UNPKG

@ordojs/security

Version:

Security package for OrdoJS with XSS, CSRF, and injection protection

113 lines 3.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
/** * Escape special HTML characters to prevent XSS attacks in template interpolations */ /** * Map of characters that need to be escaped in HTML */ const HTML_ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;', }; /** * Regular expression to match characters that need to be escaped */ const HTML_ESCAPE_REGEX = /[&<>"'`=\/]/g; /** * Escape HTML special characters to prevent XSS attacks * @param value String value to escape * @returns Escaped HTML string */ export function escapeHtml(value) { return String(value).replace(HTML_ESCAPE_REGEX, (char) => HTML_ESCAPE_MAP[char] || char); } /** * Template escaper for automatic HTML escaping in template interpolations */ export class TemplateEscaper { options; /** * Create a new TemplateEscaper instance * @param options Template escaper options */ constructor(options = {}) { this.options = { escapeByDefault: true, allowRawHtml: false, ...options, }; } /** * Escape a value for safe HTML interpolation * @param value Value to escape * @returns Escaped value */ escape(value) { if (value === null || value === undefined) { return ''; } if (typeof value === 'object') { return escapeHtml(JSON.stringify(value)); } return escapeHtml(String(value)); } /** * Create a tagged template function that automatically escapes interpolated values * @returns Tagged template function */ createEscapedTemplate() { return (strings, ...values) => { let result = ''; for (let i = 0; i < strings.length; i++) { result += strings[i]; if (i < values.length) { result += this.escape(values[i]); } } return result; }; } /** * Create a tagged template function that allows raw HTML (use with caution) * @returns Tagged template function for raw HTML * @throws Error if raw HTML is not allowed in options */ createRawTemplate() { if (!this.options.allowRawHtml) { throw new Error('Raw HTML templates are not allowed. Set allowRawHtml: true in options to enable.'); } return (strings, ...values) => { let result = ''; for (let i = 0; i < strings.length; i++) { result += strings[i]; if (i < values.length) { result += String(values[i]); } } return result; }; } } /** * Default template escaper instance */ export const defaultTemplateEscaper = new TemplateEscaper(); /** * Tagged template function that automatically escapes interpolated values * @example html\`<div>\${userInput}</div>\` // userInput is automatically escaped */ export const html = defaultTemplateEscaper.createEscapedTemplate(); /** * Create a raw HTML tagged template (use with caution) * Must be explicitly enabled by setting allowRawHtml: true */ export function createRawHtmlTemplate() { const escaper = new TemplateEscaper({ allowRawHtml: true }); return escaper.createRawTemplate(); } //# sourceMappingURL=template-escaper.js.map