From b47f6ae905519b8919527cba49ebd409f479090d Mon Sep 17 00:00:00 2001
From: Chad Weider
Date: Fri, 11 May 2012 18:16:20 -0700
Subject: [PATCH] Use packaged edition of security module.
---
 src/node/utils/Minify.js | 4 +++-
 src/node/utils/tar.json | 1 +
 src/package.json | 1 +
 src/static/js/security.js | 39 +--------------------------------------
 4 files changed, 6 insertions(+), 39 deletions(-)
diff --git a/src/node/utils/Minify.js b/src/node/utils/Minify.js
index 52aece14..a08535ce 100644
--- a/src/node/utils/Minify.js
+++ b/src/node/utils/Minify.js
@@ -36,7 +36,9 @@ var TAR_PATH = path.join(__dirname, 'tar.json');
 var tar = JSON.parse(fs.readFileSync(TAR_PATH, 'utf8'));
-var LIBRARY_WHITELIST = [];
+var LIBRARY_WHITELIST = [
+ 'security'
+ ];
 // Rewrite tar to include modules with no extensions and proper rooted paths.
 var LIBRARY_PREFIX = 'ep_etherpad-lite/static/js';
diff --git a/src/node/utils/tar.json b/src/node/utils/tar.json
index 15ce68e2..6bdece1b 100644
--- a/src/node/utils/tar.json
+++ b/src/node/utils/tar.json
@@ -60,6 +60,7 @@
 , "rjquery.js"
 , "underscore.js"
 , "security.js"
+ , "$security.js"
 , "json2.js"
 , "pluginfw/plugins.js"
 , "pluginfw/hooks.js"
diff --git a/src/package.json b/src/package.json
index 52a5d840..03f7f196 100644
--- a/src/package.json
+++ b/src/package.json
@@ -30,6 +30,7 @@
 "graceful-fs" : "1.1.5",
 "slide" : "1.1.3",
 "semver" : "1.0.13",
+ "security" : "1.0.0",
 "underscore" : "1.3.1"
 },
 "bin": { "etherpad-lite": "./node/server.js" },
diff --git a/src/static/js/security.js b/src/static/js/security.js
index 6f42d051..9c9fff37 100644
--- a/src/static/js/security.js
+++ b/src/static/js/security.js
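Review bot: `LIBRARY_WHITELIST` in the Minify.js hunk gains its first entry without a comment saying what qualifies a module for the list, and the closing `];` sits at the entry's indentation, which reads as if more elements were expected. Either `var LIBRARY_WHITELIST = ['security'];` or `];` back at column 0 would be clearer, with a line above it such as `// Packaged node modules that may be served to the browser; extend deliberately.` The hunk does not show how the list is consumed, so that wording should be checked against the code past the hunk; if the list gates what Minify serves from node_modules, each entry exposes that package's files to clients and deserves the same scrutiny as any other static asset.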
@@ -14,41 +14,4 @@ * limitations under the License.
 */
-var HTML_ENTITY_MAP = {
- '&': '&'
-, '<': '<'
-, '>': '>'
-, '"': '"'
-, "'": '''
-, '/': '/'
-};
-
-// OSWASP Guidlines: &, <, >, ", ' plus forward slash.
-var HTML_CHARACTERS_EXPRESSION = /[&"'<>\/]/g;
-function escapeHTML(text) {
- return text && text.replace(HTML_CHARACTERS_EXPRESSION, function (c) {
- return HTML_ENTITY_MAP[c] || c;
- });
-}
-
-// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space.
-var HTML_ATTRIBUTE_CHARACTERS_EXPRESSION =
- /[\x00-\x2F\x3A-\x40\5B-\x60\x7B-\xFF]/g;
-function escapeHTMLAttribute(text) {
- return text && text.replace(HTML_ATTRIBUTE_CHARACTERS_EXPRESSION, function (c) {
- return "&#x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2) + ";";
- });
-};
-
-// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space.
-var JAVASCRIPT_CHARACTERS_EXPRESSION =
- /[\x00-\x2F\x3A-\x40\5B-\x60\x7B-\xFF]/g;
-function escapeJavaScriptData(text) {
- return text && text.replace(JAVASCRIPT_CHARACTERS_EXPRESSION, function (c) {
- return "\\x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
- });
-}
-
-exports.escapeHTML = escapeHTML;
-exports.escapeHTMLAttribute = escapeHTMLAttribute;
-exports.escapeJavaScriptData = escapeJavaScriptData;
+module.exports = require('security');
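Review bot: The new `module.exports = require('security');` documents nothing about the export surface callers rely on, and nothing in the hunk shows that the packaged module exposes the same `escapeHTML`, `escapeHTMLAttribute` and `escapeJavaScriptData` the removed code did. Because these helpers are the project's output-encoding layer, a name mismatch would only surface at the first escaping call, so I would add above the line `// Re-export of the packaged escaping helpers; consumers depend on escapeHTML, escapeHTMLAttribute and escapeJavaScriptData.` The removed attribute and JavaScript character classes read `\5B` where `\x5B` was presumably intended (inside a class, `\5` is a lone control character and `B-\x60` a separate range, so the set is not the one the comment describes), so it is worth confirming that the pinned `security` 1.0.0 does not carry the same typo. On the browser side this require appears to resolve only through the `security` whitelist entry in Minify.js and the `$security.js` entry in tar.json from the same commit, which deserves a pointer in that comment.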