Merge pull request #3 from yahoo/use-xss-filters-v1.2.0

release v1.0.7

Author: neraliu

.travis.yml

@@ -1,4 +1,24 @@
 language: node_js
 node_js:
+- '0.12'
 - '0.11'
 - '0.10'
+notifications:
+  email:
+    recipients:
+    - neraliu@yahoo-inc.com
+    - adon@yahoo-inc.com
+  on_success: change
+  on_failure: always
+after_success:
+- test $(cat $TRAVIS_BUILD_DIR/package.json | grep version | awk '{print $2}' | sed
+  's/"//g' | sed 's/,//g' | awk '{print "v"$1}' ) = $TRAVIS_TAG && export VALID_VERSION=true
+deploy:
+  provider: npm
+  email: neraliu@yahoo-inc.com
+  api_key:
+    secure: LlhF8dO3Plt023CjeQRumw9ZgBNsE2KWanHrRY/SnMoFxWgcVYEbzX3Ze5CtoRvtm8CH+3z71L11BaL52GN0qm+0zX93h4JXTYETloEzX2pdJpiBXATzEKcscLC5bfsarh2I/UlkSPQP2b+mkAi3RJu/rjF4CBjbpwka90aF1k0=
+  on:
+    condition: $VALID_VERSION = true
+    tags: true
+    branch: master

README.md

@@ -1,16 +1,11 @@
 secure-handlebars-helpers
 =========================
-This handy *client-side* script registers the required secure XSS output filters as handlebars' helpers, and is designed ONLY for  
-- templates processed with context-sensitive filters automatically inserted (e.g., `<title>{{{yd title}}}</title>`) using [context-parser-handlebars](https://www.npmjs.com/package/context-parser-handlebars).
-
 [![npm version][npm-badge]][npm]
 [![dependency status][dep-badge]][dep-status]
+[![Build Status](https://travis-ci.org/yahoo/secure-handlebars-helpers.svg?branch=master)](https://travis-ci.org/yahoo/secure-handlebars-helpers)
+
+This handy *client-side* script registers the required [XSS output filtering functions](https://www.npmjs.com/package/xss-filters) as handlebars' helpers, and is designed ONLY for templates that already have the context-sensitive filter markup (e.g., `<title>{{{yd title}}}</title>`) automatically inserted using [secure-handlebars](https://www.npmjs.com/package/secure-handlebars).
 
-[npm]: https://www.npmjs.org/package/secure-handlebars-helpers
-[npm-badge]: https://img.shields.io/npm/v/secure-handlebars-helpers.svg?style=flat-square
-[dep-status]: https://david-dm.org/yahoo/secure-handlebars-helpers
-[dep-badge]: https://img.shields.io/david/yahoo/secure-handlebars-helpers.svg?style=flat-square
-                
 ## Quick Start
 
 ### Client-side (browser)
@@ -35,9 +30,13 @@ To contribute, you will make changes in [`src/`](./src) and [`tests/`](./tests),
 - ```$ npm run-script build``` to build the standalone JavaScript for client-side use
 - ```$ npm test``` to run the tests
 
-### Build
-[![Build Status](https://travis-ci.org/yahoo/secure-handlebars-helpers.svg?branch=master)](https://travis-ci.org/yahoo/secure-handlebars-helpers)
-
 ## License
 This software is free to use under the Yahoo BSD license. 
 See the [LICENSE file](./LICENSE) for license text and copyright information.
+
+
+
+[npm]: https://www.npmjs.org/package/secure-handlebars-helpers
+[npm-badge]: https://img.shields.io/npm/v/secure-handlebars-helpers.svg?style=flat-square
+[dep-status]: https://david-dm.org/yahoo/secure-handlebars-helpers
+[dep-badge]: https://img.shields.io/david/yahoo/secure-handlebars-helpers.svg?style=flat-square

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-handlebars-helpers",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "main": "dist/secure-handlebars-helpers.min.js",
   "authors": [
     "adon <adon@yahoo-inc.com>"

dist/secure-handlebars-helpers.js

@@ -1,7 +1,7 @@
 {
   "name": "secure-handlebars-helpers",
   "description": "Client-side XSS filters for templates processed by context-parser-handlebars",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "licenses": [
     {
       "type": "BSD",
@@ -42,7 +42,7 @@
     "test": "grunt test"
   },
   "dependencies": {
-    "xss-filters": "^1.0.6"
+    "xss-filters": "^1.2.0"
   },
   "devDependencies": {
     "grunt": "^0.4.5",

dist/secure-handlebars-helpers.min.1.0.7.js

@@ -11,11 +11,26 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
 /* global Handlebars, privFilters */
 
 (function(Handlebars, filterNames, i, name){
-    if (!Handlebars || !Handlebars.registerHelper) {
+
+    if (!Handlebars || !Handlebars.registerHelper || !Handlebars.Utils.escapeExpression) {
         throw new ReferenceError('Handlebars is not defined');
     }
+
+    Handlebars.registerHelper('y', Handlebars.Utils.escapeExpression);
+
+    // don't escape SafeStrings, since they're already safe according to Handlebars
+    // Reference: https://github.com/wycats/handlebars.js/blob/master/lib/handlebars/utils.js#L63-L82
+    function safeStringCompatibleFilter (filterName) {
+        return function (s) {
+            // Unlike escapeExpression(), return s instead of s.toHTML() since downstream
+            //  filters of the same chain has to be disabled too.
+            //  Handlebars will invoke SafeString.toString() at last during data binding
+            return (s && s.toHTML) ? s : privFilters[filterName](s);
+        };
+    }
+
     // expect privFilters are available
     for (; (name = filterNames[i]); i++) {
-    	Handlebars.registerHelper(name, privFilters[name]);
+    	Handlebars.registerHelper(name, safeStringCompatibleFilter(name));
     }
-})(Handlebars, ['y','yd','yc','yavd','yavs','yavu','yu','yuc','yubl','yufull'], 0);
+})(Handlebars, ['yd', 'yc', 'yavd', 'yavs', 'yavu', 'yu', 'yuc', 'yubl', 'yufull', 'yceu', 'yced', 'yces', 'yceuu', 'yceud', 'yceus'], 0);

dist/secure-handlebars-helpers.min.js

@@ -15,7 +15,9 @@ var filterNames = [
 	'yd', 'yc', 
 	'yavd', 'yavs', 'yavu',
 	'yu', 'yuc',
-	'yubl', 'yufull'
+	'yubl', 'yufull',
+    'yceu', 'yced', 'yces', 
+    'yceuu', 'yceud', 'yceus'
 ];
 
 console.log('Integration test with Handlebars v' + Handlebars.VERSION);
@@ -54,12 +56,42 @@ describe("secure handlebars helpers: error tests", function() {
         // yubl will not be independently used
         // expect(filter.yubl()).to.eql('undefined');
 
+        expect(filter.yceu()).to.eql('undefined');
+        expect(filter.yced()).to.eql('undefined');
+        expect(filter.yces()).to.eql('undefined');
+        expect(filter.yceuu()).to.eql('undefined');
+        expect(filter.yceud()).to.eql('undefined');
+        expect(filter.yceus()).to.eql('undefined');
 
-    	expect(filter.y()).to.eql('undefined');
+    	expect(filter.y()).to.eql('');
     });
 
-});
+    it('filters handling of null input', function() {
+        
+        expect(filter.yd(null)).to.eql('null');
+        expect(filter.yc(null)).to.eql('null');
+        
+        expect(filter.yavd(null)).to.eql('null');
+        expect(filter.yavs(null)).to.eql('null');
+        expect(filter.yavu(null)).to.eql('null');
+        
+        expect(filter.yu(null)).to.eql('null');
+        expect(filter.yuc(null)).to.eql('null');
+        expect(filter.yufull(null)).to.eql('null');
+        // yubl will not be independently used
+        // expect(filter.yubl()).to.eql('null');
+
+        expect(filter.yceu(null)).to.eql('null');
+        expect(filter.yced(null)).to.eql('null');
+        expect(filter.yces(null)).to.eql('null');
+        expect(filter.yceuu(null)).to.eql('null');
+        expect(filter.yceud(null)).to.eql('null');
+        expect(filter.yceus(null)).to.eql('null');
 
+        expect(filter.y(null)).to.eql('');
+    });
+
+});
 
 /* the functional test is tested against in the contextparse-filters */
 describe("secure handlebars helpers: compilation tests", function() {
@@ -108,6 +140,47 @@ describe("secure handlebars helpers: compilation tests", function() {
         expect(output).to.eql('<div id="divid"></div>');
     });
 
+
+    it('filter yceu test', function() {
+        var html = '<div style="background: {{{yceu value}}}"></div>';
+        var json = {value: "red"};
+        var output = compilation_test(html, json);
+        expect(output).to.eql('<div style="background: red"></div>');
+    });
+    it('filter yced test', function() {
+        var html = '<div style="background: &quot;{{{yced value}}}&quot;"></div>';
+        var json = {value: "red"};
+        var output = compilation_test(html, json);
+        expect(output).to.eql('<div style="background: &quot;red&quot;"></div>');
+    });
+    it('filter yces test', function() {
+        var html = '<div style="background: \'{{{yces value}}}\'"></div>';
+        var json = {value: "red"};
+        var output = compilation_test(html, json);
+        expect(output).to.eql('<div style="background: \'red\'"></div>');
+    });
+
+
+    it('filter yceuu test', function() {
+        var html = '<div style="background: url({{{yceuu value}}})"></div>';
+        var json = {value: "javascript:alert(1)"};
+        var output = compilation_test(html, json);
+        expect(output).to.eql('<div style="background: url(##javascript:alert\\28 1\\29 )"></div>');
+    });
+    it('filter yceud test', function() {
+        var html = '<div style="background: url(&quot;{{{yceud value}}}&quot;)"></div>';
+        var json = {value: "javascript:alert(1)"};
+        var output = compilation_test(html, json);
+        expect(output).to.eql('<div style="background: url(&quot;##javascript:alert(1)&quot;)"></div>');
+    });
+    it('filter yceus test', function() {
+        var html = '<div style="background: url(\'{{{yceus value}}}\')"></div>';
+        var json = {value: "javascript:alert(1)"};
+        var output = compilation_test(html, json);
+        expect(output).to.eql('<div style="background: url(\'##javascript:alert(1)\')"></div>');
+    });
+
+
     it('chained filter - yubl yavd yufull test', function() {
     	var html = '<a href="{{{yubl (yavd (yufull url))}}}">link</a>';
         var json = {url: "javascript :alert(0);"};
@@ -175,7 +248,7 @@ describe("secure handlebars helpers: compilation tests", function() {
         var html = '<script>{{{y script}}}</script>';
         var json = {script: "&<>'\"&<>'\""};
         var output = compilation_test(html, json);
-        expect(output).to.eql('<script>&amp;&lt;&gt;&#39;&quot;&amp;&lt;&gt;&#39;&quot;</script>');
+        expect(output).to.eql('<script>&amp;&lt;&gt;&#x27;&quot;&amp;&lt;&gt;&#x27;&quot;</script>');
     });