Use packaged edition of security module.

src/node/utils/Minify.js

@@ -36,7 +36,9 @@ var TAR_PATH = path.join(__dirname, 'tar.json');
 var tar = JSON.parse(fs.readFileSync(TAR_PATH, 'utf8'));
 
 
-var LIBRARY_WHITELIST = [];
+var LIBRARY_WHITELIST = [
+      'security'
+    ];
 
 // Rewrite tar to include modules with no extensions and proper rooted paths.
 var LIBRARY_PREFIX = 'ep_etherpad-lite/static/js';

src/node/utils/tar.json

@@ -60,6 +60,7 @@
   , "rjquery.js"
   , "underscore.js"
   , "security.js"
+  , "$security.js"
   , "json2.js"
   , "pluginfw/plugins.js"
   , "pluginfw/hooks.js"

src/package.json

@@ -30,6 +30,7 @@
                       "graceful-fs"         : "1.1.5",
                       "slide"               : "1.1.3",
                       "semver"              : "1.0.13",
+                      "security"            : "1.0.0",
                       "underscore"          : "1.3.1"
                      },
   "bin":             { "etherpad-lite": "./node/server.js" },

src/static/js/security.js

@@ -14,41 +14,4 @@
  * limitations under the License.
  */
 
-var HTML_ENTITY_MAP = {
+module.exports = require('security');
-  '&': '&'
-, '<': '&lt;'
-, '>': '&gt;'
-, '"': '&quot;'
-, "'": '&#x27;'
-, '/': '&#x2F;'
-};
-
-// OSWASP Guidlines: &, <, >, ", ' plus forward slash.
-var HTML_CHARACTERS_EXPRESSION = /[&"'<>\/]/g;
-function escapeHTML(text) {
-  return text && text.replace(HTML_CHARACTERS_EXPRESSION, function (c) {
-    return HTML_ENTITY_MAP[c] || c;
-  });
-}
-
-// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space.
-var HTML_ATTRIBUTE_CHARACTERS_EXPRESSION =
-    /[\x00-\x2F\x3A-\x40\5B-\x60\x7B-\xFF]/g;
-function escapeHTMLAttribute(text) {
-  return text && text.replace(HTML_ATTRIBUTE_CHARACTERS_EXPRESSION, function (c) {
-    return "&#x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2) + ";";
-  });
-};
-
-// OSWASP Guidlines: escape all non alphanumeric characters in ASCII space.
-var JAVASCRIPT_CHARACTERS_EXPRESSION =
-    /[\x00-\x2F\x3A-\x40\5B-\x60\x7B-\xFF]/g;
-function escapeJavaScriptData(text) {
-  return text && text.replace(JAVASCRIPT_CHARACTERS_EXPRESSION, function (c) {
-    return "\\x" + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
-  });
-}
-
-exports.escapeHTML = escapeHTML;
-exports.escapeHTMLAttribute = escapeHTMLAttribute;
-exports.escapeJavaScriptData = escapeJavaScriptData;