How can I disable inline javascript but allow external .js file? - xss

(please excuse my poor English, I'll try to make myself clear as much as possible, thanks!)
I'm not an advanced user. I want to block any internal javascript (Internal Style Sheet) code, but allow all external .js files.

You can disable inline javascript using the UserCSP addon in Firefox. If you set up a CSP for a site it will by default block inline JS and functions that create js from strings like eval.
https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/

Related

How can I read a CSS Variable in NativeScript using JavaScript

I use CSS Variables in my NativeScript-Vue App, as described in the official documentation. I am looking for a way to read the value of a variable using JavaScript. Since there is no real browser engine, the established way doesn't work.
There is not much documentation, but there actually is a method mentioned in the API documentation: Style.getCssVariable(name). Using this method you can read CSS Variables, defined in the app.[s]css like this:
const color = this.$root.nativeView.style.getCssVariable('--color-primary')
console.log(color); // e.g. '#FF0000'
I would have expected this to also work on this.$el, but for some reason this will only return null in my setup, although the variables are in the global scope and available in the style of the very same component. Maybe someone else can clarify why this is.
in app.css
.main{
--primary: #02AC46;
--secondary: #ED7200;
}
in any .css
background-color: var(--primary);

Meteor: index.html is getting huge

In my meteor project I can separate the javascript files in the client and server directories. But I cannot find a solution for all the html templates I need to define.
The problem I have now is that I need to embed this svg image in a template too, which is a huge image. So now I have this html file which is now 2 times 'huge' :)
The reason I need to have this svg inline in my html/template is because I need to style it with css. Any suggestions ?
You can put the .html files anywhere! Besides the server directory, of course. The natural place to store them is the client folder, and a good practice is to keep each template in a separate file. The Javascript code related to that template (data helpers, events, callbacks) can then go to a file with the same name and with extension .js instead of .html. These are the basics if you want to keep your project tidy.

Taking all javascript from html to page-specific js file

What bothers me a bit about django is that I see in many examples that raw javascript is included in html with the <script> tag. I would like to have it in independent files which are included in every page in the <head> tag so that the html stays clean. So that I will call something like {% add_jscript %}some js code{% endaddjsscript %} anywhere in the template to add js code. After all processing, when the page is generated, it will dynamically collect all portions of added js code from the processed templates and serve them as one js file.
Does some app already do this, or am I forced to do this on my own?
I use django-sekizai (https://github.com/ojii/django-sekizai/) for this kind of thing. If I understand you correctly, I believe that is what you are looking for.
I know I'm a bit late to the party, but another option you could try (shameless plug) is a django app I've been working on which will allow you to inject django variables directly into external javascript files, a la Require.js
django-js-variable-injector

use django variables in external script files

I have a lot of scripts written inline along with the HTML. Now I am trying to move the scripts to an external file. But most of my scripts use django variables and if/else statements, so I am not able to move these scripts to external files. Is it possible to use django template variables/conditions in scripts loaded from an external file?
What you are asking for is a client-side include, in order to ultimately retain the external file as a "link". That means the main page loads, and then the external content is loaded, all client side. Yet you want the include to be django-processed.
Django templates are rendered server-side, meaning that they have to be evaluated with the context, server side. The main page has to fold the includes into it in order to serve it to the client. Thus, what you are asking for is possible, if you accept that you can keep your content in external files, but they will be rendered in the same page.
Otherwise, you would have to do something more complicated like have javascript load the external pages, passing the same context information back to the server, which can render the template through a different url endpoint. Or just rely on the session data, and have the other url render its page completely on its own.
Did you use include? Make another html file and include it in the parent template.
You can pass additional context to the template using keyword arguments:
{% include "name_snippet.html" with person="Jane" greeting="Hello" %}

Preventing XSS in Node.js / server side javascript

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes, etc. from POSTed data?
I don't want to have to write a regex for all that :)
Any suggestions?
I've created a module that bundles the Caja HTML Sanitizer
npm install sanitizer
http://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.npmjs.com/package/sanitizer
Any feedback appreciated.
One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.
Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.
Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:
Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)
Relies on either a browser's DOM or jsdom for Node.JS.
Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.
Supports HTML, MathML, and SVG
Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)
Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
Has special options to sanitize further for certain common types of HTML template metacharacters.
They're serious about compatibility and reliability
Automated tests running on 16 different browsers as well as three different major versions of Node.JS.
To ensure developers and CI hosts are all on the same page, lock files are published.
All usual techniques apply to node.js output as well, which means:
Blacklists will not work.
You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
You're supposed to HTML-escape text in HTML output.
I'm not sure if node.js comes with some built-in for this, but something like that should do the job:
// Replace the HTML-significant characters with entities; '&' must go first so the
// entities produced by the later replacements are not escaped a second time.
function htmlEscape(text) {
  return text.replace(/&/g, '&amp;').
    replace(/</g, '&lt;'). // it's not necessary to escape >
    replace(/"/g, '&quot;').
    replace(/'/g, '&#39;');
}
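To make the "escape the output, don't filter the input" advice concrete, here is an added example (not from the original answer) of doing that escaping at render time in Node.js: an html`...` tagged template escapes every interpolated value by default, and a separate safeHref check covers the one place where escaping alone is not enough, a URL in an href, since a javascript: URL survives HTML escaping unchanged. All names and the sample comment data are constructed for this example.

```javascript
// Added example: HTML-escape untrusted values at output time, plus a URL scheme check for href.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape all five HTML-significant characters so the value is safe in text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Wrapper marking a fragment that is already safe HTML (e.g. the result of another html`` call).
class SafeHtml {
  constructor(s) { this.html = s; }
  toString() { return this.html; }
}

// html`...` escapes every interpolated value unless it is a SafeHtml instance,
// so forgetting to escape is no longer the default outcome.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.html : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Escaping does not make a URL safe inside href. Resolve it against a dummy base
// (so relative links keep working) and accept only the schemes we expect; anything
// else, including javascript: in any capitalisation, is replaced by '#'.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url), 'https://example.invalid/');
  } catch (e) {
    return '#';
  }
  return ['http:', 'https:', 'mailto:'].includes(parsed.protocol) ? String(url).trim() : '#';
}

// Render one untrusted comment; author, body and site come straight from a POST body.
function renderComment({ author, body, site }) {
  return html`<li><a href="${safeHref(site)}">${author}</a>: ${body}</li>`.toString();
}
```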
I recently discovered node-validator by chriso.
Example
get('/', function (req, res) {
//Sanitize user input
req.sanitize('textarea').xss(); // No longer supported
req.sanitize('foo').toBoolean();
});
XSS Function Deprecation
The XSS function is no longer available in this library.
https://github.com/chriso/validator.js#deprecations
You can also look at ESAPI. There is a javascript version of the library. It's pretty sturdy.
In newer versions of validator module you can use the following script to prevent XSS attack:
var validator = require('validator');
var escaped_string = validator.escape(someString);
Try out the npm module strip-js. It performs the following actions:
Sanitizes HTML
Removes script tags
Removes attributes such as "onclick", "onerror", etc. which contain JavaScript code
Removes "href" attributes which contain JavaScript code
https://www.npmjs.com/package/strip-js
Update 2021-04-16: xss is a module used to filter input from users to prevent XSS attacks.
Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist.
Visit https://www.npmjs.com/package/xss
Project Homepage: http://jsxss.com
You should try library npm "insane".
https://github.com/bevacqua/insane
I tried it in production; it works well. The size is very small (around 3kb gzipped).
Sanitize html
Removes all attributes or tags that evaluate js
You can allow attributes or tags that you don't want sanitized
The documentation is very easy to read and understand.