
@@ -150,2 +168,8 @@ if (IS_NATIVE_CODE_REGEXP.test(serializedFn)) { | ||
| // Escape unsafe HTML characters in function body for XSS protection | ||
| // This must preserve arrow function syntax (=>) while escaping </script> | ||
| if (options && options.unsafe !== true) { | ||
| serializedFn = escapeFunctionBody(serializedFn); | ||
| } | ||
| // pure functions, example: {key: function() {}} | ||
@@ -268,4 +292,4 @@ if(IS_PURE_FUNCTION.test(serializedFn)) { | ||
| return serializeFunc(fn); | ||
| return serializeFunc(fn, options); | ||
| }); | ||
| } |
+1
-1
| { | ||
| "name": "serialize-javascript", | ||
| "version": "7.0.0", | ||
| "version": "7.0.1", | ||
| "description": "Serialize JavaScript to a superset of JSON that includes regular expressions and functions.", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
+10
-4
@@ -7,3 +7,2 @@ Serialize JavaScript | ||
| [![npm Version][npm-badge]][npm] | ||
| [![Dependency Status][david-badge]][david] | ||
|  | ||
@@ -15,3 +14,3 @@ | ||
| You're probably wondering: **What about `JSON.stringify()`!?** We've found that sometimes we need to serialize JavaScript **functions**, **regexps**, **dates**, **sets** or **maps**. A great example is a web app that uses client-side URL routing where the route definitions are regexps that need to be shared from the server to the client. But this module is also great for communicating between node processes. | ||
| You're probably wondering: **What about `JSON.stringify()`!?** We've found that sometimes we need to serialize JavaScript **functions**, **regexps**, **dates**, **sets** or **maps**. A great example is a web app that uses client-side URL routing where the route definitions are regexps that need to be shared from the server to the client. | ||
@@ -24,2 +23,9 @@ The string returned from this package's single export function is literal JavaScript which can be saved to a `.js` file, or be embedded into an HTML document by making the content of a `<script>` element. | ||
| > [!WARNING] | ||
| > It may be tempting to use this package as a way to pass arbitrary functions into [worker threads][], since you cannot pass them directly via `postMessage()`. However, passing functions between worker threads is not possible in the general case. This package lets you serialize *some* functions, but it has limitations. | ||
| > | ||
| > For instance, if a function references something from outside the function body, it will not run properly if serialized and deserialized. This could include [closed-over variables][] or imports from other packages. For a serialized function to run properly, it must be entirely self-contained. | ||
| > | ||
| > In general, it is not possible to send arbitrary JavaScript to a worker thread, and pretend it's running the same way it would run on the main thread. This package doesn't let you do that. | ||
| ## Installation | ||
@@ -142,6 +148,6 @@ | ||
| [npm-badge]: https://img.shields.io/npm/v/serialize-javascript.svg?style=flat-square | ||
| [david]: https://david-dm.org/yahoo/serialize-javascript | ||
| [david-badge]: https://img.shields.io/david/yahoo/serialize-javascript.svg?style=flat-square | ||
| [express-state]: https://github.com/yahoo/express-state | ||
| [JSON.stringify]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify | ||
| [LICENSE]: https://github.com/yahoo/serialize-javascript/blob/main/LICENSE | ||
| [worker threads]: https://nodejs.org/api/worker_threads.html | ||
| [closed-over variables]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Closures |
No alert changes
Improved metrics
- Total package byte prevSize
18733
11.57%- Lines of code
237
10.23%- Number of lines in readme file
150
4.17%No dependency changes