Secure XSS Filters
=================
Just sufficient output filtering to prevent XSS!

[![npm version][npm-badge]][npm]
[![dependency status][dep-badge]][dep-status]
![Build Status](https://travis-ci.org/yahoo/xss-filters)

[npm]: https://www.npmjs.org/package/xss-filters
[npm-badge]: https://img.shields.io/npm/v/xss-filters.svg?style=flat-square
[dep-status]: https://david-dm.org/yahoo/xss-filters
[dep-badge]: https://img.shields.io/david/yahoo/xss-filters.svg?style=flat-square

Goals

- More Secure. Context-dependent output filters that are developer-friendly. It is safe to apply these filters like so:

document.write("" + xssFilters.uriInHTMLData(url) + "");

In this example, the traditional wisdom of blindly escaping some special html entity characters (& < > ' " ` `) would not stop XSS (e.g., when url is equal to javascript:alert(1) or onclick=alert(1)).

- Faster with Just Sufficient Encoding. Encode the minimal set of characters to thwart JavaScript executions, thus preventing XSS attacks while keeping most characters intact. Compared to the traditional blindly escape filter, our filters are up to two times faster, and there is no more double-encoding problems such as '&lt;'!!

!alt Visualizing the concept of just sufficient encoding Figure 1. "Just sufficient" encoding based on the HTML5 spec.

`Design`


- Automation. Nothing can be better than applying context-sensitive output escaping automatically. Integration with Handlebars template engine is now available. Check out express-secure-handlebars for server-side use, or secure-handlebars for client-side use.
- Standards Compliant. The XSS filters are designed primarily based on the modern HTML 5 Specification. The principle is to escape characters specific to each non-scriptable output context. Hence, untrusted inputs, once sanitized by context-sensitive escaping, cannot break out from the containing context. This approach stops malicious inputs from being executed as scripts, and also prevents the age-old problem of over/double-encoding.
- Carefully Designed. Every filter is heavily scrutinized by Yahoo Security Engineers. The specific sets of characters that require encoding are minimized to preserve usability to the greatest extent possible.
Quick Start
$3

Install the xss-filters npm, and include it as a dependency for your project.`sh npm install xss-filters --save`

Require xss-filters, and you may use it with your favorite template engine. Or just use it directly:

`javascript var express = require('express'); var app = express(); var xssFilters = require('xss-filters');

app.get('/', function(req, res){ var firstname = req.query.firstname; //an untrusted input collected from user res.send('

`Hello, ' + xssFilters.inHTMLData(firstname) + '!`

');
});

app.listen(3000);`

`$3`

Simply download the latest minified version from the dist/ folder OR from the CDN. Embed it in your HTML file, and all filters are available in a global object called xssFilters.

`html ...`

API Documentations -------

`$3`

(1) Filters MUST ONLY be applied to UTF-8-encoded documents.

(2) DON'T apply any filters inside any scriptable contexts, i.e., xss-filters - npm explorer

xss-filters

v1.2.7

Secure XSS Filters - Just sufficient output filtering to prevent XSS!

xss output filter sanitize sanitise escape encode filter context-aware context-sensitive security

141.9K/weekUpdated 3 years ago

Published by Adonis Fung

npm install xss-filters

Repository Homepage npm

Secure XSS Filters
=================
Just sufficient output filtering to prevent XSS!

[![npm version][npm-badge]][npm]
[![dependency status][dep-badge]][dep-status]
![Build Status](https://travis-ci.org/yahoo/xss-filters)

Goals

- More Secure. Context-dependent output filters that are developer-friendly. It is safe to apply these filters like so:

document.write("" + xssFilters.uriInHTMLData(url) + "");

!alt Visualizing the concept of just sufficient encoding Figure 1. "Just sufficient" encoding based on the HTML5 spec.

`Design`


- Automation. Nothing can be better than applying context-sensitive output escaping automatically. Integration with Handlebars template engine is now available. Check out express-secure-handlebars for server-side use, or secure-handlebars for client-side use.
- Standards Compliant. The XSS filters are designed primarily based on the modern HTML 5 Specification. The principle is to escape characters specific to each non-scriptable output context. Hence, untrusted inputs, once sanitized by context-sensitive escaping, cannot break out from the containing context. This approach stops malicious inputs from being executed as scripts, and also prevents the age-old problem of over/double-encoding.
- Carefully Designed. Every filter is heavily scrutinized by Yahoo Security Engineers. The specific sets of characters that require encoding are minimized to preserve usability to the greatest extent possible.
Quick Start
$3

Install the xss-filters npm, and include it as a dependency for your project.`sh npm install xss-filters --save`

Require xss-filters, and you may use it with your favorite template engine. Or just use it directly:

`javascript var express = require('express'); var app = express(); var xssFilters = require('xss-filters');

app.get('/', function(req, res){ var firstname = req.query.firstname; //an untrusted input collected from user res.send('

`Hello, ' + xssFilters.inHTMLData(firstname) + '!`

');
});

app.listen(3000);`

`$3`

Simply download the latest minified version from the dist/ folder OR from the CDN. Embed it in your HTML file, and all filters are available in a global object called xssFilters.

`html ...`

API Documentations -------

`$3`

(1) Filters MUST ONLY be applied to UTF-8-encoded documents.

(2) DON'T apply any filters inside any scriptable contexts, i.e.,