diff options
Diffstat (limited to 'static/js/security.js')
-rw-r--r-- | static/js/security.js | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/static/js/security.js b/static/js/security.js new file mode 100644 index 00000000..6f42d051 --- /dev/null +++ b/static/js/security.js @@ -0,0 +1,54 @@ +/** + * Copyright 2009 Google Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS-IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +var HTML_ENTITY_MAP = { + '&': '&' +, '<': '<' +, '>': '>' +, '"': '"' +, "'": ''' +, '/': '/' +}; + +// OSWASP Guidlines: &, <, >, ", ' plus forward slash. +var HTML_CHARACTERS_EXPRESSION = /[&"'<>\/]/g; +function escapeHTML(text) { + return text && text.replace(HTML_CHARACTERS_EXPRESSION, function (c) { + return HTML_ENTITY_MAP[c] || c; + }); +} + +// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space. +var HTML_ATTRIBUTE_CHARACTERS_EXPRESSION = + /[\x00-\x2F\x3A-\x40\5B-\x60\x7B-\xFF]/g; +function escapeHTMLAttribute(text) { + return text && text.replace(HTML_ATTRIBUTE_CHARACTERS_EXPRESSION, function (c) { + return "&#x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2) + ";"; + }); +}; + +// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space. +var JAVASCRIPT_CHARACTERS_EXPRESSION = + /[\x00-\x2F\x3A-\x40\5B-\x60\x7B-\xFF]/g; +function escapeJavaScriptData(text) { + return text && text.replace(JAVASCRIPT_CHARACTERS_EXPRESSION, function (c) { + return "\\x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2); + }); +} + +exports.escapeHTML = escapeHTML; +exports.escapeHTMLAttribute = escapeHTMLAttribute; +exports.escapeJavaScriptData = escapeJavaScriptData; |