
© 2024 – Pkg Stats / Ryan Hefner

js-sanitizer

v1.0.15

Published

Sanitize JavaScript code provided as a string. This is a JavaScript sanitizer and not an HTML sanitizer! It prevents JavaScript code written as a string from accessing global variables (in Node.js, and via `window` in the browser).

Downloads: 235

Readme

Motivation

Using eval() or the newer new Function() is a known security risk, and it is generally a bad idea to use them.

However, there are some use cases where one is forced to use them.

This library is written for the sole purpose of reducing the security risks associated with running a function built from a string. This is done by trying to sanitize the string, in this case by preventing access to any global/window variable from inside the string. Under the hood this library forces the function into a scope where the global/window variables are undefined.

⚠️ DISCLAIMER: ⚠️ I do not claim this library to be 100% safe (or even close), use at your own risk.

Installation

npm add js-sanitizer
# or
yarn add js-sanitizer

Usage

TypeScript:

import { sanitize } from 'js-sanitizer';

const data = 'test';
const myFn = sanitize('(x) => x');
console.log({ ran: myFn(data) });

JavaScript:

const { sanitize } = require('js-sanitizer');

const data = 'test';
const myFn = sanitize('(x) => x');
console.log({ ran: myFn(data) });

Options

sanitize() accepts an optional options object:

interface SanitizerOptions {
   /*
      Allow the user to use specific functions/classes.
      Note: a name listed both here and in expandBanList will be allowed;
      e.g. sanitize(fn, { allow: ['JSON'] }) lets the string use JSON functions (e.g. JSON.stringify).
   */
   allow: string[];
   /*
      Set to true if you need to prevent usage of window properties.
   */
   sanitizeWindowProperties: boolean;
   /*
      Throws an error if a specific JavaScript keyword is present in the string.
   */
   preventKeyWord: KeywordType[];
   /*
      Throws an error if any string listed here is present in the string to be sanitized.
   */
   preventString: string[];
   /*
      Expand the current ban list with other functions/classes that should not be accessible.
      It is generally a good idea to add all the global variables you defined yourself here.
   */
   expandBanList: string[];
   /*
      Logs with console.error instead of throwing the error.
      Note: this only affects errors from preventKeyWord or preventString, not errors thrown by the function being sanitized.
   */
   failSilently: boolean;
}
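The Motivation section says the library "forces the function into a scope where the global/window variables are undefined", and the Options section describes `allow`, `expandBanList` and `preventString`. The following is an added example, not js-sanitizer's own code, showing one way that scoping technique can be built with new Function(): every global name becomes a parameter of a wrapper that is called without arguments, so inside the user string those names resolve to undefined. The option names mirror the README's interface; how they combine here (allow applied after the ban list is built, preventString checked before evaluation) is an assumption for illustration.

```javascript
// Added example (not the js-sanitizer implementation): a minimal version of
// the global-shadowing technique the README describes. Every own property
// name of globalThis, plus anything in expandBanList, becomes a parameter of
// a wrapper function that is invoked with no arguments, so inside the user
// string those names refer to the shadowing parameter (undefined) rather
// than to the real global. Names in `allow` are left unshadowed.
// Option semantics here are an assumption, not the library's documented ones.
const IDENT = /^[A-Za-z_$][\w$]*$/;

function shadowSanitize(code, opts = {}) {
  const { allow = [], expandBanList = [], preventString = [] } = opts;
  if (typeof code !== 'string') throw new TypeError('code must be a string');

  // Cheap pre-check: refuse the string outright if a banned substring is present.
  for (const s of preventString) {
    if (code.includes(s)) throw new Error(`banned string present: ${s}`);
  }

  // Ban list = globals present at call time + caller-supplied names, minus allow list.
  // The Set removes duplicates (a name in both lists would otherwise repeat as a parameter).
  const allowed = new Set(allow);
  const banned = [...new Set([...Object.getOwnPropertyNames(globalThis), ...expandBanList])]
    .filter((n) => IDENT.test(n) && !allowed.has(n));

  // The wrapper's parameters shadow the globals; calling it with no arguments
  // evaluates the user string with each shadowed name bound to undefined.
  const wrapper = new Function(...banned, `return (${code});`);
  const fn = wrapper();
  if (typeof fn !== 'function') throw new TypeError('code must evaluate to a function');
  return fn;
}
```

As the README notes for `allow`, a name that appears in both `allow` and `expandBanList` ends up allowed, because the allow set is applied after the ban list is assembled.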