esapi / node-esapi Goto Github PK

So I have been working on an chat project on Replit called Butzbach Chat that used Node.js. It uses the Socket.IO library, which is very useful. I also have Express and HTTP modules installed. Then I got a comment about the website is open to XSS. So I looked it up and used OWASP's website for the DOM-based XSS cheat sheet. I came across the node-esapi module and I am using it. I imported the library using ESAPI as the variable name. I used app.use(ESAPI.middleware()); to use ESAPI client scripts, and I used org.owasp.esapi.ESAPI.initialize() in the client script to use the functions. However, when I used $ESAPI.encoder().encodeForJS(), the developer console showed the following.

I am using the latest version of Google Chrome. I went to check esapi.js and found that the function doesn't exist.

I can use the other 2 functions for JavaScript, but can you add the encodeForJS definition for the client scripts?

Hi Karl - this is awesome! I haven't seen some of this code in ages! :) I would love to move this project over to the official ESAPI Github and help foster some community involvement in the project!

https://github.com/ESAPI

If you would like to get this moving let me know and we'll get it moved over! Great work by the way!

The function encodeForHTMLAttribute encodes the symbol '@' too. However, if we have such an element:

<input id="email" autocomplete="off" type="email" placeholder="[email protected]" class="form-control" name="email" value="[email protected]" maxlength="100" autofocus="">

then encodeForHTMLAttribute encodes '[email protected]' it to user@example.com.
What is the right way to encode this value so it looks like [email protected]?

Thanks,

@DeadAlready & @chrisisbeef ,

The node-esapi repo does not contain any CONTRIBUTING.md guidelines. We (as a corporation) are preparing a PR bringing more code to node-esapi from owasp-esapi-js code (also adding bug fixes & a test harness), and are wondering wether we need to undergo any kind of constraint (document sign-off... etc) before submitting the code.

Thanks

xxxx

Try npm i --save-dev @types/node-esapi if it exists or add a new declaration (.d.ts) file containing declare module 'node-esapi';ts(7016)

The npm package published does not have license field in package.json. Because of this tools like Blackduck and snyk.io report "License Not Found".