Enterprise-grade security module for frontend and backend applications with comprehensive protection against XSS, CSRF, SQL injection, and other security vulnerabilities
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare every named export (in the same order the original chained
// assignment created them) so the export shape is fixed before the
// definitions further down assign the real values. CommonJS emit of the
// .ts source named in the comment below.
exports.XssSanitizer = void 0;
exports.sanitizeInput = void 0;
exports.sanitizeRecursive = void 0;
exports.sanitizeUrl = void 0;
exports.xssSanitizer = void 0;
const tslib_1 = require("tslib");
// shared-security/frontend/xssSanitizer.ts
const xss_1 = require("xss");
const dompurify_1 = tslib_1.__importDefault(require("dompurify"));
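class XssSanitizer {
  /**
   * Builds a sanitizer around a `xss` FilterXSS instance.
   *
   * @param {object} [options] - FilterXSS options laid over the defaults
   *   below with a shallow spread: passing `options.whiteList` REPLACES the
   *   default allow-list instead of extending it. Two extra keys are read by
   *   `sanitize()` and otherwise forwarded to FilterXSS unchanged:
   *   `useDOMPurify` (boolean) and `domPurifyConfig` (DOMPurify config).
   */
  constructor(options) {
    this.options = {
      // Tag -> allowed attributes. Attribute VALUES (e.g. href) are not
      // configured here, so FilterXSS's default attribute handling applies.
      // `target` is allowed on <a>; callers that render untrusted links with
      // target="_blank" should still make sure rel="noopener" is present.
      whiteList: {
        b: [],
        i: [],
        strong: [],
        em: [],
        p: [],
        br: [],
        span: ['class'],
        div: ['class'],
        a: ['href', 'target', 'rel'],
        ul: [],
        ol: [],
        li: [],
        h1: [],
        h2: [],
        h3: [],
        h4: [],
        h5: [],
        h6: [],
      },
      // Tags outside the whiteList are removed rather than escaped...
      stripIgnoreTag: true,
      // ...and for these tags their text content is removed as well.
      stripIgnoreTagBody: ['script', 'style', 'iframe', 'object', 'embed'],
      // Inline-style filtering is disabled. That is only safe because no
      // tag above allows a `style` attribute; re-enable it if one is added.
      css: false,
      ...options,
    };
    this.xssFilter = new xss_1.FilterXSS(this.options);
  }

  /**
   * Sanitizes a string against XSS with the whitelist filter.
   * If `options.useDOMPurify` is set AND a DOM is available (`window` is
   * defined), DOMPurify runs first and its output is fed to FilterXSS;
   * outside a browser the DOMPurify step is silently skipped.
   *
   * @param {string} input - Untrusted HTML or text
   * @returns {string} Sanitized HTML ('' for null/undefined/empty input)
   */
  sanitize(input) {
    if (!input) return '';
    let html = input;
    if (this.options.useDOMPurify && typeof window !== 'undefined') {
      html = dompurify_1.default.sanitize(html, this.options.domPurifyConfig);
    }
    return this.xssFilter.process(html);
  }

  /**
   * Sanitizes every string inside an object or array, recursively.
   * Strings go through `sanitize()`; arrays and plain objects are rebuilt;
   * all other values (numbers, booleans, null, ...) are returned as-is.
   * Note that any non-null `typeof 'object'` value (Date, Map, Buffer, class
   * instances) is rebuilt as a plain object from its own enumerable keys,
   * so such values lose their prototype and non-enumerable state.
   *
   * @param {*} data - Value to sanitize
   * @returns {*} Sanitized copy (same shape as `data`)
   */
  sanitizeRecursive(data) {
    if (!data) return data;
    if (typeof data === 'string') return this.sanitize(data);
    if (Array.isArray(data)) {
      return data.map((item) => this.sanitizeRecursive(item));
    }
    if (typeof data === 'object') {
      const result = {};
      for (const key in data) {
        if (!Object.prototype.hasOwnProperty.call(data, key)) continue;
        // An own "__proto__" key (e.g. from JSON.parse of attacker-controlled
        // input) is not copied by `result[key] = ...`: that assignment hits
        // the Object.prototype.__proto__ setter and re-parents `result`
        // instead. Drop the key so nothing can be smuggled via the prototype.
        if (key === '__proto__') continue;
        result[key] = this.sanitizeRecursive(data[key]);
      }
      return result;
    }
    return data;
  }

  /**
   * Strips inline event-handler attributes (on*) from an HTML string.
   * The attribute separator may be whitespace or "/" (<img/onerror=...> is
   * valid HTML) and the value may be double-quoted, single-quoted or
   * unquoted (ending at whitespace or ">"). This is a regex deny-list, not
   * an HTML parser: it also matches "on..." look-alikes in text, and it does
   * not reject javascript: URLs or other non-handler vectors. Prefer
   * `sanitize()` for untrusted markup; use this only as a secondary layer.
   *
   * @param {string} html - HTML string
   * @returns {string} HTML with on* attributes removed ('' for empty input)
   */
  sanitizeHtmlAttributes(html) {
    if (!html) return '';
    return String(html).replace(
      /[\s/]on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi,
      ''
    );
  }

  /**
   * Rejects URLs whose scheme executes script.
   * Browsers strip leading C0 controls/spaces and drop TAB/CR/LF anywhere
   * before resolving the scheme, so the same normalisation is applied before
   * matching; otherwise " javascript:" or "java\tscript:" would pass. The
   * input is expected to be an already entity-decoded URL string. Schemes
   * other than javascript:/vbscript: (including data:) are passed through
   * unchanged; apply an allow-list at the call site for src-type contexts.
   *
   * @param {string} url - URL to check
   * @returns {string} The original `url`, or '' if it is rejected or empty
   */
  sanitizeUrl(url) {
    if (!url) return '';
    const normalized = String(url)
      .replace(/[\t\n\r]/g, '')
      .replace(/^[\x00-\x20]+/, '');
    if (/^(?:javascript|vbscript):/i.test(normalized)) {
      return '';
    }
    return url;
  }
}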
exports.XssSanitizer = XssSanitizer;
// One module-wide instance built with the default options; the helper
// functions below and the `xssSanitizer` export all share it.
const defaultSanitizer = new XssSanitizer();
/** Sanitizes a single string with the default sanitizer. */
function sanitizeInput(input) {
  return defaultSanitizer.sanitize(input);
}
exports.sanitizeInput = sanitizeInput;
/** Sanitizes every string in an object/array with the default sanitizer. */
function sanitizeRecursive(data) {
  return defaultSanitizer.sanitizeRecursive(data);
}
exports.sanitizeRecursive = sanitizeRecursive;
/** Checks a URL with the default sanitizer's `sanitizeUrl`. */
function sanitizeUrl(url) {
  return defaultSanitizer.sanitizeUrl(url);
}
exports.sanitizeUrl = sanitizeUrl;
// The shared instance itself, for callers that want the class API.
exports.xssSanitizer = defaultSanitizer;
//# sourceMappingURL=xssSanitizer.js.map
;