esapi / node-esapi
A minimal port of the old, publicly archived "owasp-esapi-js" (Enterprise Security API for JavaScript) encoder.
License: MIT License
So I have been working on a chat project on Replit called Butzbach Chat that uses Node.js. It uses the Socket.IO library, which is very useful. I also have the Express and HTTP modules installed. Then I got a comment that the website is open to XSS. So I looked it up and used OWASP's website for the DOM-based XSS cheat sheet. I came across the node-esapi module and I am using it. I imported the library using ESAPI as the variable name. I used app.use(ESAPI.middleware()); to use the ESAPI client scripts, and I used org.owasp.esapi.ESAPI.initialize() in the client script to use the functions. However, when I used $ESAPI.encoder().encodeForJS(), the developer console showed the following.
I am using the latest version of Google Chrome. I went to check esapi.js and found that the function doesn't exist.
I can use the other 2 functions for JavaScript, but can you add the encodeForJS definition for the client scripts?
Hi Karl - this is awesome! I haven't seen some of this code in ages! :) I would love to move this project over to the official ESAPI Github and help foster some community involvement in the project!
If you would like to get this moving let me know and we'll get it moved over! Great work by the way!
The function encodeForHTMLAttribute encodes the symbol '@' too. However, if we have such an element:
<input id="email" autocomplete="off" type="email" placeholder="[email protected]" class="form-control" name="email" value="[email protected]" maxlength="100" autofocus="">
then encodeForHTMLAttribute encodes '[email protected]' to user@example.com.
What is the right way to encode this value so it looks like [email protected]?
Thanks,
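Two of the reports above concern output encoding for different contexts: a JavaScript-string encoder (encodeForJS) that the first reporter could not find in the client script, and an attribute encoder that escapes '@'. The following is an added example, not code from node-esapi or owasp-esapi-js: two minimal context-specific encoders written in the ESAPI spirit (every character outside [A-Za-z0-9] is escaped; that the attribute encoder treats '@' this way is an assumption matching the behaviour described), plus an entity decoder that shows what a browser sees when it parses the encoded attribute value. The function names encodeForHTMLAttribute, encodeForJavaScript, decodeHTMLEntities and renderEmailInput are chosen here and are not the library's API.

```javascript
// Added example (not node-esapi code): context-specific output encoders and a
// decoder that shows the value the browser actually ends up with.

// HTML attribute context: every character outside [A-Za-z0-9] becomes a numeric
// entity. This conservative rule is why an e-mail address comes out as
// user&#x40;example&#x2E;com (assumed behaviour, matching the report above).
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    return '&#x' + cp.toString(16).toUpperCase() + ';';
  });
}

// JavaScript string-literal context: \xHH for code units below 0x100,
// \uHHHH otherwise. Works on UTF-16 code units, so astral characters become
// two \u escapes, which a JS interpreter reads back as the original pair.
function encodeForJavaScript(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const cu = ch.charCodeAt(0);
    return cu < 0x100
      ? '\\x' + cu.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + cu.toString(16).toUpperCase().padStart(4, '0');
  });
}

// What the HTML parser does with an attribute value: numeric and the common
// named references are decoded before the value reaches the DOM / input field.
function decodeHTMLEntities(text) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return String(text).replace(/&(#[xX][0-9A-Fa-f]+|#[0-9]+|[A-Za-z]+);/g, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : m;
  });
}

// Server-side rendering of the input element from the report, with the value
// passed through the attribute encoder. Only the raw markup shows the entities.
function renderEmailInput(email) {
  return '<input id="email" type="email" name="email" value="' +
    encodeForHTMLAttribute(email) + '">';
}

// True when the encoded attribute value contains nothing that could end the
// quoted attribute or start a tag: only alphanumerics and entity syntax remain.
function isInertAttributeValue(encoded) {
  return /^[A-Za-z0-9&#;]*$/.test(encoded);
}

// Constructed sample input, as the reporter's value would look before encoding.
const sampleEmail = 'user@example.com';
console.log(renderEmailInput(sampleEmail));
console.log('browser sees:', decodeHTMLEntities(encodeForHTMLAttribute(sampleEmail)));
console.log('in a JS literal:', encodeForJavaScript(sampleEmail));
```

The round trip shows why the encoded '@' is not a defect in the rendered page: the HTML parser decodes &#x40; in the attribute value before it reaches the input field, so the field displays user@example.com and only the page source looks different. The same holds for encodeForJavaScript output placed inside a quoted JS string literal: the interpreter turns \x40 back into '@', while a quote, backslash or '<' in the input can no longer close the literal or the surrounding script element.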
The node-esapi repo does not contain any CONTRIBUTING.md guidelines. We (as a corporation) are preparing a PR bringing more code to node-esapi from owasp-esapi-js code (also adding bug fixes & a test harness), and are wondering whether we need to undergo any kind of constraint (document sign-off... etc) before submitting the code.
Thanks
xxxx
Try npm i --save-dev @types/node-esapi if it exists or add a new declaration (.d.ts) file containing declare module 'node-esapi'; ts(7016)
The npm package published does not have a license field in package.json. Because of this, tools like Blackduck and snyk.io report "License Not Found".