UNPKG

@juspay/neurolink

Version:

Universal AI Development Platform with working MCP integration, multi-provider support, voice (TTS/STT/realtime), and professional CLI. 58+ external MCP servers discoverable, multimodal file processing, RAG pipelines. Build, test, and deploy AI applicatio

github.com/juspay/neurolink

juspay/neurolink

326 lines (325 loc) 9.58 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
/** * HTML/XSS Sanitization Utilities * Context-aware output escaping following OWASP guidelines * * This module provides: * - HTML entity escaping for safe display * - JavaScript string escaping for embedding in scripts * - URL escaping for query parameters * - JSON string sanitization * * Pure TypeScript implementation with no external dependencies. * * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html */ /** * Escape HTML special characters for safe insertion into HTML context. * Use this when you need to display user text as plain text (not HTML). * * OWASP Rule 1: HTML Encode Before Inserting Untrusted Data into HTML Element Content * * @param text - Raw text to escape * @returns HTML-escaped text safe for insertion into HTML * * @example * const userName = '<script>alert(1)</script>'; * const safe = escapeHtml(userName); * // Returns: '&lt;script&gt;alert(1)&lt;/script&gt;' * * @example * // Safe to use in HTML * const html = `<div>${escapeHtml(userInput)}</div>`; */ export function escapeHtml(text) { if (!text || typeof text !== "string") { return ""; } return text .replace(/&/g, "&amp;") .replace(/</g, "&lt;") .replace(/>/g, "&gt;") .replace(/"/g, "&quot;") .replace(/'/g, "&#x27;") .replace(/\//g, "&#x2F;"); } /** * Unescape HTML entities back to their original characters. * Use with caution - only on trusted content. * * @param text - HTML-escaped text * @returns Unescaped text * * @example * const escaped = '&lt;div&gt;Hello&lt;/div&gt;'; * const original = unescapeHtml(escaped); * // Returns: '<div>Hello</div>' */ export function unescapeHtml(text) { if (!text || typeof text !== "string") { return ""; } return text .replace(/&#x2F;/g, "/") .replace(/&#x27;/g, "'") .replace(/&quot;/g, '"') .replace(/&gt;/g, ">") .replace(/&lt;/g, "<") .replace(/&amp;/g, "&"); } /** * Escape text for safe insertion into JavaScript string literals. * Use when embedding user data in inline JavaScript. * * OWASP Rule 3: JavaScript Encode Before Inserting Untrusted Data into JavaScript Data Values * * @param text - Raw text to escape * @returns JavaScript-escaped text safe for string literals * * @example * const userInput = "Hello\nWorld"; * const safe = escapeJavaScript(userInput); * // Returns: 'Hello\\nWorld' * * @example * // Safe to use in inline script * const script = `const name = '${escapeJavaScript(userName)}';`; */ export function escapeJavaScript(text) { if (!text || typeof text !== "string") { return ""; } return text .replace(/\\/g, "\\\\") .replace(/'/g, "\\'") .replace(/"/g, '\\"') .replace(/\n/g, "\\n") .replace(/\r/g, "\\r") .replace(/\t/g, "\\t") .replace(/[\b]/g, "\\b") // Backspace (using character class) .replace(/\f/g, "\\f") // Form feed .replace(/</g, "\\x3C") // Prevent </script> injection .replace(/>/g, "\\x3E") .replace(/&/g, "\\x26"); } /** * Escape text for safe insertion into URLs. * Use for query parameter values. * * OWASP Rule 5: URL Encode Before Inserting Untrusted Data into URL Parameter Values * * @param text - Raw text to escape * @returns URL-encoded text safe for query parameters * * @example * const query = 'hello world&foo=bar'; * const safe = escapeUrl(query); * // Returns: 'hello%20world%26foo%3Dbar' * * @example * // Safe to use in URL * const url = `https://example.com/search?q=${escapeUrl(userQuery)}`; */ export function escapeUrl(text) { if (!text || typeof text !== "string") { return ""; } return encodeURIComponent(text); } /** * Decode URL-encoded text. * * @param text - URL-encoded text * @returns Decoded text * * @example * const encoded = 'hello%20world'; * const decoded = decodeUrl(encoded); * // Returns: 'hello world' */ export function decodeUrl(text) { if (!text || typeof text !== "string") { return ""; } try { return decodeURIComponent(text); } catch { // Return original if decoding fails (malformed input) return text; } } /** * Sanitize JSON string value to prevent injection attacks. * Ensures string can be safely used in JSON without breaking structure. * * @param value - Raw string value * @returns Escaped string safe for JSON values * * @example * const userInput = 'Hello\n"World"'; * const safe = sanitizeJsonString(userInput); * // Returns: 'Hello\\n\\"World\\"' */ export function sanitizeJsonString(value) { if (!value || typeof value !== "string") { return ""; } return value .replace(/\\/g, "\\\\") .replace(/"/g, '\\"') .replace(/\n/g, "\\n") .replace(/\r/g, "\\r") .replace(/\t/g, "\\t") .replace(/[\b]/g, "\\b") .replace(/\f/g, "\\f"); } /** * Escape text for safe insertion into CSS context. * Use when embedding user data in style attributes or stylesheets. * * OWASP Rule 4: CSS Encode And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values * * @param text - Raw text to escape * @returns CSS-escaped text * * @example * const userColor = 'red; background: url(evil.com)'; * const safe = escapeCss(userColor); * // Escapes dangerous characters */ export function escapeCss(text) { if (!text || typeof text !== "string") { return ""; } // Escape characters that could break out of CSS context or inject malicious CSS return text .replace(/\\/g, "\\5c ") .replace(/"/g, "\\22 ") .replace(/'/g, "\\27 ") .replace(/</g, "\\3c ") .replace(/>/g, "\\3e ") .replace(/&/g, "\\26 ") .replace(/\(/g, "\\28 ") .replace(/\)/g, "\\29 ") .replace(/;/g, "\\3b ") .replace(/:/g, "\\3a ") .replace(/{/g, "\\7b ") .replace(/}/g, "\\7d "); } /** * Strip all HTML tags from content, leaving only text. * Useful for extracting plain text from HTML. * * @param html - HTML content * @returns Plain text with all tags removed * * @example * const html = '<p>Hello <b>World</b></p>'; * const text = stripHtmlTags(html); * // Returns: 'Hello World' */ export function stripHtmlTags(html) { if (!html || typeof html !== "string") { return ""; } // Strip all HTML tags iteratively until the string is stable. // The loop handles nested tag fragments that reform after inner tags are removed, // e.g. "<scr<script>ipt>" becomes "<script>" after the first pass. // Using a single generic regex avoids fragile paired-tag matching // (e.g. <script>...</script>) which CodeQL flags for incomplete sanitization. let sanitized = html; let previous; do { previous = sanitized; sanitized = sanitized.replace(/<[^>]*>/g, ""); } while (sanitized !== previous); return sanitized .replace(/\s+/g, " ") // Normalize whitespace .trim(); } /** * Escape text for safe use in XML/XHTML context. * Similar to HTML escaping but uses XML numeric entities. * * @param text - Raw text to escape * @returns XML-escaped text */ export function escapeXml(text) { if (!text || typeof text !== "string") { return ""; } return text .replace(/&/g, "&amp;") .replace(/</g, "&lt;") .replace(/>/g, "&gt;") .replace(/"/g, "&quot;") .replace(/'/g, "&apos;"); } /** * Sanitize content for safe inclusion in HTML attributes. * More aggressive than escapeHtml - also handles newlines and tabs. * * @param value - Attribute value to sanitize * @returns Sanitized attribute value * * @example * const attr = 'value" onclick="alert(1)'; * const safe = sanitizeHtmlAttribute(attr); * // Returns: 'value&quot; onclick=&quot;alert(1)' */ export function sanitizeHtmlAttribute(value) { if (!value || typeof value !== "string") { return ""; } return value .replace(/&/g, "&amp;") .replace(/"/g, "&quot;") .replace(/'/g, "&#x27;") .replace(/</g, "&lt;") .replace(/>/g, "&gt;") .replace(/\n/g, "&#10;") .replace(/\r/g, "&#13;") .replace(/\t/g, "&#9;"); } /** * Check if a string contains potentially dangerous HTML content. * Does NOT sanitize - use other functions for that. * * @param text - Text to check * @returns true if text contains dangerous patterns * * @example * containsDangerousHtml('<script>alert(1)</script>'); // true * containsDangerousHtml('Hello World'); // false */ export function containsDangerousHtml(text) { if (!text || typeof text !== "string") { return false; } const lowerText = text.toLowerCase(); // Check for script tags if (/<script/i.test(text)) { return true; } // Check for event handlers if (/\bon[a-z]+\s*=/i.test(text)) { return true; } // Check for javascript: URLs if (lowerText.includes("javascript:")) { return true; } // Check for data: URLs (potentially dangerous) if (lowerText.includes("data:text/html")) { return true; } // Check for CSS expressions if (lowerText.includes("expression(") || lowerText.includes("-moz-binding")) { return true; } // Check for iframe/object/embed if (/<(iframe|object|embed)/i.test(text)) { return true; } return false; }