Gathering detailed insights and metrics for xss-filters-es6
Gathering detailed insights and metrics for xss-filters-es6
Installations
npm install xss-filters-es6Developer Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
8.5.0
NPM Version
5.3.0
Score
75.5
Supply Chain
99.5
Quality
75
Maintenance
100
Vulnerability
100
License
Releases
Unable to fetch releases
Languages
1
JavaScript
JavaScript (100%)
Developer
hua1995116
Download Statistics
Total Downloads
3,299
Last Day
3
Last Week
5
Last Month
24
Last Year
335
GitHub Statistics
NOASSERTION License
125 Commits
2 Watchers
7 Branches
1 Contributors
Updated on Jul 15, 2019
Bundle Size
6.09 kB
Minified
2.21 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
1.0.0
Package Id
xss-filters-es6@1.0.0
Unpacked Size
299.61 kB
Size
52.89 kB
File Count
31
NPM Version
5.3.0
Node Version
8.5.0
Total Downloads
Cumulative downloads
Total Downloads
3,299
Last Day
0%
3
Compared to previous day
Last Week
150%
5
Compared to previous week
Last Month
-22.6%
24
Compared to previous month
Last Year
11.7%
335
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Secure XSS Filters
Just sufficient output filtering to prevent XSS!
Goals
-
More Secure. Context-dependent output filters that are developer-friendly. It is safe to apply these filters like so:
document.write("<a href=" + xssFilters.uriInUnQuotedAttr(url) + ">" + xssFilters.uriInHTMLData(url) + "</a>");In this example, the traditional wisdom of blindly escaping some special html entity characters (
&<>'"`) would not stop XSS (e.g., whenurlis equal tojavascript:alert(1)oronclick=alert(1)). -
Faster with Just Sufficient Encoding. Encode the minimal set of characters to thwart JavaScript executions, thus preventing XSS attacks while keeping most characters intact. Compared to the traditional blindly escape filter, our filters are up to two times faster, and there is no more double-encoding problems such as '&lt;'!!
Figure 1. "Just sufficient" encoding based on the HTML5 spec.
Design
- Automation. Nothing can be better than applying context-sensitive output escaping automatically. Integration with Handlebars template engine is now available. Check out express-secure-handlebars for server-side use, or secure-handlebars for client-side use.
- Standards Compliant. The XSS filters are designed primarily based on the modern HTML 5 Specification. The principle is to escape characters specific to each non-scriptable output context. Hence, untrusted inputs, once sanitized by context-sensitive escaping, cannot break out from the containing context. This approach stops malicious inputs from being executed as scripts, and also prevents the age-old problem of over/double-encoding.
- Carefully Designed. Every filter is heavily scrutinized by Yahoo Security Engineers. The specific sets of characters that require encoding are minimized to preserve usability to the greatest extent possible.
Quick Start
Server-side (nodejs)
Install the xss-filters npm, and include it as a dependency for your project.
1npm install xss-filters --save
Require xss-filters, and you may use it with your favorite template engine. Or just use it directly:
1var express = require('express'); 2var app = express(); 3var xssFilters = require('xss-filters'); 4 5app.get('/', function(req, res){ 6 var firstname = req.query.firstname; //an untrusted input collected from user 7 res.send('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>'); 8}); 9 10app.listen(3000);
Client-side (browser)
Simply download the latest minified version from the dist/ folder OR from the CDN. Embed it in your HTML file, and all filters are available in a global object called xssFilters.
1<!doctype html><!-- You need HTML 5 mode for browser --> 2... 3<script src="dist/xss-filters.min.js"></script> 4<script> 5var firstname = "..."; //an untrusted input collected from user 6document.write('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>') 7</script>
API Documentations
WARNINGS
(1) Filters MUST ONLY be applied to UTF-8-encoded documents.
(2) DON'T apply any filters inside any scriptable contexts, i.e., <script>, <style>, <object>, <embed>, and <svg> tags as well as style="" and onXXX="" (e.g., onclick) attributes. It is unsafe to permit untrusted input inside a scriptable context.
A workaround, if you need to include data for JS, is to use:
1<input id="strJS" value="{{{inDoubleQuotedAttr data}}}">
and retrieve your data with document.getElementById('strJS').value.
The API
There are five context-sensitive filters for generic input:
<div>{{{inHTMLData data}}}</div><!--{{{inHTMLComment comment}}}--><input value='{{{inSingleQuotedAttr value}}}'/><input value="{{{inDoubleQuotedAttr value}}}"/><input value={{{inUnQuotedAttr value}}}/>
Here we use {{{ }}} to indicate output expression to ease illustrations
Whenever possible, apply the most specific filter that describes your context and data:
| Input\Context | HTMLData | HTMLComment | SingleQuotedAttr | DoubleQuotedAttr | UnQuotedAttr |
|---|---|---|---|---|---|
| Full URI | uriInHTMLData() | uriInHTMLComment() | uriInSingleQuotedAttr() | uriInDoubleQuotedAttr() | uriInUnQuotedAttr() |
| URI Path | uriPathInHTMLData() | uriPathInHTMLComment() | uriPathInSingleQuotedAttr() | uriPathInDoubleQuotedAttr() | uriPathInUnQuotedAttr() |
| URI Query | uriQueryInHTMLData() | uriQueryInHTMLComment() | uriQueryInSingleQuotedAttr() | uriQueryInDoubleQuotedAttr() | uriQueryInUnQuotedAttr() |
| URI Component | uriComponentInHTMLData() | uriComponentInHTMLComment() | uriComponentInSingleQuotedAttr() | uriComponentInDoubleQuotedAttr() | uriComponentInUnQuotedAttr() |
| URI Fragment | uriFragmentInHTMLData() | uriFragmentInHTMLComment() | uriFragmentInSingleQuotedAttr() | uriFragmentInDoubleQuotedAttr() | uriFragmentInUnQuotedAttr() |
Check out the documentations for more details.
Contributing
To contribute, make changes in src/ and tests/, and then do:
1npm test # run the tests 2npm run-script build # build the minified version for client-side use 3npm run-script docs # build the docs
License
This software is free to use under the Yahoo BSD license. See the LICENSE file for license text and copyright information.
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
no SAST tool detected
Details
- Warn: no pull requests merged into dev branch
Reason
Found 0/30 approved changesets -- score normalized to 0
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Score
3
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More