├── .gitignore
├── .jshintrc
├── .travis.yml
├── README.md
├── bower.json
├── gulpfile.js
├── index.html
├── index.js
├── karma.conf-ci.js
├── karma.conf.js
├── package.json
├── page
    ├── index.html
    └── xss.js
├── references.md
├── securitySpec.md
└── test
    ├── htmlPaser.test.js
    ├── substitution.test.js
    └── xss.test.js


/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules
2 | .DS_Store
3 | coverage
4 | sauce_connect.log
5 | .env


--------------------------------------------------------------------------------
/.jshintrc:
--------------------------------------------------------------------------------
 1 | {
 2 |     "bitwise"       : false,    // Prohibit bitwise operators (&, |, ^, etc.).
 3 |     "curly"         : true,     // Require {} for every new block or scope.
 4 |     "eqeqeq"        : true,     // Require triple equals i.e. `===`.
 5 |     "forin"         : true,     // Tolerate `for in` loops without `hasOwnPrototype`.
 6 |     "immed"         : true,     // Require immediate invocations to be wrapped in parens e.g. `( function(){}() );`
 7 |     "latedef"       : false,    // Prohibit variable use before definition.
 8 |     "newcap"        : true,     // Require capitalization of all constructor functions e.g. `new F()`.
 9 |     "noarg"         : true,     // Prohibit use of `arguments.caller` and `arguments.callee`.
10 |     "noempty"       : true,     // Prohibit use of empty blocks.
11 |     "nonew"         : true,     // Prohibit use of constructors for side-effects.
12 |     "plusplus"      : false,    // Prohibit use of `++` & `--`.
13 |     "regexp"        : true,     // Prohibit `.` and `[^...]` in regular expressions.
14 |     "undef"         : false,    // Require all non-global variables be declared before they are used.
15 |     "strict"        : true,     // Require `use strict` pragma in every file.
16 |     "trailing"      : true,     // Prohibit trailing whitespaces.
17 |     "browser"       : true,     // Standard browser globals e.g. `window`, `document`.
18 |     "boss"          : true ,    // Suppress warnings about assignments in comparisons
19 |     "esversion"     : 6         // Use ECMAScript 6 specific syntax
20 | }


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | language: node_js
 2 | node_js:
 3 |   - "4.0"
 4 | addons:
 5 |   firefox: "42.0"
 6 | before_script:
 7 |   - "export DISPLAY=:99.0"
 8 |   - "sh -e /etc/init.d/xvfb start"
 9 |   - sleep 3 # give xvfb some time to start
10 | after_script: "cat ./coverage/lcov.info | ./node_modules/coveralls/bin/coveralls.js"


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | [![Build Status](https://travis-ci.org/straker/html-tagged-template.svg?branch=master)](https://travis-ci.org/straker/html-tagged-template)
  2 | [![Coverage Status](https://coveralls.io/repos/github/straker/html-tagged-template/badge.svg?branch=master)](https://coveralls.io/github/straker/html-tagged-template?branch=master)
  3 | 
  4 | # Proposal
  5 | 
  6 | Improve the DOM creation API so developers have a cleaner, simpler interface to DOM creation and manipulation.
  7 | 
  8 | ## Installing
  9 | 
 10 | `npm install html-tagged-template`
 11 | 
 12 | or with Bower
 13 | 
 14 | `bower install html-tagged-template`
 15 | 
 16 | ## Usage
 17 | 
 18 | ```js
 19 | let min = 0, max = 99, disabled = true;
 20 | 
 21 | // returns an <input> tag with all attributes set
 22 | // the use of ?= denotes an optional attribute which will only be added if the
 23 | // value is true
 24 | let el = html`<input type="number" min="${min}" max="${max}" name="number" id="number" class="number-input" disabled?="${disabled}"/>`;
 25 | document.body.appendChild(el);
 26 | 
 27 | // returns a DocumentFragment with two <tr> elements as children
 28 | let el = html`<tr></tr><tr></tr>`
 29 | document.body.appendChild(el);
 30 | ```
 31 | 
 32 | ### Optional Attributes
 33 | 
 34 | To add an attribute only when it's value is true (such as `disabled`), use `attrName?="${value}"`. If the value is true, the attribute will be added in the output, otherwise it will be omitted from the output.
 35 | 
 36 | ## Contributing
 37 | 
 38 | The only way this proposal will continue forward is with help from the community. If you would like to see the `html` function in the web, please upvote the [proposal on the W3C DOM repo](https://github.com/whatwg/dom/issues/150).
 39 | 
 40 | If you find a bug or an XSS case that should to be handled, please submit an issue, or even better a PR with the relevant code to reproduce the error in the [xss test](test/xss.test.js).
 41 | 
 42 | ## Problem Space
 43 | 
 44 | The DOM creation API is a bit cumbersome to work with. To create a single element with several attributes requires several lines of code that repeat the same thing. The DOM selection API has received needed features that allow developers to do most DOM manipulation without needing a library. However, the DOM creation API still leaves something to be desired which sways developers from using it.
 45 | 
 46 | Below are just a few examples of how DOM creation requires multiple lines of code to accomplish simple tasks and how developers tend to work around the API to gain access to a much simpler interface.
 47 | 
 48 | ```js
 49 | /*
 50 |   Create a single element with attributes:
 51 |   <input type="number" min="0" max="99" name="number" id="number" class="number-input" disabled/>
 52 | */
 53 | let input = document.createElement('input');
 54 | input.type = "number";
 55 | input.min = 0;
 56 | input.max = 99;
 57 | input.name = 'number';
 58 | input.id = 'number';
 59 | input.classList.add('number-input');
 60 | input.disabled = true;
 61 | document.body.appendChild(input);
 62 | 
 63 | // or the hacky way - create a throwaway parent node just to use innerHTML
 64 | let div = document.createElement('div');
 65 | div.innerHTML = '<input type="number" min="0" max="99" name="number" id="number" class="number-input" disabled/>';
 66 | document.body.appendChild(div.firstChild);
 67 | 
 68 | 
 69 | /*
 70 |    Create an element with child elements:
 71 |    <div class="container">
 72 |      <div class="row">
 73 |        <div class="col">
 74 |          <div>Hello</div>
 75 |        </div>
 76 |      </div>
 77 |    </div>
 78 |  */
 79 | // use document fragment to batch appendChild calls for good performance
 80 | let frag = document.createDocumentFragment();
 81 | let div = document.createElement('div');
 82 | div.classList.add('container');
 83 | frag.appendChild(div);
 84 | 
 85 | let row = document.createElement('div');
 86 | row.classList.add('row');
 87 | div.appendChild(row);
 88 | 
 89 | let col = document.createElement('div');
 90 | col.classList.add('col');
 91 | row.appendChild(col);
 92 | 
 93 | let child = document.createElement('div');
 94 | child.appendChild(document.createTextNode('Hello'));  // or child.textContext = 'Hello';
 95 | col.appendChild(child);
 96 | document.body.appendChild(frag);
 97 | 
 98 | // or the convenient way using innerHTML
 99 | let div = document.createElement('div');
100 | div.classList.add('container');
101 | div.innerHTML = '<div class="row"><div class="col"><div>Hello</div></div></div>';
102 | document.body.appendChild(div);
103 | 
104 | 
105 | /*
106 |    Create sibling elements to be added to a parent element:
107 |    <!-- before -->
108 |    <ul id="list">
109 |      <li>Car</li>
110 |    </ul>
111 | 
112 |    <!-- after -->
113 |    <ul id="list">
114 |      <li>Car</li>
115 |      <li>Plane</li>
116 |      <li>Boat</li>
117 |      <li>Bike</li>
118 |    </ul>
119 |  */
120 | let frag = document.createDocumentFragment();
121 | let li = document.createElement('li');
122 | li.textContent = 'Plane';
123 | frag.appendChild(li);
124 | 
125 | li = document.createElement('li');
126 | li.textContent = 'Boat';
127 | frag.appendChild(li);
128 | 
129 | li = document.createElement('li');
130 | li.textContent = 'Bike';
131 | frag.appendChild(li);
132 | document.querySelector('#list').appendChild(frag);
133 | 
134 | // or if you have the ability to create it through a loop
135 | let frag = document.createDocumentFragment();
136 | ['Plane', 'Boat', 'Bike'].forEach(function(item) {
137 |   let li = document.createElement('li');
138 |   li.textContent = item;
139 |   frag.appendChild(li);
140 | });
141 | document.querySelector('#list').appendChild(frag);
142 | ```
143 | 
144 | ## Proposed Solution
145 | 
146 | We propose that a global tagged template string function called `html` provide the interface to accept template strings as input and return the parsed DOM elements.
147 | 
148 | ```js
149 | let min = 0, max = 99, disabled = true, text = 'Hello';
150 | 
151 | // single element with attributes
152 | html`<input type="number" min="${min}" max="${max}" name="number" id="number" class="number-input" disabled?="${disabled}"/>`;
153 | 
154 | // single element with child elements
155 | html`<div class="container">
156 |   <div class="row">
157 |     <div class="col">
158 |       <div>${text}</div>
159 |     </div>
160 |   </div>
161 | </div>`;
162 | 
163 | // sibling elements
164 | html`<li>Plane</li>
165 |      <li>Boat</li>
166 |      <li>Bike</li>`;
167 | ```
168 | 
169 | ## Goals
170 | 
171 | 1. [Easy to Use](#easy-to-use)
172 | 1. [Secure](#secure)
173 | 
174 | ### Easy to Use
175 | 
176 | This proposal wouldn't exist if creating the DOM was easy. Any improvement to the DOM creation API would essentially need to replace `innerHTML` with something better and just as easy (if not easier), otherwise developers will continue to use it to work around the API.
177 | 
178 | #### Proposed Solution
179 | 
180 | To solve this problem, we propose a new API that will allow developers to create single, sibling, or nested child nodes with a single function call. With the addition of template strings to ECMAScript 2015, [we and others](https://lists.w3.org/Archives/Public/www-dom/2011OctDec/0170.html) feel that they are the cleanest, simplest, and most intuitive interface for DOM creation.
181 | 
182 | ECMAScript 2015 also introduced [tagged template strings](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/template_strings#Tagged_template_strings) which would allow a function to accept a template string as input and return DOM. Tagged template strings also have the advantage that they can understand where variables were used in the string and be able to apply security measures to prevent XSS.
183 | 
184 | #### Other Solutions
185 | 
186 | ##### Object-like notation
187 | 
188 | Object-like notation applies object literals to DOM creation. Instead of using a string of HTML, object-like notation uses property names and values to construct a DOM object.
189 | 
190 | ```js
191 | createElement('input', {type: 'number', min: 0, max: 99, name: 'number', id: 'number', className: 'number-input', disabled: true, inside: document.body});
192 | ```
193 | 
194 | However, this solution suffers from a few problems. First, it tends to combine content attributes (HTML attributes such as `id` or `name`) with IDL attributes (JavaScript properties such as `textContent` or `className`) which can lead to developer confusion as they don't know which attribute to use or how. For example, `class` is a reserved word in JavaScript and couldn't be used as a property name, even though it is a content attribute, unless it was always quoted. It also tends to add helper attributes (such as `contents`) which add to the confusion.
195 | 
196 | Second, it adds verbosity and complexity to the creation of nested nodes that provide only a slightly better interface to DOM creation than the standard `createElement` and `appendChild` methods. Since developers already use `innerHTML` to avoid these methods, it would seem unlikely that they would give up the convenience of `innerHTML` for a something more complex and verbose.
197 | 
198 | ```js
199 | createElement('div', {className: 'container', inside: document.body, contents: [
200 |   {tag: 'div', className: 'row', contents: [
201 |     {tag: 'div', className: 'col', contents: [
202 |       {tag: 'div', contents: ['Hello']}
203 |     ]}
204 |   ]}
205 | ]});
206 | ```
207 | 
208 | ### Secure
209 | 
210 | XSS attacks via string concatenation are among the most prevalent types of security threats the web development world faces. Tagged template strings provide a unique opportunity to make creating DOM much more secure than string concatenation ever could. Tagged template strings know exactly where the user substitution expressions are located in the string, enabling us to apply preventative measures to help ensure the resulting DOM is safe from XSS attacks.
211 | 
212 | #### Proposed Solution
213 | 
214 | There have been two proposed solutions for making template strings secure against XSS: [E4H](http://www.hixie.ch/specs/e4h/strawman), championed by Ian Hixie, and [contextual auto escaping](https://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#security_under_maintenance), championed by Mike Samuel.
215 | 
216 | E4H uses an AST to construct the DOM, ensuring that substitutions are made safe against element and attribute injection. Contextual auto escaping tries to understand the context of the attribute or element in the DOM and correctly escape the substitution based on it's context.
217 | 
218 | We propose combining the best ideas from both E4H and contextual auto escaping and avoiding the problems that both encountered. First, the template string is sanitized by removing all substitution expressions (and all XSS attack vectors with them), while leaving placeholders in the resulting string that identify the substitution that belonged there. Next, the string is passed to an HTML `template` tag using `innerHTML`, which runs the string through the HTML parser and properly creates elements out of context (such as `<tr>` elements). Finally, all placeholders are identified and replaced with their substitution expression using the DOM APIs `createElement`, `createTextNode`, and `setAttribute`, and then using contextual auto escaping to prevent further XSS attack vectors.


--------------------------------------------------------------------------------
/bower.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "html-tagged-template",
 3 |   "description": "Proposal to improve the DOM creation API so developers have a cleaner, simpler interface to DOM creation and manipulation.",
 4 |   "keywords": [
 5 |     "proposal",
 6 |     "HTML",
 7 |     "DOM",
 8 |     "tagged",
 9 |     "template",
10 |     "string"
11 |   ],
12 |   "authors": [
13 |     "Steven Lambert <steven@sklambert.com> (http://sklambert.com/)",
14 |     "Josh Crowther <jshcrowthe@gmail.com>"
15 |   ],
16 |   "homepage": "https://github.com/straker/html-tagged-template",
17 |   "repository": {
18 |     "type": "git",
19 |     "url": "https://github.com/straker/html-tagged-template.git"
20 |   },
21 |   "main": [
22 |     "index.js",
23 |     "index.html"
24 |   ],
25 |   "moduleType": "globals",
26 |   "license": "MIT",
27 |   "ignore": [
28 |     "**/.*",
29 |     "node_modules",
30 |     "bower_components",
31 |     "test",
32 |     "tests"
33 |   ]
34 | }
35 | 


--------------------------------------------------------------------------------
/gulpfile.js:
--------------------------------------------------------------------------------
 1 | var gulp = require('gulp');
 2 | var jshint = require('gulp-jshint');
 3 | var Server = require('karma').Server;
 4 | var connect = require('gulp-connect');
 5 | 
 6 | gulp.task('lint', function() {
 7 |   return gulp.src('index.js')
 8 |     .pipe(jshint())
 9 |     .pipe(jshint.reporter('jshint-stylish'))
10 | });
11 | 
12 | gulp.task('test', function(done) {
13 |   new Server({
14 |     configFile: __dirname + '/karma.conf.js',
15 |   }, done).start();
16 | });
17 | 
18 | gulp.task('test-ci', function(done) {
19 |   new Server({
20 |     configFile: __dirname + '/karma.conf-ci.js',
21 |   }, done).start();
22 | });
23 | 
24 | gulp.task('connect', function() {
25 |   connect.server({
26 |     livereload: true
27 |   });
28 | });
29 | 
30 | gulp.task('watch', function() {
31 |   gulp.watch('index.js', ['lint']);
32 | });
33 | 
34 | gulp.task('default', ['lint', 'test', 'watch']);


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
1 | <script src="./index.js"></script>
2 | 


--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
  1 | (function(window) {
  2 | "use strict";
  3 | 
  4 | // test for es6 support of needed functionality
  5 | try {
  6 |   // template tag and Array.from support
  7 |   if (!('content' in document.createElement('template') && 'from' in Array)) {
  8 |     throw new Error();
  9 |   }
 10 | }
 11 | catch (e) {
 12 |   // missing support;
 13 |   console.log('Your browser does not support the needed functionality to use the html tagged template');
 14 |   return;
 15 | }
 16 | 
 17 | if (typeof window.html === 'undefined') {
 18 | 
 19 |   // --------------------------------------------------
 20 |   // constants
 21 |   // --------------------------------------------------
 22 | 
 23 |   const SUBSTITUTION_INDEX = 'substitutionindex:';  // tag names are always all lowercase
 24 |   const SUBSTITUTION_REGEX = new RegExp(SUBSTITUTION_INDEX + '([0-9]+):', 'g');
 25 | 
 26 |   // rejection string is used to replace xss attacks that cannot be escaped either
 27 |   // because the escaped string is still executable
 28 |   // (e.g. setTimeout(/* escaped string */)) or because it produces invalid results
 29 |   // (e.g. <h${xss}> where xss='><script>alert(1337)</script')
 30 |   // @see https://developers.google.com/closure/templates/docs/security#in_tags_and_attrs
 31 |   const REJECTION_STRING = 'zXssPreventedz';
 32 | 
 33 |   // which characters should be encoded in which contexts
 34 |   const ENCODINGS = {
 35 |     attribute: {
 36 |       '&': '&amp;',
 37 |       '<': '&lt;',
 38 |       '>': '&gt;'
 39 |     },
 40 |     uri: {
 41 |       '&': '&amp;'
 42 |     }
 43 |   };
 44 | 
 45 |   // which attributes are DOM Level 0 events
 46 |   // taken from https://en.wikipedia.org/wiki/DOM_events#DOM_Level_0
 47 |   const DOM_EVENTS = ["onclick", "ondblclick", "onmousedown", "onmouseup", "onmouseover", "onmousemove", "onmouseout", "ondragstart", "ondrag", "ondragenter", "ondragleave", "ondragover", "ondrop", "ondragend", "onkeydown", "onkeypress", "onkeyup", "onload", "onunload", "onabort", "onerror", "onresize", "onscroll", "onselect", "onchange", "onsubmit", "onreset", "onfocus", "onblur", "onpointerdown", "onpointerup", "onpointercancel", "onpointermove", "onpointerover", "onpointerout", "onpointerenter", "onpointerleave", "ongotpointercapture", "onlostpointercapture", "oncut", "oncopy", "onpaste", "onbeforecut", "onbeforecopy", "onbeforepaste", "onafterupdate", "onbeforeupdate", "oncellchange", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "onerrorupdate", "onrowenter", "onrowexit", "onrowsdelete", "onrowinserted", "oncontextmenu", "ondrag", "ondragstart", "ondragenter", "ondragover", "ondragleave", "ondragend", "ondrop", "onselectstart", "help", "onbeforeunload", "onstop", "beforeeditfocus", "onstart", "onfinish", "onbounce", "onbeforeprint", "onafterprint", "onpropertychange", "onfilterchange", "onreadystatechange", "onlosecapture", "DOMMouseScroll", "ondragdrop", "ondragenter", "ondragexit", "ondraggesture", "ondragover", "onclose", "oncommand", "oninput", "DOMMenuItemActive", "DOMMenuItemInactive", "oncontextmenu", "onoverflow", "onoverflowchanged", "onunderflow", "onpopuphidden", "onpopuphiding", "onpopupshowing", "onpopupshown", "onbroadcast", "oncommandupdate"];
 48 | 
 49 |   // which attributes take URIs
 50 |   // taken from https://www.w3.org/TR/html4/index/attributes.html
 51 |   const URI_ATTRIBUTES = ["action", "background", "cite", "classid", "codebase", "data", "href", "longdesc", "profile", "src", "usemap"];
 52 | 
 53 |   const ENCODINGS_REGEX = {
 54 |     attribute: new RegExp('[' + Object.keys(ENCODINGS.attribute).join('') + ']', 'g'),
 55 |     uri: new RegExp('[' + Object.keys(ENCODINGS.uri).join('') + ']', 'g')
 56 |   };
 57 | 
 58 |   // find all attributes after the first whitespace (which would follow the tag
 59 |   // name. Only used when the DOM has been clobbered to still parse attributes
 60 |   const ATTRIBUTE_PARSER_REGEX = /\s([^">=\s]+)(?:="[^"]+")?/g;
 61 | 
 62 |   // test if a javascript substitution is wrapped with quotes
 63 |   const WRAPPED_WITH_QUOTES_REGEX = /^('|")[\s\S]*\1$/;
 64 | 
 65 |   // allow custom attribute names that start or end with url or ui to do uri escaping
 66 |   // @see https://developers.google.com/closure/templates/docs/security#in_urls
 67 |   const CUSTOM_URI_ATTRIBUTES_REGEX = /\bur[il]|ur[il]s?$/i;
 68 | 
 69 | 
 70 | 
 71 | 
 72 | 
 73 |   // --------------------------------------------------
 74 |   // private functions
 75 |   // --------------------------------------------------
 76 | 
 77 |   /**
 78 |    * Escape HTML entities in an attribute.
 79 |    * @private
 80 |    *
 81 |    * @param {string} str - String to escape.
 82 |    *
 83 |    * @returns {string}
 84 |    */
 85 |   function encodeAttributeHTMLEntities(str) {
 86 |     return str.replace(ENCODINGS_REGEX.attribute, function(match) {
 87 |       return ENCODINGS.attribute[match];
 88 |     });
 89 |   }
 90 | 
 91 |   /**
 92 |    * Escape entities in a URI.
 93 |    * @private
 94 |    *
 95 |    * @param {string} str - URI to escape.
 96 |    *
 97 |    * @returns {string}
 98 |    */
 99 |   function encodeURIEntities(str) {
100 |     return str.replace(ENCODINGS_REGEX.uri, function(match) {
101 |       return ENCODINGS.uri[match];
102 |     });
103 |   }
104 | 
105 | 
106 | 
107 | 
108 | 
109 |   // --------------------------------------------------
110 |   // html tagged template function
111 |   // --------------------------------------------------
112 | 
113 |   /**
114 |    * Safely convert a DOM string into DOM nodes using by using E4H and contextual
115 |    * auto-escaping techniques to prevent xss attacks.
116 |    *
117 |    * @param {string[]} strings - Safe string literals.
118 |    * @param {*} values - Unsafe substitution expressions.
119 |    *
120 |    * @returns {HTMLElement|DocumentFragment}
121 |    */
122 |   window.html = function(strings, ...values) {
123 |     // break early if called with empty content
124 |     if (!strings[0] && values.length === 0) {
125 |       return;
126 |     }
127 | 
128 |     /**
129 |      * Replace a string with substitution placeholders with its substitution values.
130 |      * @private
131 |      *
132 |      * @param {string} match - Matched substitution placeholder.
133 |      * @param {string} index - Substitution placeholder index.
134 |      */
135 |     function replaceSubstitution(match, index) {
136 |       return values[parseInt(index, 10)];
137 |     }
138 | 
139 |     // insert placeholders into the generated string so we can run it through the
140 |     // HTML parser without any malicious content.
141 |     // (this particular placeholder will even work when used to create a DOM element)
142 |     let str = strings[0];
143 |     for (let i = 0; i < values.length; i++) {
144 |       str += SUBSTITUTION_INDEX + i + ':' + strings[i+1];
145 |     }
146 | 
147 |     // template tags allow any HTML (even <tr> elements out of context)
148 |     // @see https://developer.mozilla.org/en-US/docs/Web/HTML/Element/template
149 |     let template = document.createElement('template');
150 |     template.innerHTML = str;
151 | 
152 |     // find all substitution values and safely encode them using DOM APIs and
153 |     // contextual auto-escaping
154 |     let walker = document.createNodeIterator(template.content, NodeFilter.SHOW_ALL);
155 |     let node;
156 |     while (node = walker.nextNode()) {
157 |       let tag = null;
158 |       let attributesToRemove = [];
159 | 
160 | 
161 | 
162 | 
163 | 
164 |       // --------------------------------------------------
165 |       // node name substitution
166 |       // --------------------------------------------------
167 | 
168 |       let nodeName = node.nodeName.toLowerCase();
169 |       if (nodeName.indexOf(SUBSTITUTION_INDEX) !== -1) {
170 |         nodeName = nodeName.replace(SUBSTITUTION_REGEX, replaceSubstitution);
171 | 
172 |         // createElement() should not need to be escaped to prevent XSS?
173 | 
174 |         // this will throw an error if the tag name is invalid (e.g. xss tried
175 |         // to escape out of the tag using '><script>alert(1337)</script><')
176 |         // instead of replacing the tag name we'll just let the error be thrown
177 |         tag = document.createElement(nodeName);
178 | 
179 |         // mark that this node needs to be cleaned up later with the newly
180 |         // created node
181 |         node._replacedWith = tag;
182 | 
183 |         // use insertBefore() instead of replaceChild() so that the node Iterator
184 |         // doesn't think the new tag should be the next node
185 |         node.parentNode.insertBefore(tag, node);
186 |       }
187 | 
188 |       // special case for script tags:
189 |       // using innerHTML with a string that contains a script tag causes the script
190 |       // tag to not be executed when added to the DOM. We'll need to create a script
191 |       // tag and append its contents which will make it execute correctly.
192 |       // @see http://stackoverflow.com/questions/1197575/can-scripts-be-inserted-with-innerhtml
193 |       else if (node.nodeName === 'SCRIPT') {
194 |         let script = document.createElement('script');
195 |         tag = script;
196 | 
197 |         node._replacedWith = script;
198 |         node.parentNode.insertBefore(script, node);
199 |       }
200 | 
201 | 
202 | 
203 | 
204 | 
205 |       // --------------------------------------------------
206 |       // attribute substitution
207 |       // --------------------------------------------------
208 | 
209 |       let attributes;
210 |       if (node.attributes) {
211 | 
212 |         // if the attributes property is not of type NamedNodeMap then the DOM
213 |         // has been clobbered. E.g. <form><input name="attributes"></form>.
214 |         // We'll manually build up an array of objects that mimic the Attr
215 |         // object so the loop will still work as expected.
216 |         if ( !(node.attributes instanceof NamedNodeMap) ) {
217 | 
218 |           // first clone the node so we can isolate it from any children
219 |           let temp = node.cloneNode();
220 | 
221 |           // parse the node string for all attributes
222 |           let attributeMatches = temp.outerHTML.match(ATTRIBUTE_PARSER_REGEX);
223 | 
224 |           // get all attribute names and their value
225 |           attributes = [];
226 |           for (let i = 0; i < attributeMatches.length; i++) {
227 |             let attributeName = attributeMatches[i].trim().split('=')[0];
228 |             let attributeValue = node.getAttribute(attributeName);
229 | 
230 |             attributes.push({
231 |               name: attributeName,
232 |               value: attributeValue
233 |             });
234 |           }
235 |         }
236 |         else {
237 |           // Windows 10 Firefox 44 will shift the attributes NamedNodeMap and
238 |           // push the attribute to the end when using setAttribute(). We'll have
239 |           // to clone the NamedNodeMap so the order isn't changed for setAttribute()
240 |           attributes = Array.from(node.attributes);
241 |         }
242 | 
243 |         for (let i = 0; i < attributes.length; i++) {
244 |           let attribute = attributes[i];
245 |           let name = attribute.name;
246 |           let value = attribute.value;
247 |           let hasSubstitution = false;
248 | 
249 |           // name has substitution
250 |           if (name.indexOf(SUBSTITUTION_INDEX) !== -1) {
251 |             name = name.replace(SUBSTITUTION_REGEX, replaceSubstitution);
252 | 
253 |             // ensure substitution was with a non-empty string
254 |             if (name && typeof name === 'string') {
255 |               hasSubstitution = true;
256 |             }
257 | 
258 |             // remove old attribute
259 |             attributesToRemove.push(attribute.name);
260 |           }
261 | 
262 |           // value has substitution - only check if name exists (only happens
263 |           // when name is a substitution with an empty value)
264 |           if (name && value.indexOf(SUBSTITUTION_INDEX) !== -1) {
265 |             hasSubstitution = true;
266 | 
267 |             // if an uri attribute has been rejected
268 |             let isRejected = false;
269 | 
270 |             value = value.replace(SUBSTITUTION_REGEX, function(match, index, offset) {
271 |               if (isRejected) {
272 |                 return '';
273 |               }
274 | 
275 |               let substitutionValue = values[parseInt(index, 10)];
276 | 
277 |               // contextual auto-escaping:
278 |               // if attribute is a DOM Level 0 event then we need to ensure it
279 |               // is quoted
280 |               if (DOM_EVENTS.indexOf(name) !== -1 &&
281 |                   typeof substitutionValue === 'string' &&
282 |                   !WRAPPED_WITH_QUOTES_REGEX.test(substitutionValue) ) {
283 |                 substitutionValue = '"' + substitutionValue + '"';
284 |               }
285 | 
286 |               // contextual auto-escaping:
287 |               // if the attribute is a uri attribute then we need to uri encode it and
288 |               // remove bad protocols
289 |               else if (URI_ATTRIBUTES.indexOf(name) !== -1 ||
290 |                   CUSTOM_URI_ATTRIBUTES_REGEX.test(name)) {
291 | 
292 |                 // percent encode if the value is inside of a query parameter
293 |                 let queryParamIndex = value.indexOf('=');
294 |                 if (queryParamIndex !== -1 && offset > queryParamIndex) {
295 |                   substitutionValue = encodeURIComponent(substitutionValue);
296 |                 }
297 | 
298 |                 // entity encode if value is part of the URL
299 |                 else {
300 |                   substitutionValue = encodeURI( encodeURIEntities(substitutionValue) );
301 | 
302 |                   // only allow the : when used after http or https otherwise reject
303 |                   // the entire url (will not allow any 'javascript:' or filter
304 |                   // evasion techniques)
305 |                   if (offset === 0 && substitutionValue.indexOf(':') !== -1) {
306 |                     let protocol = substitutionValue.substring(0, 5);
307 |                     if (protocol.indexOf('http') === -1) {
308 |                       isRejected = true;
309 |                     }
310 |                   }
311 |                 }
312 |               }
313 | 
314 |               // contextual auto-escaping:
315 |               // HTML encode attribute value if it is not a URL or URI to prevent
316 |               // DOM Level 0 event handlers from executing xss code
317 |               else if (typeof substitutionValue === 'string') {
318 |                 substitutionValue = encodeAttributeHTMLEntities(substitutionValue);
319 |               }
320 | 
321 |               return substitutionValue;
322 |             });
323 | 
324 |             if (isRejected) {
325 |               value = '#' + REJECTION_STRING;
326 |             }
327 |           }
328 | 
329 |           // add the attribute to the new tag or replace it on the current node
330 |           // setAttribute() does not need to be escaped to prevent XSS since it does
331 |           // all of that for us
332 |           // @see https://www.mediawiki.org/wiki/DOM-based_XSS
333 |           if (tag || hasSubstitution) {
334 |             let el = (tag || node);
335 | 
336 |             // optional attribute
337 |             if (name.substr(-1) === '?') {
338 |               el.removeAttribute(name);
339 | 
340 |               if (value === 'true') {
341 |                 name = name.slice(0, -1);
342 |                 el.setAttribute(name, '');
343 |               }
344 |             }
345 |             else {
346 |               el.setAttribute(name, value);
347 |             }
348 |           }
349 |         }
350 |       }
351 | 
352 |       // remove placeholder attributes outside of the attribute loop since it
353 |       // will modify the attributes NamedNodeMap indices.
354 |       // @see https://github.com/straker/html-tagged-template/issues/13
355 |       attributesToRemove.forEach(function(attribute) {
356 |         node.removeAttribute(attribute);
357 |       });
358 | 
359 |       // append the current node to a replaced parent
360 |       let parentNode;
361 |       if (node.parentNode && node.parentNode._replacedWith) {
362 |         parentNode = node.parentNode;
363 |         node.parentNode._replacedWith.appendChild(node);
364 |       }
365 | 
366 |       // remove the old node from the DOM
367 |       if ((node._replacedWith && node.childNodes.length === 0) ||
368 |           (parentNode && parentNode.childNodes.length === 0) ){
369 |         (parentNode || node).remove();
370 |       }
371 | 
372 | 
373 | 
374 | 
375 | 
376 |       // --------------------------------------------------
377 |       // text content substitution
378 |       // --------------------------------------------------
379 | 
380 |       if (node.nodeType === 3 && node.nodeValue.indexOf(SUBSTITUTION_INDEX) !== -1) {
381 |         let nodeValue = node.nodeValue.replace(SUBSTITUTION_REGEX, replaceSubstitution);
382 | 
383 |         // createTextNode() should not need to be escaped to prevent XSS?
384 |         let text = document.createTextNode(nodeValue);
385 | 
386 |         // since the parent node has already gone through the iterator, we can use
387 |         // replaceChild() here
388 |         node.parentNode.replaceChild(text, node);
389 |       }
390 |     }
391 | 
392 |     // return the documentFragment for multiple nodes
393 |     if (template.content.childNodes.length > 1) {
394 |       return template.content;
395 |     }
396 | 
397 |     return template.content.firstChild;
398 |   };
399 | }
400 | 
401 | })(window);
402 | 


--------------------------------------------------------------------------------
/karma.conf-ci.js:
--------------------------------------------------------------------------------
 1 | module.exports = function (config) {
 2 |   try {
 3 |     require('dotenv').config();
 4 |   } catch(e) {
 5 | 
 6 |   }
 7 | 
 8 |   if (!process.env.SAUCE_USERNAME || !process.env.SAUCE_ACCESS_KEY) {
 9 |     console.log('Make sure the SAUCE_USERNAME and SAUCE_ACCESS_KEY environment variables are set.')
10 |     process.exit(1)
11 |   }
12 | 
13 |   // Browsers to run on Sauce Labs
14 |   // Check out https://saucelabs.com/platforms for all browser/OS combos
15 |   var customLaunchers = {
16 |     OSX_Chrome: {
17 |       base: 'SauceLabs',
18 |       platform: 'OS X 10.11',
19 |       browserName: 'chrome',
20 |     },
21 |     OSX_Firefox: {
22 |       base: 'SauceLabs',
23 |       platform: 'OS X 10.11',
24 |       browserName: 'firefox'
25 |     },
26 |     Windows_Chrome: {
27 |       base: 'SauceLabs',
28 |       platform: 'Windows 10',
29 |       browserName: 'chrome',
30 |     },
31 |     Windows_Edge: {
32 |       base: 'SauceLabs',
33 |       platform: 'Windows 10',
34 |       browserName: 'MicrosoftEdge'
35 |     }
36 |   }
37 | 
38 |   config.set({
39 |     basePath: '',
40 |     frameworks: ['mocha', 'chai'],
41 |     files: [
42 |       'index.js',
43 |       'test/*.js'
44 |     ],
45 |     reporters: ['progress', 'saucelabs', 'coverage'],
46 |     preprocessors: {
47 |       'index.js': ['coverage']
48 |     },
49 |     coverageReporter: {
50 |       dir : 'coverage/',
51 |       reporters: [
52 |         {type: 'lcov', subdir: '.'},
53 |         {type: 'text-summary'}
54 |       ]
55 |     },
56 |     port: 9876,
57 |     colors: true,
58 |     logLevel: config.LOG_DEBUG,
59 |     sauceLabs: {
60 |       testName: 'http-tagged-template Test Suite',
61 |       recordScreenshots: false,
62 |       connectOptions: {
63 |         port: 5757,
64 |         logfile: 'sauce_connect.log'
65 |       },
66 |       public: 'public'
67 |     },
68 |     // Increase timeout in case connection in CI is slow
69 |     captureTimeout: 120000,
70 |     customLaunchers: customLaunchers,
71 |     browsers: Object.keys(customLaunchers),
72 |     singleRun: true
73 |   })
74 | }


--------------------------------------------------------------------------------
/karma.conf.js:
--------------------------------------------------------------------------------
 1 | // Karma configuration
 2 | module.exports = function(config) {
 3 |   config.set({
 4 |     basePath: '',
 5 |     frameworks: ['mocha', 'chai'],
 6 |     files: [
 7 |       'index.js',
 8 |       'test/*.js'
 9 |     ],
10 |     browsers: ['Chrome', 'Firefox', 'Safari'],
11 |     reporters: ['progress', 'coverage'],
12 |     preprocessors: {
13 |       'index.js': ['coverage']
14 |     },
15 |     coverageReporter: {
16 |       dir : 'coverage/',
17 |       reporters: [
18 |         {type: 'lcov', subdir: '.'},
19 |         {type: 'text-summary'}
20 |       ]
21 |     }
22 |   });
23 | };
24 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "html-tagged-template",
 3 |   "description": "Proposal to improve the DOM creation API so developers have a cleaner, simpler interface to DOM creation and manipulation.",
 4 |   "version": "2.2.0",
 5 |   "main": "index.js",
 6 |   "scripts": {
 7 |     "test": "gulp test-ci"
 8 |   },
 9 |   "repository": {
10 |     "type": "git",
11 |     "url": "https://github.com/straker/html-tagged-template.git"
12 |   },
13 |   "keywords": [
14 |     "proposal",
15 |     "HTML",
16 |     "DOM",
17 |     "tagged",
18 |     "template",
19 |     "string"
20 |   ],
21 |   "author": "Steven Lambert <steven@sklambert.com> (http://sklambert.com/)",
22 |   "contributors": [
23 |     "Josh Crowther <jshcrowthe@gmail.com>"
24 |   ],
25 |   "license": "MIT",
26 |   "bugs": {
27 |     "url": "https://github.com/straker/html-tagged-template/issues"
28 |   },
29 |   "homepage": "https://github.com/straker/html-tagged-template",
30 |   "dependencies": {},
31 |   "devDependencies": {
32 |     "chai": "^3.5.0",
33 |     "coveralls": "^2.11.6",
34 |     "dotenv": "^2.0.0",
35 |     "gulp": "^3.9.1",
36 |     "gulp-connect": "^2.3.1",
37 |     "gulp-jshint": "^2.0.0",
38 |     "gulp-mocha": "^2.2.0",
39 |     "jshint": "^2.9.1",
40 |     "jshint-stylish": "^2.1.0",
41 |     "karma": "^0.13.21",
42 |     "karma-chai": "^0.1.0",
43 |     "karma-chrome-launcher": "^0.2.2",
44 |     "karma-coverage": "^0.5.3",
45 |     "karma-firefox-launcher": "^0.1.7",
46 |     "karma-ie-launcher": "^0.2.0",
47 |     "karma-mocha": "^0.2.1",
48 |     "karma-safari-launcher": "^0.1.1",
49 |     "karma-sauce-launcher": "^0.3.0",
50 |     "mocha": "^2.4.5"
51 |   }
52 | }
53 | 


--------------------------------------------------------------------------------
/page/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | <head>
 4 |   <title></title>
 5 |   <script src="../index.js"></script>
 6 | </head>
 7 | <body>
 8 | <script>
 9 | var min = 0, max = 99, disabled = true, heading = 1;
10 | 
11 | // single node
12 | document.body.appendChild(html`<input type="number" min="${min}" max="${max}" name="number" id="number" class="number-input" ${ (disabled ? 'disabled' : '') }/>`);
13 | 
14 | // single node with children
15 | document.body.appendChild(html`<div class="container"><div class="row"><div class="col"><h${heading}><span>Hi</span></h${heading}></div></div></div>`);
16 | 
17 | // sibling nodes
18 | document.body.appendChild(html`<tr><td><span>foo</span></td></tr><tr><td><span>bar</span></td></tr>`);
19 | </script>
20 | 
21 | <!-- xss attack -->
22 | <script src="xss.js"></script>
23 | 
24 | </body>
25 | </html>


--------------------------------------------------------------------------------
/page/xss.js:
--------------------------------------------------------------------------------
 1 | // @see https://developers.google.com/closure/templates/docs/security
 2 | var xss = "javascript:/*</style></script>/**/ /<script>1/(alert(1337))//</script>";
 3 | document.body.appendChild(html`<a href="${xss}"
 4 |    onclick="${xss}"
 5 |    >${xss}</a>
 6 |   <script>var x = '${xss}'</script>
 7 |   <style>
 8 |     p {
 9 |       font-family: "${xss}";
10 |       background: url(/images?q=${xss});
11 |       left: ${xss}
12 |     }
13 |   </style>`);


--------------------------------------------------------------------------------
/references.md:
--------------------------------------------------------------------------------
 1 | * don't run template through HTML parser - https://lists.w3.org/Archives/Public/www-dom/2011OctDec/0170.html
 2 | * should properly create nodes that don't have context (e.g. `<td>foo</td>`) - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0263.html
 3 | * safe inject with `<div {foo}>` or `<div></{foo}>` - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0268.html
 4 | * should be able to create tag names such as `<h{...}>` - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0276.html
 5 | * untrusted input gets added to DOM as text nodes (prevents XSS by making the XSS code benign) - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0207.html
 6 | * handle XSS via CSS, URIs, and scripts - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0269.html
 7 |     ```js
 8 |     var data = "javascript:doEvil()";
 9 |     `<a href="${data}">Hello, World!</a>`
10 | 
11 |     var data = "expression(doEvil())";
12 |     `<style>color: {data}</style>`
13 | 
14 |     `<style>var s = "{data}", re = /{data}/, x = {data};</style>`
15 |     ```
16 | * E4H goals - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0278.html
17 | * examples of XSS riddled code where auto-escaping could fail - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0286.html
18 | * add quotes around unquoted attributes? - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0289.html
19 | * set an attribute value with having to account for whether or not the passed value included " or ' or whitespace (in case it's unquoted) -https://github.com/whatwg/dom/issues/150#issuecomment-182251393
20 | * HTML parser corner cases that produce unexpected results - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0290.html
21 | * `<example example='${...}'>` what ever `${...}` expands to should stay withing the `example` attribute value and not create more attributes or DOM (XSS) - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0281.html
22 | * E4H is safe against element/attribute injection but not truly safe against all XSS, `<a href="{x}">...</a>` `${x}` is still vulnerable to javascript injection - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0283.html
23 | * auto-escape corner cases and problems - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0318.html
24 | * E4H implementation - https://lists.w3.org/Archives/Public/public-script-coord/2013JanMar/0297.html
25 | * an AST implementation (such as E4H) would have to recreate an HTML parser to fully understand how incomplete tags are handled and their output such that `<b>A <span style="color:blue">B</b> C</span>` outputs `<b>A <span style="color:blue">B</span></b><span style="color:blue"> C</span>` (this may have been true in 2008, but in 2016 chrome produces `<b>A <span style="color:blue">B</span></b> C` which again, means trying to mimic an HTML parsers output would be constantly changing and difficult) - http://google-caja.googlecode.com/svn-history/r528/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/NOT-FOR-TRUNK/interp/index.html
26 | * description of context-aware auto-escape - https://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#security_under_maintenance
27 |     - https://developers.google.com/closure/templates/docs/security#in_urls
28 |     - https://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html


--------------------------------------------------------------------------------
/securitySpec.md:
--------------------------------------------------------------------------------
  1 | # Preventative XSS measures
  2 | 
  3 | ## XSS Prevention Rules Summary
  4 | 
  5 | | Data Type | Context | Code Sample | Defense |
  6 | | --------- | ------- | ----------- | ------- |
  7 | | String | HTML Body |  <pre lang="html">`<span>UNTRUSTED DATA</span>`</pre> | HTML Entity Encoding |
  8 | | String | Safe HTML Attributes | <pre lang="html">`<input type="text" name="fname" value="UNTRUSTED DATA">`</pre> | <ul><li>Aggressive HTML Entity Encoding</li><li>Only place untrusted data into a whitelist of safe attributes (listed below).</li><li>Strictly validate unsafe attributes such as background, id and name.</li></ul> |
  9 | | String | GET Parameter |  <pre lang="html">`<a href="/site/search?value=UNTRUSTED DATA">clickme</a>`</pre> | URL Encoding |
 10 | | String | Untrusted URL in a SRC or HREF attribute | <pre lang="html">`<a href="UNTRUSTED URL">clickme</a>`</pre><pre lang="html">`<iframe src="UNTRUSTED URL" />` | <ul><li>Canonicalize input</li><li>URL Validation</li><li>Safe URL verification</li><li>Whitelist http and https URL's only (Avoid the JavaScript Protocol to Open a new Window)</li><li>Attribute encoder</li></ul> |
 11 | | String | CSS Value | <pre lang="html">`<div style="width: UNTRUSTED DATA;">Selection</div>` | <ul><li>Strict structural validation</li><li>CSS Hex encoding</li><li>Good design of CSS Features |
 12 | | String | JavaScript Variable | <pre lang="html">`<script>var currentValue='UNTRUSTED DATA';</script>`</pre><pre lang="html">`<script>someFunction('UNTRUSTED DATA');</script>` | <ul><li>Ensure JavaScript variables are quoted</li><li>JavaScript Hex Encoding</li><li>JavaScript Unicode Encoding</li><li>Avoid backslash encoding (\" or \' or \\)</li></ul> |
 13 | | HTML | HTML Body | <pre lang="html">`<div>UNTRUSTED HTML</div>`</pre> | HTML Validation (JSoup, AntiSamy, HTML Sanitizer) |
 14 | | String | DOM XSS | <pre lang="html">`<script>document.write('UNTRUSTED INPUT');<script/>` | DOM based XSS Prevention Cheat Sheet |
 15 | 
 16 | ## Output Encoding Rules Summary
 17 | 
 18 | | Encoding Type | Encoding Mechanism |
 19 | | ------------- | ------------------ |
 20 | |HTML Entity Encoding | Convert & to `&amp;`<br>Convert < to `&lt;`<br>Convert > to `&gt;`<br>Convert " to `&quot;`<br>Convert ' to `&#x27;`<br>Convert / to `&#x2F;`<br> |
 21 | | HTML Attribute Encoding | Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value) |
 22 | | URL Encoding | Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp. URL encoding should only be used to encode parameter values, not the entire URL or path fragments of a URL.
 23 | | JavaScript Encoding | Except for alphanumeric characters, escape all characters with the \uXXXX unicode escaping format (X = Integer). |
 24 | | CSS Hex Encoding | CSS escaping supports \XX and \XXXXXX. Using a two character escape can cause problems if the next character continues the escape sequence. There are two solutions (a) Add a space after the CSS escape (will be ignored by the CSS parser) (b) use the full amount of CSS escaping possible by zero padding the value. |
 25 | 
 26 | [Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
 27 | 
 28 | ## As Attribute Value
 29 | 
 30 | ```js
 31 | html`<div class="${className}">Text</div>`;
 32 | ```
 33 | 
 34 | - if class is not quoted, need to quote className
 35 | - className cannot contain unescaped quotes (prevent XSS from creating new attributes)
 36 | - className cannot contain an equals sign (prevent XSS from creating new attributes)
 37 | - className cannot contain angle brackets (<>) (prevent XSS from creating new tags)
 38 | - className cannot contain JavaScript (prevent XSS from executing js)
 39 | - Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute.
 40 | 
 41 | ### References
 42 | 
 43 | 1. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes
 44 | 
 45 | ## As Attribute Name
 46 | 
 47 | ```js
 48 | html`<div ${attr}="value">Text</div>`;
 49 | ```
 50 | 
 51 | - attr cannot contain whitespace (prevent XSS from creating new attributes)
 52 | - attr cannot contain unescaped quotes (prevent XSS from creating new attributes)
 53 | - attr cannot contain an equals sign (prevent XSS from creating new attributes)
 54 | - attr cannot contain angle brackets (<>) (prevent XSS from creating new tags)
 55 | - attr cannot contain JavaScript (prevent XSS from executing js)
 56 | - attr does not have to be a valid attribute name (any are valid, even without data-)
 57 | 
 58 | ## As Tag Name
 59 | 
 60 | ```js
 61 | html`<${tagName}>Text</${tagName}>`;
 62 | ```
 63 | 
 64 | - tagName cannot contain whitespace (prevent XSS from creating new attributes)
 65 | - tagName cannot contain unescaped quotes (prevent XSS from creating new attributes)
 66 | - tagName cannot contain an equals sign (prevent XSS from creating new attributes)
 67 | - tagName cannot contain angle brackets (<>) (prevent XSS from creating new tags)
 68 | - tagName cannot contain JavaScript (prevent XSS from executing js)
 69 | - tagName can contain : to define valid namespace (math, html, or svg), but none others
 70 | - tagName does not have to be a valid tag name (web components can define new ones)
 71 | 
 72 | ## As HTML Content
 73 | 
 74 | ```js
 75 | html`<div>${text}</div>`;
 76 | ```
 77 | 
 78 | - text cannot contain angle brackets (<>) (prevent XSS from creating new tags)
 79 | - text cannot contain JavaScript (prevent XSS from executing js)
 80 | - escape following entities:
 81 |   + & --> `&amp;`
 82 |   + < --> `&lt;`
 83 |   + > --> `&gt;`
 84 |   + " --> `&quot;`
 85 |   + ' --> `&#x27`
 86 |   + / --> `&#x2F`
 87 | - how would we allow valid HTML that is trusted?
 88 | 
 89 | ### References
 90 | 
 91 | 1. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
 92 | 
 93 | ## As JavaScript Content
 94 | 
 95 | ```js
 96 | html`<div onmouseover="x=${value}"></div>`;
 97 | html`<script>${code}</script>`;
 98 | ```
 99 | 
100 | - Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. DO NOT use any escaping shortcuts like \" because the quote character may be matched by the HTML attribute parser which runs first. These escaping shortcuts are also susceptible to "escape-the-escape" attacks where the attacker sends \" and the vulnerable code turns that into \\" which enables the quote.
101 | 
102 | ### References
103 | 
104 | 1. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values
105 | 
106 | ## As CSS Content
107 | 
108 | ```js
109 | html`<style>selector { property: ${value} }</style>`;
110 | ```
111 | 
112 | - Please note there are some CSS contexts that can never safely use untrusted data as input - EVEN IF PROPERLY CSS ESCAPED! You will have to ensure that URLs only start with "http" not "javascript" and that properties never start with "expression".
113 | - Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. DO NOT use any escaping shortcuts like \" because the quote character may be matched by the HTML attribute parser which runs first. These escaping shortcuts are also susceptible to "escape-the-escape" attacks where the attacker sends \" and the vulnerable code turns that into \\" which enables the quote.
114 | - If attribute is quoted, breaking out requires the corresponding quote. All attributes should be quoted but your encoding should be strong enough to prevent XSS when untrusted data is placed in unquoted contexts. Unquoted attributes can be broken out of with many characters including [space] % * + , - / ; < = > ^ and |. Also, the </style> tag will close the style block even though it is inside a quoted string because the HTML parser runs before the JavaScript parser. Please note that we recommend aggressive CSS encoding and validation to prevent XSS attacks for both quoted and unquoted attributes.
115 | 
116 | ### References
117 | 
118 | 1. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values
119 | 
120 | ## Mix
121 | 
122 | ```js
123 | html`<h${level} ${attr}=${value} ${var}>${text}</h${level}>`;
124 | ```
125 | 
126 | - ${attr}=${value} ${var} is difficult – was ${var} suppose to be part of ${attr} or it's own attribute?
127 |   - unless the attribute was quoted, any whitespace will be treated as a new attribute, so in the example above ${var} would be a new attribute
128 | 
129 | # References
130 | 
131 | 1. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
132 | 
133 | # Idea on how to combine E4H principles and contextual auto escaping
134 | 
135 | 1. replace all substitutions with placeholder values (their index in the array)
136 | 2. create DOM as normal using HTML parser (no chance for XSS since there is no user generated expression)
137 |   - will need to check for correct closing tags/attributes or something so the HTML parser doesn't freak out
138 | 3. with the DOM created, we can use setAttribute() for safely encoding attribute values (prevent attribution injection) and use contextual auto escaping to figure out the rest


--------------------------------------------------------------------------------
/test/htmlPaser.test.js:
--------------------------------------------------------------------------------
  1 | describe('HTML parser', function() {
  2 | 
  3 |   it('should return null for empty string', function() {
  4 |     var el = html``;
  5 | 
  6 |     expect(el).to.be.empty;
  7 |   });
  8 | 
  9 |   it('should create a text node', function() {
 10 |     var el = html`foobar`;
 11 | 
 12 |     // correct node
 13 |     expect(el.nodeType).to.equal(3);
 14 |     expect(el.nodeValue).to.equal('foobar');
 15 | 
 16 |     // no extraneous side-effects
 17 |     expect(el.parentElement).to.be.null;
 18 |   });
 19 | 
 20 |   it('should create a single node', function() {
 21 |     var el = html`<span></span>`;
 22 | 
 23 |     // correct node
 24 |     expect(el.nodeName).to.equal('SPAN');
 25 | 
 26 |     // no extraneous side-effects
 27 |     expect(el.attributes.length, 'more than 1 attribute').to.equal(0);
 28 |     expect(el.children.length, 'more than 1 child').to.equal(0);
 29 |     expect(el.parentElement).to.be.null;
 30 |     expect(el.textContent).to.be.empty;
 31 |   });
 32 | 
 33 |   it('should create a single node when no closing tag is provided', function() {
 34 |     var el = html`<span>`;
 35 | 
 36 |     // correct node
 37 |     expect(el.nodeName).to.equal('SPAN');
 38 | 
 39 |     // no extraneous side-effects
 40 |     expect(el.attributes.length, 'more than 1 attribute').to.equal(0);
 41 |     expect(el.children.length, 'more than 1 child').to.equal(0);
 42 |     expect(el.parentElement).to.be.null;
 43 |     expect(el.textContent).to.be.empty;
 44 |   });
 45 | 
 46 |   it('should create a single node with attributes', function() {
 47 |     var el = html`<input type="number" min="0" max="99" name="number" id="number" class="number-input" disabled />`;
 48 | 
 49 |     // correct node
 50 |     expect(el.nodeName).to.equal('INPUT');
 51 | 
 52 |     // correct attributes
 53 |     expect(el.attributes.length).to.equal(7);
 54 |     expect(el.type).to.equal('number');
 55 |     expect(el.min).to.equal('0');
 56 |     expect(el.max).to.equal('99');
 57 |     expect(el.name).to.equal('number');
 58 |     expect(el.id).to.equal('number');
 59 |     expect(el.className).to.equal('number-input');
 60 |     expect(el.disabled).to.equal(true);
 61 | 
 62 |     // no extraneous side-effects
 63 |     expect(el.children.length).to.equal(0);
 64 |     expect(el.parentElement).to.be.null;
 65 |     expect(el.textContent).to.be.empty;
 66 |   });
 67 | 
 68 |   it('should create a single node with children', function() {
 69 |     var el = html`<div class="container"><div class="row"><div class="col"><div>Hello</div></div></div></div>`;
 70 | 
 71 |     // correct container node
 72 |     expect(el.nodeName).to.equal('DIV');
 73 |     expect(el.attributes.length).to.equal(1);
 74 |     expect(el.className).to.equal('container');
 75 |     expect(el.children.length).to.equal(1);
 76 |     expect(el.parentElement).to.be.null;
 77 |     expect(el.textContent).to.equal('Hello');
 78 | 
 79 |     // correct row node
 80 |     var row = el.firstChild;
 81 |     expect(row.nodeName).to.equal('DIV');
 82 |     expect(row.attributes.length).to.equal(1);
 83 |     expect(row.className).to.equal('row');
 84 |     expect(row.children.length).to.equal(1);
 85 |     expect(row.parentElement).to.equal(el);
 86 |     expect(row.textContent).to.equal('Hello');
 87 | 
 88 |     // correct col node
 89 |     var col = row.firstChild;
 90 |     expect(col.nodeName).to.equal('DIV');
 91 |     expect(col.attributes.length).to.equal(1);
 92 |     expect(col.className).to.equal('col');
 93 |     expect(col.children.length).to.equal(1);
 94 |     expect(col.parentElement).to.equal(row);
 95 |     expect(col.textContent).to.equal('Hello');
 96 | 
 97 |     // correct leaf node
 98 |     var leaf = col.firstChild;
 99 |     expect(leaf.nodeName).to.equal('DIV');
100 |     expect(leaf.attributes.length).to.equal(0);
101 |     expect(leaf.children.length).to.equal(0);
102 |     expect(leaf.parentElement).to.equal(col);
103 |     expect(leaf.textContent).to.equal('Hello');
104 |   });
105 | 
106 |   it('should create sibling nodes', function() {
107 |     var nodes = html`<tr></tr><tr></tr>`;
108 | 
109 |     // correct node
110 |     expect(nodes).to.be.instanceof(DocumentFragment);
111 |     expect(nodes.childNodes.length).to.equal(2);
112 | 
113 |     // correct first child
114 |     var tr = nodes.querySelectorAll('tr')[0];
115 |     expect(tr.nodeName).to.equal('TR');
116 |     expect(tr.attributes.length, 'more than 1 attribute').to.equal(0);
117 |     expect(tr.children.length, 'more than 1 child').to.equal(0);
118 |     expect(tr.parentElement).to.be.null;
119 |     expect(tr.textContent).to.be.empty;
120 | 
121 |     // correct second child
122 |     var tr2 = nodes.querySelectorAll('tr')[1];
123 |     expect(tr2.nodeName).to.equal('TR');
124 |     expect(tr2.attributes.length, 'more than 1 attribute').to.equal(0);
125 |     expect(tr2.children.length, 'more than 1 child').to.equal(0);
126 |     expect(tr2.parentElement).to.be.null;
127 |     expect(tr2.textContent).to.be.empty;
128 |   });
129 | 
130 |   it('should execute a script tag', function() {
131 |     var el = html`<script>foo = "bar";</script>`;
132 |     document.body.appendChild(el);
133 | 
134 |     // correct node
135 |     expect(el.nodeName).to.equal('SCRIPT');
136 |     expect(el.attributes.length).to.equal(0);
137 |     expect(el.children.length).to.equal(0);
138 |     expect(el.textContent).to.equal('foo = "bar";');
139 | 
140 |     // script was executed
141 |     expect(foo).to.equal('bar');
142 |   });
143 | });


--------------------------------------------------------------------------------
/test/substitution.test.js:
--------------------------------------------------------------------------------
  1 | describe('Substitution expressions', function() {
  2 |   var min = 0, max = 99, disabled = true, heading = 1, tag = 'span';
  3 | 
  4 |   it('should create a text node from a variable', function() {
  5 |     var el = html`${tag}`;
  6 | 
  7 |     // correct node
  8 |     expect(el.nodeType).to.equal(3);
  9 |     expect(el.nodeValue).to.equal('span');
 10 | 
 11 |     // no extraneous side-effects
 12 |     expect(el.parentElement).to.be.null;
 13 |   });
 14 | 
 15 |   it('should create a node from a variable', function() {
 16 |     var el = html`<${tag}></${tag}>`;
 17 | 
 18 |     // correct node
 19 |     expect(el.nodeName).to.equal('SPAN');
 20 | 
 21 |     // no extraneous side-effects
 22 |     expect(el.attributes.length, 'more than 1 attribute').to.equal(0);
 23 |     expect(el.children.length, 'more than 1 child').to.equal(0);
 24 |     expect(el.parentElement).to.be.null;
 25 |     expect(el.textContent).to.be.empty;
 26 |   });
 27 | 
 28 |   it('should add attribute names or values from variables', function() {
 29 |     var el = html`<input type="number" min="${min}" name="number" id="number" class="number-input" max="${max}" ${ (disabled ? 'disabled' : '') }/>`;
 30 | 
 31 |     // correct node
 32 |     expect(el.nodeName).to.equal('INPUT');
 33 | 
 34 |     // correct attributes
 35 |     expect(el.attributes.length).to.equal(7);
 36 |     expect(el.type).to.equal('number');
 37 |     expect(el.min).to.equal('0');
 38 |     expect(el.name).to.equal('number');
 39 |     expect(el.id).to.equal('number');
 40 |     expect(el.className).to.equal('number-input');
 41 |     expect(el.disabled).to.equal(true);
 42 | 
 43 |     // no extraneous side-effects
 44 |     expect(el.children.length).to.equal(0);
 45 |     expect(el.parentElement).to.be.null;
 46 |     expect(el.textContent).to.be.empty;
 47 |   });
 48 | 
 49 |   it('should skip empty attributes', function() {
 50 |     var emptyDisabled = false;
 51 |     var el = html`<input type="number" min="${min}" name="number" id="number" class="number-input" max="${max}" ${ (emptyDisabled ? 'disabled' : '') }/>`;
 52 | 
 53 |     // correct node
 54 |     expect(el.nodeName).to.equal('INPUT');
 55 | 
 56 |     // correct attributes
 57 |     expect(el.attributes.length).to.equal(6);
 58 |     expect(el.type).to.equal('number');
 59 |     expect(el.min).to.equal('0');
 60 |     expect(el.name).to.equal('number');
 61 |     expect(el.id).to.equal('number');
 62 |     expect(el.className).to.equal('number-input');
 63 |     expect(el.disabled).to.equal(false);
 64 | 
 65 |     // no extraneous side-effects
 66 |     expect(el.children.length).to.equal(0);
 67 |     expect(el.parentElement).to.be.null;
 68 |     expect(el.textContent).to.be.empty;
 69 |   });
 70 | 
 71 |   it('should skip non-valid attribute substituted names', function() {
 72 |     var nonValidAttrName = [];
 73 |     var el = html`<div ${nonValidAttrName}="hello"/>`;
 74 | 
 75 |     // correct node
 76 |     expect(el.nodeName).to.equal('DIV');
 77 | 
 78 |     // correct attributes
 79 |     expect(el.attributes.length).to.equal(0);
 80 | 
 81 |     // no extraneous side-effects
 82 |     expect(el.children.length).to.equal(0);
 83 |     expect(el.parentElement).to.be.null;
 84 |     expect(el.textContent).to.be.empty;
 85 |   });
 86 | 
 87 |   it('should move any children from a substituted node to the new node', function() {
 88 |     var el = html`<h${heading}><span>Hello</span></h${heading}>`;
 89 | 
 90 |     // correct heading node
 91 |     expect(el.nodeName).to.equal('H1');
 92 |     expect(el.attributes.length).to.equal(0);
 93 |     expect(el.children.length).to.equal(1);
 94 |     expect(el.parentElement).to.be.null;
 95 |     expect(el.textContent).to.equal('Hello');
 96 | 
 97 |     // correct span node
 98 |     var span = el.firstChild;
 99 |     expect(span.nodeName).to.equal('SPAN');
100 |     expect(span.attributes.length, 'more than 1 attribute').to.equal(0);
101 |     expect(span.children.length, 'more than 1 child').to.equal(0);
102 |     expect(span.parentElement).to.equal(el);
103 |     expect(span.textContent).to.equal('Hello');
104 |   });
105 | 
106 |   it('should substitute in script tags', function() {
107 |     var el = html`<script>x = ${max}</script>`;
108 | 
109 |     // correct script node
110 |     expect(el.nodeName).to.equal('SCRIPT');
111 |     expect(el.attributes.length).to.equal(0);
112 |     expect(el.children.length).to.equal(0);
113 |     expect(el.parentElement).to.be.null;
114 |     expect(el.textContent).to.equal('x = 99');
115 |   });
116 | 
117 |   it('should allow optional attributes', function() {
118 |     var el = html`<button disabled?=${disabled}>Click</button>`;
119 | 
120 |     expect(el.hasAttribute('disabled')).to.be.true;
121 |     expect(el.getAttribute('disabled')).to.equal('');
122 | 
123 |     var notDisabled = false;
124 |     el = html`<button disabled?=${notDisabled}>Click</button>`;
125 | 
126 |     expect(el.hasAttribute('disabled')).to.be.false;
127 |   });
128 | });


--------------------------------------------------------------------------------
/test/xss.test.js:
--------------------------------------------------------------------------------
  1 | var counter = 0;
  2 | 
  3 | describe('XSS Attack Vectors', function() {
  4 |   // Modified XSS String
  5 |   // (Source: https://developers.google.com/closure/templates/docs/security#example)
  6 |   var xss = "javascript:/*</style></script>/**/ /<script>1/(assert(false))//</script>";
  7 | 
  8 |   afterEach(function() {
  9 |     counter++;
 10 |   });
 11 | 
 12 |   it('should prevent injection to element innerHTML', function() {
 13 |     var el = html`<p>${xss}</p>`;
 14 |     document.body.appendChild(el);
 15 |   });
 16 | 
 17 |   it('should prevent injection to non-quoted element attributes', function() {
 18 |     var el = html`<div data-xss=${xss}></div>`;
 19 |     document.body.appendChild(el);
 20 |   });
 21 | 
 22 |   it('should prevent injection to single quoted element attributes', function() {
 23 |     var el = html`<div data-xss='${xss}'></div>`;
 24 |     document.body.appendChild(el);
 25 |   });
 26 | 
 27 |   it('should prevent injection to double quoted element attributes', function() {
 28 |     var el = html`<div data-xss="${xss}"></div>`;
 29 |     document.body.appendChild(el);
 30 |   });
 31 | 
 32 |   it('should prevent injection as a javascript quoted string', function() {
 33 |      var el = html`<script>alert('${xss}')</script>`;
 34 |      document.body.appendChild(el);
 35 |   });
 36 | 
 37 |   it('should prevent injection on one side of a javascript quoted expression', function() {
 38 |     var el = html`<script>x='${xss}'</script>`;
 39 |     document.body.appendChild(el);
 40 |   });
 41 | 
 42 |   it('should prevent injection into inlined quoted event handler', function() {
 43 |     var el = html`<a href='#' onclick="x='${xss}'">XSS &lt;p&gt; tag</a>`;
 44 |     document.body.appendChild(el);
 45 |     el.click();
 46 |   });
 47 | 
 48 |   it('should prevent injection into quoted event handler', function() {
 49 |     var el = html`<a href='#' onclick="${xss}">XSS &lt;p&gt; tag</a>`;
 50 |     document.body.appendChild(el);
 51 |     el.click();
 52 |   });
 53 | 
 54 |   it('should prevent injection into CSS unquote property', function() {
 55 |     var el = html`<style>html { background: ${xss}; }</style>`;
 56 |     document.body.appendChild(el);
 57 |   });
 58 | 
 59 |   it('should prevent injection into CSS quoted property', function() {
 60 |     var el = html`<style>html { background: "${xss}"; }</style>`;
 61 |     document.body.appendChild(el);
 62 |   });
 63 | 
 64 |   it('should prevent injection into CSS property of HTML style attribute', function() {
 65 |     var el = html`<div style="background: ${xss}"></div>`;
 66 |     document.body.appendChild(el);
 67 |   });
 68 | 
 69 |   it('should prevent injection into query params of HTML urls', function() {
 70 |     var el = html`<p><a target='_blank' href="http://www.google.com?test=${xss}">XSS'ed Link</a></p>`;
 71 |     document.body.appendChild(el);
 72 |     el.click();
 73 |   });
 74 | 
 75 |   it('should prevent injection into HREF attribute of <a> tag', function() {
 76 |     var el = html`<a href="${xss}">XSS'ed Link</a>`;
 77 |     document.body.appendChild(el);
 78 |     el.click();
 79 |   });
 80 | 
 81 |   it('should prevent against clobbering of /attributes/', function() {
 82 |     var el = html`<form id="f" action="${xss}" onsubmit="return false;">
 83 |       <input type="radio" name="attributes"//>
 84 |       <input type="submit" />
 85 |     </form>`;
 86 |    document.body.appendChild(el);
 87 | 
 88 |    // el.submit() does not trigger a submit event, so we need to click the submit button
 89 |    // @see http://stackoverflow.com/questions/11557994/jquery-submit-vs-javascript-submit
 90 |    el.querySelector('input[type="submit"]').click();
 91 |   });
 92 | 
 93 |   it('should prevent injection out of a tag name by throwing an error', function() {
 94 |     var func = function() {
 95 |       var el = html`<h${xss}></h${xss}>`;
 96 |       document.body.appendChild(el);
 97 |     };
 98 | 
 99 |     expect(func).to.throw;
100 |   });
101 | 
102 |   it('should prevent xss protocol URLs by rejecting them', function() {
103 |     var el = html`<a href="${xss}"></a>`;
104 |     document.body.appendChild(el);
105 |     el.click();
106 | 
107 |     expect(el.getAttribute('href')[0]).to.equal('#');
108 |   });
109 | 
110 |   it('should not prevent javascript protocol if it was a safe string', function() {
111 |     var value = 'foo/bar&baz/boo';
112 |     var el = html`<a href="javascript:void(0);">`;
113 | 
114 |     expect(el.getAttribute('href')).to.equal('javascript:void(0);');
115 |   });
116 | 
117 |   it('should prevent injection into uri custom attributes', function() {
118 |     var el = html`<a href="#" data-uri="${xss}">`
119 |     document.body.appendChild(el);
120 |     el.href = el.getAttribute('data-uri');
121 |     el.click();
122 |   });
123 | 
124 |   it('should entity escape URLs', function() {
125 |     var value = 'foo/bar&baz/boo';
126 |     var el = html`<a href="${value}">`;
127 | 
128 |     expect(el.getAttribute('href')).to.equal('foo/bar&amp;baz/boo');
129 |   });
130 | 
131 |   it('should percent encode inside URL query', function() {
132 |     var value = 'bar&baz=boo';
133 |     var el = html`<a href="foo?q=${value}">`;
134 | 
135 |     expect(el.getAttribute('href')).to.equal('foo?q=bar%26baz%3Dboo');
136 |   });
137 | 
138 |   it('should percent encode inside URL query and entity escape if not', function() {
139 |     var value = 'bar&baz=boo';
140 |     var el = html`<a href="foo/${value}/bar?q=${value}">`;
141 | 
142 |     expect(el.getAttribute('href')).to.equal('foo/bar&amp;baz=boo/bar?q=bar%26baz%3Dboo');
143 |   });
144 | 
145 |   it('should reject a URL outright if it has the wrong protocol', function() {
146 |     var protocol = 'javascript:alert(1337)';
147 |     var value = '/foo&bar/bar';
148 |     var el = html`<a href="${protocol}/bar${value}">`;
149 | 
150 |     expect(el.getAttribute('href')[0]).to.equal('#');
151 |     expect(el.getAttribute('href').indexOf('/bar')).to.equal(-1);
152 |   });
153 | 
154 |   it('should allow a URL if it has a safe protocol', function() {
155 |     var protocol = 'http://localhost:500';
156 |     var value = '/foo?id=true';
157 |     var el = html`<a href="${protocol}/bar${value}">`;
158 | 
159 |     expect(el.getAttribute('href')).to.equal('http://localhost:500/bar/foo?id=true');
160 | 
161 |     var protocol = 'https://localhost:500';
162 |     var el = html`<a href="${protocol}/bar${value}">`;
163 | 
164 |     expect(el.getAttribute('href')).to.equal('https://localhost:500/bar/foo?id=true');
165 |   });
166 | 
167 | });
168 | 


--------------------------------------------------------------------------------