npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

safescript

v0.2.0

Published

Safe way to embed your script in HTML

Downloads

40

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

eadidenkoeadidenkorsedykhrsedykhuploadcare-useruploadcare-usernd0utnd0ut

Keywords

Readme

SafeScript

SafeScript is one of the ways to avoid the by-design <script> HTML element vulnerability. Check out this article to learn more.

Long story short, unlike any other HTML tag, <script> implies different rules of escaping its content. The proper escaping is unreasonably difficult and can even be impossible under certain circumstances.

The problems with escaping often make the <script> element a source of vulnerabilities.

Instead of following uncertain rules, you can use <safescript> which follows regular HTML escaping rules via HTML entities.

For example, your EJS template could look like this:

<script>
  window.__INITIAL_STATE__ = <%- JSON.stringify(initialState) %>;
</script>

Which then makes your HTML look like that:

<script>
  window.__INITIAL_STATE__ = {
    "user": {
      "name": "</script><script>alert(document.location)</script>"
    }
  };
</script>

The valid JavaScript code above is not so valid from the HTML specs perspective: it contains a vulnerability.

With <safescript>, you must escape every special HTML character with a respective HTML entity. But once you do it, you can be sure all the script content will be decoded correctly.

To install SafeScript, simply run:

$ npm install safescript

Then, use <safescript> in the same manner as <script>:

<script src="./node_modules/safescript/index.js"></script>
<safescript>
  window.__INITIAL_STATE__ = <%= JSON.stringify(initialState) %>;
</safescript>

And here is how your actual HTML will look like:

<script src="./node_modules/safescript/index.js"></script>
<safescript>
  window.__INITIAL_STATE__ = {
    &#34;user&#34;: {
      &#34;name&#34;:&#34;&lt;/script&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;&#34;
    }
  };
</safescript>