@ordojs/security

/** * Escape special HTML characters to prevent XSS attacks in template interpolations */ /** * Map of characters that need to be escaped in HTML */ const HTML_ESCAPE_MAP: Record<string, string> = { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''', '/': '/', '`': '`', '=': '=', }; /** * Regular expression to match characters that need to be escaped */ const HTML_ESCAPE_REGEX = /[&<>"'`=\/]/g; /** * Escape HTML special characters to prevent XSS attacks * @param value String value to escape * @returns Escaped HTML string */ export function escapeHtml(value: string): string { return String(value).replace(HTML_ESCAPE_REGEX, (char) => HTML_ESCAPE_MAP[char] || char); } /** * Options for the template escaper */ export interface TemplateEscaperOptions { /** * Whether to escape all interpolated values by default * @default true */ escapeByDefault: boolean; /** * Whether to allow raw HTML through the raw tag function * @default false */ allowRawHtml: boolean; } /** * Template escaper for automatic HTML escaping in template interpolations */ export class TemplateEscaper { private options: TemplateEscaperOptions; /** * Create a new TemplateEscaper instance * @param options Template escaper options */ constructor(options: Partial<TemplateEscaperOptions> = {}) { this.options = { escapeByDefault: true, allowRawHtml: false, ...options, }; } /** * Escape a value for safe HTML interpolation * @param value Value to escape * @returns Escaped value */ escape(value: unknown): string { if (value === null || value === undefined) { return ''; } if (typeof value === 'object') { return escapeHtml(JSON.stringify(value)); } return escapeHtml(String(value)); } /** * Create a tagged template function that automatically escapes interpolated values * @returns Tagged template function */ createEscapedTemplate(): (strings: TemplateStringsArray, ...values: unknown[]) => string { return (strings: TemplateStringsArray, ...values: unknown[]): string => { let result = ''; for (let i = 0; i < strings.length; i++) { result += strings[i]; if (i < values.length) { result += this.escape(values[i]); } } return result; }; } /** * Create a tagged template function that allows raw HTML (use with caution) * @returns Tagged template function for raw HTML * @throws Error if raw HTML is not allowed in options */ createRawTemplate(): (strings: TemplateStringsArray, ...values: unknown[]) => string { if (!this.options.allowRawHtml) { throw new Error('Raw HTML templates are not allowed. Set allowRawHtml: true in options to enable.'); } return (strings: TemplateStringsArray, ...values: unknown[]): string => { let result = ''; for (let i = 0; i < strings.length; i++) { result += strings[i]; if (i < values.length) { result += String(values[i]); } } return result; }; } } /** * Default template escaper instance */ export const defaultTemplateEscaper = new TemplateEscaper(); /** * Tagged template function that automatically escapes interpolated values * @example html\`<div>\${userInput}</div>\` // userInput is automatically escaped */ export const html = defaultTemplateEscaper.createEscapedTemplate(); /** * Create a raw HTML tagged template (use with caution) * Must be explicitly enabled by setting allowRawHtml: true */ export function createRawHtmlTemplate(): (strings: TemplateStringsArray, ...values: unknown[]) => string { const escaper = new TemplateEscaper({ allowRawHtml: true }); return escaper.createRawTemplate(); }