ProductPromotion
Logo

Java.Script

made by https://0x3d.site

GitHub - YahooArchive/xss-filters: Secure XSS Filters.
Secure XSS Filters. Contribute to YahooArchive/xss-filters development by creating an account on GitHub.
Visit Site

GitHub - YahooArchive/xss-filters: Secure XSS Filters.

GitHub - YahooArchive/xss-filters: Secure XSS Filters.

Secure XSS Filters

Just sufficient output filtering to prevent XSS!

npm version dependency status Build Status

Goals

  • More Secure. Context-dependent output filters that are developer-friendly. It is safe to apply these filters like so:

    document.write("<a href=" + xssFilters.uriInUnQuotedAttr(url) + ">" + xssFilters.uriInHTMLData(url) + "</a>");

    In this example, the traditional wisdom of blindly escaping some special html entity characters (& < > ' " `) would not stop XSS (e.g., when url is equal to javascript:alert(1) or onclick=alert(1)).

  • Faster with Just Sufficient Encoding. Encode the minimal set of characters to thwart JavaScript executions, thus preventing XSS attacks while keeping most characters intact. Compared to the traditional blindly escape filter, our filters are up to two times faster, and there is no more double-encoding problems such as '&amp;lt;'!!

    alt Visualizing the concept of just sufficient encoding Figure 1. "Just sufficient" encoding based on the HTML5 spec.

Design

  • Automation. Nothing can be better than applying context-sensitive output escaping automatically. Integration with Handlebars template engine is now available. Check out express-secure-handlebars for server-side use, or secure-handlebars for client-side use.
  • Standards Compliant. The XSS filters are designed primarily based on the modern HTML 5 Specification. The principle is to escape characters specific to each non-scriptable output context. Hence, untrusted inputs, once sanitized by context-sensitive escaping, cannot break out from the containing context. This approach stops malicious inputs from being executed as scripts, and also prevents the age-old problem of over/double-encoding.
  • Carefully Designed. Every filter is heavily scrutinized by Yahoo Security Engineers. The specific sets of characters that require encoding are minimized to preserve usability to the greatest extent possible.

Quick Start

Server-side (nodejs)

Install the xss-filters npm, and include it as a dependency for your project.

npm install xss-filters --save

Require xss-filters, and you may use it with your favorite template engine. Or just use it directly:

var express = require('express');
var app = express();
var xssFilters = require('xss-filters');

app.get('/', function(req, res){
  var firstname = req.query.firstname; //an untrusted input collected from user
  res.send('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>');
});

app.listen(3000);

Client-side (browser)

Simply download the latest minified version from the dist/ folder OR from the CDN. Embed it in your HTML file, and all filters are available in a global object called xssFilters.

<!doctype html><!-- You need HTML 5 mode for browser -->
...
<script src="dist/xss-filters.min.js"></script>
<script>
var firstname = "..."; //an untrusted input collected from user
document.write('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>')
</script>

API Documentations

WARNINGS

(1) Filters MUST ONLY be applied to UTF-8-encoded documents.

(2) DON'T apply any filters inside any scriptable contexts, i.e., <script>, <style>, <object>, <embed>, and <svg> tags as well as style="" and onXXX="" (e.g., onclick) attributes. It is unsafe to permit untrusted input inside a scriptable context.

A workaround, if you need to include data for JS, is to use:

<input id="strJS" value="{{{inDoubleQuotedAttr data}}}">

and retrieve your data with document.getElementById('strJS').value.

The API

There are five context-sensitive filters for generic input:

  • <div> {{{inHTMLData data}}} </div>
  • <!-- {{{inHTMLComment comment}}} -->
  • <input value=' {{{inSingleQuotedAttr value}}} '/>
  • <input value=" {{{inDoubleQuotedAttr value}}} "/>
  • <input value= {{{inUnQuotedAttr value}}} />

Here we use {{{ }}} to indicate output expression to ease illustrations

Whenever possible, apply the most specific filter that describes your context and data:

Input\Context HTMLData HTMLComment SingleQuotedAttr DoubleQuotedAttr UnQuotedAttr
Full URI uriInHTMLData() uriInHTMLComment() uriInSingleQuotedAttr() uriInDoubleQuotedAttr() uriInUnQuotedAttr()
URI Path uriPathInHTMLData() uriPathInHTMLComment() uriPathInSingleQuotedAttr() uriPathInDoubleQuotedAttr() uriPathInUnQuotedAttr()
URI Query uriQueryInHTMLData() uriQueryInHTMLComment() uriQueryInSingleQuotedAttr() uriQueryInDoubleQuotedAttr() uriQueryInUnQuotedAttr()
URI Component uriComponentInHTMLData() uriComponentInHTMLComment() uriComponentInSingleQuotedAttr() uriComponentInDoubleQuotedAttr() uriComponentInUnQuotedAttr()
URI Fragment uriFragmentInHTMLData() uriFragmentInHTMLComment() uriFragmentInSingleQuotedAttr() uriFragmentInDoubleQuotedAttr() uriFragmentInUnQuotedAttr()

Check out the documentations for more details.

Contributing

To contribute, make changes in src/ and tests/, and then do:

npm test              # run the tests
npm run-script build  # build the minified version for client-side use
npm run-script docs   # build the docs

License

This software is free to use under the Yahoo BSD license. See the LICENSE file for license text and copyright information.

More Resources
to explore the angular.

mail [email protected] to add your project or resources here 🔥.

Related Articles
to learn about angular.

FAQ's
to learn more about Angular JS.

mail [email protected] to add more queries here 🔍.

More Sites
to check out once you're finished browsing here.

0x3d
https://www.0x3d.site/
0x3d is designed for aggregating information.
NodeJS
https://nodejs.0x3d.site/
NodeJS Online Directory
Cross Platform
https://cross-platform.0x3d.site/
Cross Platform Online Directory
Open Source
https://open-source.0x3d.site/
Open Source Online Directory
Analytics
https://analytics.0x3d.site/
Analytics Online Directory
JavaScript
https://javascript.0x3d.site/
JavaScript Online Directory
GoLang
https://golang.0x3d.site/
GoLang Online Directory
Python
https://python.0x3d.site/
Python Online Directory
Swift
https://swift.0x3d.site/
Swift Online Directory
Rust
https://rust.0x3d.site/
Rust Online Directory
Scala
https://scala.0x3d.site/
Scala Online Directory
Ruby
https://ruby.0x3d.site/
Ruby Online Directory
Clojure
https://clojure.0x3d.site/
Clojure Online Directory
Elixir
https://elixir.0x3d.site/
Elixir Online Directory
Elm
https://elm.0x3d.site/
Elm Online Directory
Lua
https://lua.0x3d.site/
Lua Online Directory
C Programming
https://c-programming.0x3d.site/
C Programming Online Directory
C++ Programming
https://cpp-programming.0x3d.site/
C++ Programming Online Directory
R Programming
https://r-programming.0x3d.site/
R Programming Online Directory
Perl
https://perl.0x3d.site/
Perl Online Directory
Java
https://java.0x3d.site/
Java Online Directory
Kotlin
https://kotlin.0x3d.site/
Kotlin Online Directory
PHP
https://php.0x3d.site/
PHP Online Directory
React JS
https://react.0x3d.site/
React JS Online Directory
Angular
https://angular.0x3d.site/
Angular JS Online Directory