[Pkg-javascript-commits] [node-security] 01/10: Imported Upstream version 1.0.0~git20130515

Mike Gabriel sunweaver at debian.org
Thu Dec 15 10:22:46 UTC 2016



sunweaver pushed a commit to branch master
in repository node-security.

commit 58b0f71a87dc189b2815942cef57aad82df95784
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Wed May 15 08:01:02 2013 +0200

    Imported Upstream version 1.0.0~git20130515
---
 README.md    | 56 +++++++++++++++++++++++++++++++++++
 index.js     | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 package.json | 16 ++++++++++
 test/test.js | 44 ++++++++++++++++++++++++++++
 4 files changed, 211 insertions(+)

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..275819d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,56 @@
+# js-security #
+
+Encoding and decoding methods c/o OWASP
+
+## Interface ##
+### HTML ###
+`escapeHTML`, `escapeHTMLAttribute`
+
+```
+// A hyperlink.
+markup = '<a href="'+ escapeHTMLAttribute(url) +'"' + '>' + escapeHTML(url) + '</a>'
+```
+
+### JAVASCRIPT ###
+`encodeJavaScriptIdentifier`, `encodeJavaScriptString`, `encodeJavaScriptData`
+
+```
+// A JSON response.
+content = encodeJavaScriptIdentifier(req.params[callback]) + '(' + encodeJavaScriptData(req.params) + ')'
+```
+
+### CSS ###
+`encodeCSSIdentifier`, `encodeCSSString`
+
+```
+// A CSS selector
+$elements = $('.' + encodeCSSIdentifier(theClass) + [title=' + encodeCSSString(theTitle) + ']')
+```
+
+```
+// A CSS declaration
+$element.css('background-image', 'url(' + encodeCSSString(theUrl) + ')')
+```
+
+## License ##
+Released under the MIT license.
+
+    Copyright (c) 2011 Chad Weider
+
+    Permission is hereby granted, free of charge, to any person obtaining a
+    copy of this software and associated documentation files (the "Software"),
+    to deal in the Software without restriction, including without limitation
+    the rights to use, copy, modify, merge, publish, distribute, sublicense,
+    and/or sell copies of the Software, and to permit persons to whom the
+    Software is furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in
+    all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+    THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+    DEALINGS IN THE SOFTWARE.
diff --git a/index.js b/index.js
new file mode 100644
index 0000000..678d6b9
--- /dev/null
+++ b/index.js
@@ -0,0 +1,95 @@
+/*!
+
+  Copyright (c) 2011 Chad Weider
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to deal
+  in the Software without restriction, including without limitation the rights
+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+  SOFTWARE.
+
+*/
+
+var HTML_ENTITY_MAP = {
+  '&': '&'
+, '<': '<'
+, '>': '>'
+, '"': '"'
+, "'": '&#x27;'
+, '/': '&#x2F;'
+};
+
+// OSWASP Guidlines: &, <, >, ", ' plus forward slash.
+var HTML_CHARACTERS_EXPRESSION = /[&"'<>\/]/gm;
+function escapeHTML(text) {
+  return text && text.replace(HTML_CHARACTERS_EXPRESSION, function (c) {
+    return HTML_ENTITY_MAP[c] || c;
+  });
+}
+
+// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space.
+var HTML_ATTRIBUTE_CHARACTERS_EXPRESSION =
+    /[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF]/gm;
+function escapeHTMLAttribute(text) {
+  return text && text.replace(HTML_ATTRIBUTE_CHARACTERS_EXPRESSION, function (c) {
+    return HTML_ENTITY_MAP[c] || "&#x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2) + ";";
+  });
+};
+
+// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space.
+// Also include line breaks (for literal).
+var JAVASCRIPT_CHARACTERS_EXPRESSION =
+    /[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF\u2028\u2029]/gm;
+function encodeJavaScriptIdentifier(text) {
+  return text && text.replace(JAVASCRIPT_CHARACTERS_EXPRESSION, function (c) {
+    return "\\u" + ('0000' + c.charCodeAt(0).toString(16)).slice(-4);
+  });
+}
+function encodeJavaScriptString(text) {
+  return text && '"' + encodeJavaScriptIdentifier(text) + '"';
+}
+
+// This is not great, but it is useful.
+var JSON_STRING_LITERAL_EXPRESSION =
+    /"(?:\\.|[^"])*"/gm;
+function encodeJavaScriptData(object) {
+  return JSON.stringify(object).replace(JSON_STRING_LITERAL_EXPRESSION, function (string) {
+    return encodeJavaScriptString(JSON.parse(string));
+  });
+}
+
+
+// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space.
+var CSS_CHARACTERS_EXPRESSION =
+    /[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF]/gm;
+function encodeCSSIdentifier(text) {
+  return text && text.replace(CSS_CHARACTERS_EXPRESSION, function (c) {
+    return "\\" + ('000000' + c.charCodeAt(0).toString(16)).slice(-6);
+  });
+}
+
+function encodeCSSString(text) {
+  return text && '"' + encodeCSSIdentifier(text) + '"';
+}
+
+exports.escapeHTML = escapeHTML;
+exports.escapeHTMLAttribute = escapeHTMLAttribute;
+
+exports.encodeJavaScriptIdentifier = encodeJavaScriptIdentifier;
+exports.encodeJavaScriptString = encodeJavaScriptString;
+exports.encodeJavaScriptData = encodeJavaScriptData;
+
+exports.encodeCSSIdentifier = encodeCSSIdentifier;
+exports.encodeCSSString = encodeCSSString;
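Review bot: As rendered here, the first four entries of HTML_ENTITY_MAP (`'&': '&'`, `'<': '<'`, `'>': '>'`, `'"': '"'`) map each character to itself, which would make escapeHTML a no-op for exactly the characters it exists to neutralise. The test in the same commit expects `&amp;` for a bare `&` and its other expected strings show the same decoding, so this is most likely the list archive decoding the named entities (`&amp;`, `&lt;`, `&gt;`, `&quot;`) rather than what the committed file contains; the packaged index.js should still be checked against upstream before it ships. Separately, encodeJavaScriptData calls `.replace` on the result of `JSON.stringify(object)`, which is `undefined` for `undefined`, functions and symbols, so those inputs fail with an unrelated TypeError; a guard such as `var json = JSON.stringify(object); if (json === undefined) throw new TypeError('encodeJavaScriptData: value has no JSON representation');` would make the failure explicit.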
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..9eea944
--- /dev/null
+++ b/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "security"
+, "description": "Utility methods for escaping according to OWASP."
+, "keywords": ["security", "OWASP", "encoding", "escaping"]
+, "author": {
+		"name": "Chad Weider"
+	, "email": "cweider at oofn.net"
+	, "url": "http://oofn.net"
+  }
+, "dependencies": {}
+, "version": "1.0.0"
+, "repository": {
+    "type": "git"
+	, "url": "git://github.com/cweider/js-security"
+  }
+}
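Review bot: The manifest declares `"dependencies": {}` but no `devDependencies` and no `scripts` entry, while test/test.js in this commit relies on the mocha globals `describe` and `it`, so `npm test` has nothing to run and the suite cannot be executed reproducibly from the package. Adding `"scripts": { "test": "mocha" }` and `"devDependencies": { "mocha": "<version placeholder>" }` would record how the tests are meant to be run. The `repository.url` uses the unauthenticated `git://` transport; the `https://github.com/cweider/js-security` form gives clients an integrity-protected clone path.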
diff --git a/test/test.js b/test/test.js
new file mode 100644
index 0000000..6d33d03
--- /dev/null
+++ b/test/test.js
@@ -0,0 +1,44 @@
+var Security = require('../');
+var assert = require('assert');
+
+describe("escapeHTML", function () {
+  it('should work', function () {
+    assert.equal(Security.escapeHTML("&<>\"'/"), "&<>"&#x27;&#x2F;");
+  });
+  it('should double encode', function () {
+    assert.equal(Security.escapeHTML("&"), "&amp;");
+  });
+});
+
+describe("escapeHTMLAttribute", function () {
+  it('should work', function () {
+    assert.equal(Security.escapeHTMLAttribute("\n\t\""), "&#x0a;&#x09;"");
+    assert.equal(Security.escapeHTMLAttribute(
+      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
+    , "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
+  });
+});
+
+describe("encodeJavaScriptString", function () {
+  it('should work', function () {
+    assert.equal(Security.encodeJavaScriptString("\n\t\"\u2028\u2029"), "\"\\u000a\\u0009\\u0022\\u2028\\u2029\"");
+    assert.equal(Security.encodeJavaScriptString(
+      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
+    , "\"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\"");
+  });
+});
+
+describe("encodeJavaScriptData", function () {
+  it('should work', function () {
+    assert.equal(Security.encodeJavaScriptData({"Funny\nKey": ["Funny\nValue"]}), "{\"Funny\\u000aKey\":[\"Funny\\u000aValue\"]}");
+  });
+});
+
+describe("encodeCSSString", function () {
+  it('should work', function () {
+    assert.equal(Security.encodeCSSString("\n\t\""), "\"\\00000a\\000009\\000022\"");
+    assert.equal(Security.encodeCSSString(
+      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
+    , "\"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\"");
+  });
+});
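Review bot: The expected strings at the first escapeHTML and escapeHTMLAttribute assertions contain a bare `"` inside a double-quoted literal as rendered here, which would not parse; this looks like the archive decoding `&quot;` (the 'should double encode' case expects `&amp;` from a bare `&`, consistent with the same decoding), so the file as packaged should be checked against upstream. The assertions use the coercing `assert.equal`; `assert.strictEqual` would also reject a non-string result such as the `undefined` every encoder returns when called without an argument. Nothing exercises escapeHTMLAttribute, encodeJavaScriptIdentifier or encodeCSSIdentifier on characters above `\xFF`, which their character classes do not cover, so that pass-through behaviour is not pinned down by the tests.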
