npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

anti

v0.1.7

Published

Anti is an XSS protection module.

Downloads

24

Readme

Anti

Anti is an Cross-site Scripting (XSS) protection module for the Browser & NodeJS. It uses DOMParser (or NodeJS equivalent XMLDom) rather than Regular expressions (RegEx) to process DOM just as a browser would. This makes Anti safe to many XSS workarounds by nature.

Installation

npm install anti

Usage

You can use Anti in a browser or in NodeJS, pass it an unsanitized string of DOM and get a sanitized string (or a DOM object) in return. Note that the returned String/DOMObject will be wrapped around a div with class="anti".

var XSSParser = new Anti();
var result = XSSParser.parse('<div class="hello world">!</div><script>alert("xss")</script>');
console.log(result);
// Output: <div class="anti"><div class="hello world">!</div></div>

> Browsers

Anti includes full support for browsers. It does not use Regular Expressions (RegEx) but rather the browser's internal method DOMParser. Support for this method is approximately 97% of all browsers (http://caniuse.com/#feat=xml-serializer) and provides superior security compared to innerHTML method. You can include anti.js or anti.min.js from the build folder like so:

...
<body>
...
<script src="build/anti.min.js"></script>
</body>

Or using Browserify

// Install (refer to installation)
var Anti = require('anti');
// Refer to Usage

Alternatively when using Bower

bower install anti
// Include bower_components/anti/build/anti.min.js

Filters

You can modify default filter lists that are extended to every instance of Anti. Filters are an array of lowercase strings that are compared for parsing. If an element tag is a part of the filter it will be kept in the final results. (e.g. script tag is not part of the ACCEPTABLE_BLOCK_ELEMENTS). Instance Filters are as follows:

  • ACCEPTABLE_BLOCK_ELEMENTS all acceptable DOM elements (e.g. div, table, nav, etc.)
  • ACCEPTABLE_SANITARY_ATTRIBUTES all acceptable DOM attributes which do not include a URL (e.g. title, height, align, etc.)
  • ACCEPTABLE_UNSANITARY_ATTRIBUTES all acceptable DOM attributes which include a URL (e.g. href, src, style, etc.)

As Filters are JS arrays you can modify them using Push, Pop, Shift, Unshift methods or you can modify them entirely to your liking:

var XSSParser = new Anti();
// Only allow div, span tags <div>, <span>
XSSParser.ACCEPTABLE_BLOCK_ELEMENTS = ['div', 'span'];

// Only allow title attribute <div title="test">
XSSParser.ACCEPTABLE_SANITARY_ATTRIBUTES = ['title'];
XSSParser.ACCEPTABLE_UNSANITARY_ATTRIBUTES = [];

var result = XSSParser.parse('<div title="test" style="display:none">Hello World!</div><section>This will be excluded</section>');
console.log(result);
// Output: <div class="anti"><div title="test">Hello World!</div></div>

Options

You can pass options while creating an Anti instance or by modifying the Options attribute in that specific instance. e.g.

// Forces Anti to return a DOM object instead of a serialized string, hence you will be able to directly append the output
var options = { serialize: false };

var XSSParser = new Anti(options);
// Alternatively XSSParses.Options.serialize = false
var result = XSSParser.parse('<div>test</div>');
console.log(result);
// Output: [object HTMLDivElement]

Options include:

  • serialize: Boolean(default: true) Returns a serialized/string DOM instead of a DOM Object
  • wrapper: String(default: "") A single wrapper element that wraps around the output
  • experimentalInlineCSS: Boolean(default: false) Allows for inline style parsing and filtering (!EXPERIMENTAL)

Experimental -> Inline CSS Parser

To use experimental feature you'll need to include either anti.experimental.js or anti.experimental.min.js from the build folder. Note that experimental features are available by default in the NodeJS version. Inline CSS feature brings in a built in CSS parser and Url Validator. This feature allows for filtering of inline CSS styles (e.g. style="font-size: 2px; color: red;"). You can enable this feature by passing { experimentalInlineCSS: true } options to the Anti constructor. Note that this method uses an internal parsing function with only one RegEx test to test for validity of url() values. The filter for this method is defined as ACCEPTABLE_CSS_PROPERTIES.

Disclaimer:

This module utilizes a doze of insanity and a drop of blood from the Black Witch of the North to bring joy to your divs and html elements without the hassle of unwanted magic spells and bacteria incorporated with your non-sanitary method of sanitization. Thus it is highly experimental to the extent that even this sentence is currently being tested in our non-existent laboratory which I will assure you is experimental itself. Use it at your own risk.

License

MIT © Schahriar SaffarShargh - Full License