UNPKG

xss-safe-display

Version:

A TypeScript library for safe display and sanitization to prevent XSS attacks.

github.com/MindaugasBaltrunas/xss-safe-display

MindaugasBaltrunas/xss-safe-display

109 lines (107 loc) 3.24 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
var __defProp = Object.defineProperty; var __name = (target, value) => __defProp(target, "name", { value, configurable: true }); // src/xssGuard.ts import DOMPurify from "dompurify"; var sanitizeString = /* @__PURE__ */ __name((value) => { if (!value) return ""; try { return DOMPurify.sanitize(value, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] }); } catch (error) { console.error("XSS sanitize error:", error); return value.replace(/<[^>]*>/g, ""); } }, "sanitizeString"); var sanitizeHTML = /* @__PURE__ */ __name((html, allowedTags = ["b", "i", "u", "p", "span", "br"]) => { if (!html) return ""; try { return DOMPurify.sanitize(html, { ALLOWED_TAGS: allowedTags, ALLOWED_ATTR: ["class", "style"] }); } catch (error) { console.error("HTML sanitize error:", error); return sanitizeString(html); } }, "sanitizeHTML"); var sanitizeObject = /* @__PURE__ */ __name((obj) => { if (!obj || typeof obj !== "object") return obj; if (Array.isArray(obj)) { return obj.map((item) => { if (typeof item === "string") { if (/<script\b[^>]*>(.*?)<\/script>/gi.test(item)) { return ""; } return item.replace(/<[^>]*>/g, ""); } if (item && typeof item === "object") { return sanitizeObject(item); } return item; }); } return Object.fromEntries( Object.entries(obj).map(([key, value]) => { if (typeof value === "string") { if (/<script\b[^>]*>(.*?)<\/script>/gi.test(value)) { return [key, ""]; } return [key, value.replace(/<[^>]*>/g, "")]; } if (value && typeof value === "object") { return [key, sanitizeObject(value)]; } return [key, value]; }) ); }, "sanitizeObject"); var escapeHTML = /* @__PURE__ */ __name((text) => { if (!text) return ""; return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;"); }, "escapeHTML"); var sanitizeUrl = /* @__PURE__ */ __name((url) => { if (!url) return "#"; const trimmed = String(url).trim(); const lower = trimmed.toLowerCase(); if (/^(javascript|data|vbscript):/.test(lower)) { return "#"; } if (trimmed.startsWith("/") || trimmed.startsWith("./") || trimmed.startsWith("../") || trimmed.startsWith("#")) { return trimmed; } if (lower.startsWith("mailto:")) { return trimmed; } if (lower.startsWith("http://") || lower.startsWith("https://")) { return trimmed; } if (/^[\w-]+(\.[\w-]+)+([\/?#].*)?$/.test(trimmed)) { return `https://${trimmed}`; } return "#"; }, "sanitizeUrl"); // src/index.ts var safeDisplay = { text: /* @__PURE__ */ __name((value) => { if (value === void 0 || value === null) return ""; const textValue = String(value); return escapeHTML(textValue); }, "text"), html: /* @__PURE__ */ __name((content, allowedTags) => { return { __html: sanitizeHTML(content, allowedTags) }; }, "html"), url: /* @__PURE__ */ __name((url) => { return sanitizeUrl(url); }, "url") }; export { escapeHTML, safeDisplay, sanitizeHTML, sanitizeObject, sanitizeString, sanitizeUrl }; //# sourceMappingURL=index.mjs.map