From e67abf30e13f972bca6305b16cd578285406570e Mon Sep 17 00:00:00 2001 
From: Nera Liu
Date: Sat, 13 Jun 2015 23:52:26 +0800
Subject: [PATCH] remove www from master branch
---
index.html | 106 ----------
www/autoescaping.html | 172 ----------------
www/bugBounty.html | 85 --------
www/bugBountyRules.html | 82 --------
www/contextparser.html | 158 ---------------
www/demosContextParserHandlebars.html | 122 -----------
www/demosXssFilters.html | 104 ----------
www/error.html | 82 --------
www/filteringishard.html | 157 ---------------
www/images/security_sprite.png | Bin 5210 -> 0 bytes
www/images/security_sprite_x2.png | 1 -
www/index.html | 105 ----------
www/javascripts/bootstrap.min.js | 6 -
.../demos_context_parser_handlebars.js | 45 -----
www/javascripts/demos_xss_filters.js | 75 -------
www/javascripts/docs.min.js | 24 ---
www/javascripts/html5shiv-3.7.2.min.js | 4 -
.../ie10-viewport-bug-workaround.js | 22 --
www/javascripts/jquery.min.js | 4 -
www/javascripts/respond.min.js | 5 -
.../secure-handlebars-helpers.min.js | 5 -
www/javascripts/secure-handlebars.min.js | 19 --
www/javascripts/xss-filters.min.js | 5 -
www/safejstemplating.html | 163 ---------------
www/stylesheets/blog.css | 167 ---------------
www/stylesheets/bootstrap.min.css | 5 -
www/stylesheets/carousel.css | 138 -------------
www/stylesheets/security.css | 190 ------------------
28 files changed, 2051 deletions(-)
delete mode 100644 index.html
delete mode 100644 www/autoescaping.html
delete mode 100644 www/bugBounty.html
delete mode 100644 www/bugBountyRules.html
delete mode 100644 www/contextparser.html
delete mode 100644 www/demosContextParserHandlebars.html
delete mode 100644 www/demosXssFilters.html
delete mode 100644 www/error.html
delete mode 100644 www/filteringishard.html
delete mode 100644 www/images/security_sprite.png
delete mode 100644 www/images/security_sprite_x2.png
delete mode 100644 www/index.html
delete mode 100644 www/javascripts/bootstrap.min.js
delete mode 100644 www/javascripts/demos_context_parser_handlebars.js
delete mode 100644 
www/javascripts/demos_xss_filters.js delete mode 100644 www/javascripts/docs.min.js delete mode 100644 www/javascripts/html5shiv-3.7.2.min.js delete mode 100644 www/javascripts/ie10-viewport-bug-workaround.js delete mode 100644 www/javascripts/jquery.min.js delete mode 100644 www/javascripts/respond.min.js delete mode 100644 www/javascripts/secure-handlebars-helpers.min.js delete mode 100644 www/javascripts/secure-handlebars.min.js delete mode 100644 www/javascripts/xss-filters.min.js delete mode 100644 www/safejstemplating.html delete mode 100644 www/stylesheets/blog.css delete mode 100644 www/stylesheets/bootstrap.min.css delete mode 100644 www/stylesheets/carousel.css delete mode 100644 www/stylesheets/security.css diff --git a/index.html b/index.html deleted file mode 100644 index 3c34e37..0000000 --- a/index.html +++ /dev/null @@ -1,106 +0,0 @@ - - - - - - - - - Safe JavaScript Templating - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- -
- -
- -
- -
-
-

Safe JavaScript Templating

-

Our novel approach to defend JavaScript Templating solutions against Cross-site Scripting (XSS).

-
-
- -
-
-

Try our demo!

-
- -
 
- -
-

Filtering is HARD!

-

Cross Site Scripting (a.k.a. XSS) has long been ranked among Top 3 in the OWASP Top 10 for more than a decade. Web applications taking untrusted user inputs, keeping them intact without proper validations, and sending them back as part of the HTML are vulnerable to XSS. Nevertheless, why is XSS still being ranked among consistently high in OWASP Top 10? more...

-
- -
-

Existing JavaScript (JS) Templating is UNSAFE!

-

JS Templating refers to the data binding method implemented with the JavaScript language. In general, a placeholder such as {{key}} is used to bind values of the given key from data files, often JSON objects. To name a few, popular JS templating libraries include AngularJS, Dust.js, Handlebars.js, and Mustache.js.

- -

Intended to defend aganist Cross-Site Scripting (XSS), the JS Templating libraries are defaulted to apply automatic HTML escaping on the untrusted binding outputs. However, it is known to be still VULNERABLE to XSS! more...

-
- -
-

Context Parser & Safe JavaScript Templating

-

We propose a novel approach to defend JavaScript Templating libraries against XSS by our - HTML5 compilant context parser and filters.

-
- -
-
- - - - - - - - - - - - - - - - diff --git a/www/autoescaping.html b/www/autoescaping.html deleted file mode 100644 index 24e1eff..0000000 --- a/www/autoescaping.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - What is Auto Escaping? - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- -
- -
- -
- -
-
-

What is Auto Escaping?

-

It is the default strategy in JavaScript Templating by auto HTML escaping the output to defend aganist cross site scripting (XSS)

-
- -
  
- -
-
-

What is Auto Escaping?

-

Auto Escaping is applied by JS Templating engines to mitigate Cross-Site Scripting (XSS). It works by encoding all harmful characters originated from untrusted inputs, and thus preventing browsers from interpreting them as HTML entities, which otherwise could lead to malicious script injections and executions.

-

Here we summarize those characters that are considered dangerous by the Auto Escaping approach: - - - - - -
Characters><"'&
Characters (encoded)&gt;&lt;&quot;&apos;&amp;
-

-

While the approach can defend against some XSS vulnerabilities, it may give a false sense of security that the XSS problem is solved.

-
- -
-

What's wrong?

-

Some JS templating engines miss characters that could lead to XSS. Taking DustJS and Handlerbars as examples, the table below summerizes which dangerous characters are encoded by their auto escaping implementations.

- - - - - - -
Characters><"'&SPACE
DustJS&gt;&lt;&quot;&apos;&amp;SPACE
Handlebars&gt;&lt;&quot;&apos;&amp;SPACE
- -

The dangerous characters are blindly encoded without considering the output execution contexts. According to the encoding character sets, both DustJS and HandlebarsJS do not encode space ( ) characters, which are arguably legitimate user inputs. However, it could be used as a XSS attack vector depending on the output context.

-
-

Example of Vulnerability

-
    -
  • Visit the official DustJS demo page
  • -
  • Use <input value={untrusted}/> as template
  • -
  • Use {"untrusted": "break_the_context onblur=alert(1)"} as data input
  • -
  • After data binding, the output becomes <input value=break_the_context onblur=alert(1)/>
  • -
  • Again, when rendered by browsers, you will see the alert prompt when the input box is out of focus.
  • -
-
-
- -
-

Our Context-aware Solution

-

The solution is to (1) parse the HTML template files to analyze the output execution context, and (2) apply context-sensitive encoding accordingly.

-
-
- -
- - - - - - Back to top - -
- -
-
-
- -
-
-

Back

-
- -
-
- - - - - - - - - - - - - - - diff --git a/www/bugBounty.html b/www/bugBounty.html deleted file mode 100644 index 7d4e7be..0000000 --- a/www/bugBounty.html +++ /dev/null @@ -1,85 +0,0 @@ - - - - - - - Yahoo Bug Bounty Special Program 2.0 - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- -
- -
- -
- -
-
- -
-

Yahoo Bug Bounty Special Program 2.0

-

Hello Security Researchers!

Recently, we are working on two security projects - Secure XSS Filters on HTML5 and Safe JavaScript Templating on Secure Handlebars. And we are pleased to invite external reviewers to test the security design principle of these two products under our Bug Bounty Program to make our product safe!

Please click the link to join our program. We look forward to working with you!

-
-
- -
-
-
- -
-
-
- - - - - - - - - - - - - - - diff --git a/www/bugBountyRules.html b/www/bugBountyRules.html deleted file mode 100644 index 049006a..0000000 --- a/www/bugBountyRules.html +++ /dev/null @@ -1,82 +0,0 @@ - - - - - - - Page Not Found! - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- -
- -
- -
- -
-
-

Page Not Found!

-

404 Page Not Found!

-
-
- -
-
-
- -
-
- - - - - - - - - - - - - - - diff --git a/www/contextparser.html b/www/contextparser.html deleted file mode 100644 index ee9e2f9..0000000 --- a/www/contextparser.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - Context-aware HTML5 Parser - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- -
- -
- -
- -
-
-

Context-aware HTML5 Parser

-

Our novel approach to implement a HTML5 compliant parser for cross browsers.

-
- -
  
- -
-
-

How to solve XSS?

-

In order to solve the cross site scripting, we analyze the HTML5 template files output execution context according to the HTML5 WHATWG specification and apply context-sensitive encoding filters, unlike the widely-used Auto Escaping approach that blindly applies the same encoder on every output.

-
- -
-

Features of our Context Parser

-

 

- -

HTML5 Compliance

-

We implement our HTML5 parser according to the HTML5 WHATWG specification. It is HTML5 Compliant!!!

- -

Speedy

-

As our goal is to analyze the output execution context, there is no need to implement the end to end parsing model as the specification stated, so we can parse the HTML5 real fast.

-

Currently, we can parse 12.903225806451612 MB per second in our JavaScript implementation.

-

- -

Tiny code base

-

Our code is around 500 lines, it is easy to be ported to different programming languages. Right now, we support native JavaScript implementation.

- -

Canonicalization

-

.....

-
- -
-

Safe JavaScript Templating

-

Empowered by our Context Parser, we identify the HTML5 execution context before applying the corresponding filter on the output. This capability allows us to integrate with different JavaScript templating engines and make them XSS free.

-
-
- -
- - - - - - Back to top - -
- -
-
-
- -
-
-

Back

-
- -
-
- - - - - - - - - - - - - - - diff --git a/www/demosContextParserHandlebars.html b/www/demosContextParserHandlebars.html deleted file mode 100644 index b05dba6..0000000 --- a/www/demosContextParserHandlebars.html +++ /dev/null @@ -1,122 +0,0 @@ - - - - - - - Safe JavaScript Templating with Handlebars - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
-
- -
- -
- -
-
-

Safe JavaScript Templating with Handlebars

-
- -
-

Secure Handlebars is a pre-processor to automatically conduct HTML 5 context analysis on Handlebars templates, and insert markup of XSS filtering helpers to output expressions based on their surrounding contexts. The resulted templates can then be further processed with the vanilla Handlebars template engine. With the context-sensitive helpers properly registered at runtime, the context-sensitive escaping will effectively defend against XSS attacks. For more detail, please check here.

-
- -
-

Original Handlebars Template

- -
-
-

Preprocessed Handlebars Template

- -
-
-

JSON string

- -
-
-

Rendered HTML

- -
-
-

Enable strict mode (the pre-processor will throw exception if context is not supported by our Context Parser, otherwise, the original auto escaping filter is applied!

-
- -
-
    -
  1. Secure Handlebars
  2. -
  3. Secure Handlebars Helpers
  4. -
  5. Express Secure Handlebars
  6. -
      -
- -
-
- -
-
- -
-
- - - - - - - - - - - - - - - diff --git a/www/demosXssFilters.html b/www/demosXssFilters.html deleted file mode 100644 index 67ea32e..0000000 --- a/www/demosXssFilters.html +++ /dev/null @@ -1,104 +0,0 @@ - - - - - - - Secure XSS Filters - - - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
-
- -
- -
- -
-
-

Secure XSS Filters

-
-
-

Secure XSS Filters is a npm package to provide *just sufficient* output filtering to prevent cross site scripting vulnerablities. This page demostrates the filtering result of untrusted input in its corresponding execution context! For more detail, please check here.

-
- -
-
- - - - -
-
- -
-
- -
-
    -
  1. XSS Filters
  2. -
      -
- -
-
- -
-
- -
-
- - - - - - - - - - - - - - - diff --git a/www/error.html b/www/error.html deleted file mode 100644 index 049006a..0000000 --- a/www/error.html +++ /dev/null @@ -1,82 +0,0 @@ - - - - - - - Page Not Found! - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- -
- -
- -
- -
-
-

Page Not Found!

-

404 Page Not Found!

-
-
- -
-
-
- -
-
- - - - - - - - - - - - - - - diff --git a/www/filteringishard.html b/www/filteringishard.html deleted file mode 100644 index 243b52e..0000000 --- a/www/filteringishard.html +++ /dev/null @@ -1,157 +0,0 @@ - - - - - - - Filtering is Hard! - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- -
- -
- -
- -
-
-

Filtering is Hard!

-

Cross Site Scripting (a.k.a. XSS) is still ranked among Top 3 in the OWASP Top 10 for more than a decade, and why?

-
- -
  
- -
-
-

Filtering is hard!!!

-

Cross Site Scripting (a.k.a. XSS) has long been ranked among Top 3 in the OWASP Top 10 [1] for more than a decade. Web applications taking untrusted user inputs, keeping them intact without proper validations, and sending them back as part of the HTML are vulnerable to XSS. Attackers can execute arbitrary JavaScript in the vulnerable application, deface the website, and even steal users’ sessions and personal information. Given these severe consequences, XSS is unarguably a critical vulnerability.

- -

Nevertheless, why is XSS still being ranked among consistently high in OWASP Top 10? As a matter of fact, context-aware output filtering, as the most effective mitigation approach is hard to apply manually. In this article, we further elaborate the difficulty, and how we tackle this problem when designing XSS filters and automated solutions.

-
- -
-

Input Validation v.s. Output Filtering

-

User input validation is implemented at the server-side, often as the first interface to validate all inputs before further processing; whereas output filtering is implemented as the last component at the output, right before the data is sent back to user’s browsers. There is is no conflicting reason of just doing the filtering mechanism in one place, since it depends on the use case and functionality of your web applications. Taking search application as an example, it is impractical to implement the user input validation since the application needs to capture what exactly the user input to conduct the search functionality. Indispensably, user input validation is still the most universal mechanism for validation/filtering strategy for most web applications.

- -

However, why does input filtering fail in most cases? It is because the first interfacing component of the system can never anticipate what system component comes next when we are developing the modern web applications at scale with different internal and external systems interacting with each other. As a consequence, input filtering can either be over-filtering or insufficient filtering, the first case definitely affects the normal functionality while the latter case can lead to XSS vulnerabilities. This scenario makes output filtering more suitable and effective in the validation/filtering strategy, as it is the last component of the web application returning data back to the user’s browser. Nowadays, the industry is shifting to the output filtering in most of templating engines as it is effective than input filtering.

-
- -
-

Output Contexts

-

With the output filtering strategy in the design, it is still not easy to stop the XSS, as the developers need to understand the output contexts of the web applications and the execution order of the contexts in the web browsers. Taking a HTML5 web application as an example, there are at least 4 superset classifications of output contexts, including HTML, CSS, JavaScript and URI, and each output context can be further broken down to finer granularity for classification. Based on our study, we have at least 25 output contexts if we just consider HTML and URI together, it means that we need at least 25 different types of filtering rules in practice.

- -

Besides the number of combinations of different output contexts, the filtering order is also critical to the filtering mechanism. The filtering order must be the same as the execution order of the contexts being invoked by the web browser and with the blacklist filter at the end of the filtering rules. When the developer puts the untrusted user input at the “href” attribute value of the anchor tag, the correct order is to apply the URI validation before the HTML attribute value filtering and with the HTTP protocol blacklist filter at the end to make it secure.

-
- -
-

XSS Filters

-

XSS-Filters is the context-aware output filters for web applications. The design principle is to apply the filtering rules based on the output contexts in order to achieve the goal of “Just sufficient filtering”. This design principle is to address over-filtering and insufficient filtering through context awareness in the output, in order to provide a developer friendly and secure solution to web applications.

- -

In our solution, we provide a set of self-explanatory API(s) by chaining up the context-aware filters based on the most common developer use cases without the pain of understanding the browser execution context order and what contexts being invoked. If you want to apply our filters, you can check out this tutorial on how to apply the context-aware filters manually or our advanced automation solution provided.

-
-
- -
- - - - - - Back to top - -
- -
-
-
- -
-
-

Back

-
- -
-
- - - - - - - - - - - - - - - 
diff --git a/www/images/security_sprite.png b/www/images/security_sprite.png deleted file mode 100644 index 271cd7690ee5d32a4a12a83bfb58eb78ff524302..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5210 zcmbVQc|4Tu*S8fR2HBG_#+GF)F?a}B=dm^oh7dC*%QQq+5kf))ut~1dZ z6CC0YNy40nbU~mav1pS(ki}7;8P$|SfWuG%fK=QWJlT|L4*G-Flr!F4hJb*7h)}TR zpg)a5I=ca_2_y{AP{&Xkt*dtg2sP2sGt@g`tfvLk*VQwC=o&!u47Bz1O?6F7^$dZ3 zH4sM|De$x@+{W%NU7VRYD40SannEDq;o&;r208>%5Jb zx&;#`1adHe2(-2asyhduL-4zEjXwa+&ZaOtnG%3UV_-JsAP$92NJyZmo}Dh###Yxr z-xzA7r)O(mtY@riYh!#&-xg|QV+7Uz8*4*ApTlABl)tfo|G^&lSL|*q;D{W}HW*S! z7$(q;M8E<6*t2QKzuThsuY7-D1OMF?{eQ(mIL1JBPxgPE^xsRI@Yx;y6SthnKar2Y zbHbg(iR(+u+wojnfLAaZD+G1uo9{jfqF=U|rNzqR+Lz2TpE?AmdsJv5=Da&-6$rY= z98a9L&+n4;9&Zj8R|Ky%^ux8hMN1m0-}$}?6{`?D{9+<;C|SJ|9C*`7e>?U|RMO4v zn^5*ECT!Gchh6Xs9KN(P+Qj}f-|{h>oeR!^sQ`XlhDY%6DCJuws{l~@_>O5^1ULfQ z#RV=QIg7=mpl>T(*1zL_%Zn*+?Q?+J_SuolSns|3*!JM{>}VHp(1s$*3oLIVdC^{$ zWebkVHnU$^D4D!Os0B%lD`lHI=)5`lIp@@M+Bs%^puNCn8723g?WXKZ8-d_BW04Bpmm#FB^Fp+^F zXqH(P|NFvA>c|d}itl?>GBb{RcS_D&QIX}^^C;)tvlq}vV^`H`l&h-AjX>!4WmWO+ zY{d8>t!Rgu%t@>4jzdM=g?3S;<-ST!%UcR2z0~R1laWaIM}r@#N!_q}cTK{;BLwYA zX#U-2Q|H2zu8XK7>fPvF36{Jr6P~$}nEmh)&39tKf|od!gyx#((^oYlEs=ffmh@RI z4m-}-&*R*pvYa|ssla|^<|lHq)e zD&s)f!-|**I%qc$iS$r&T>!C&bu9tm4tfIyjYut_6aKWsVslxmks#R}wsAb7R>7hE zw?oYtZ_NQ^EUM+I7cwENtyQHD$+W&bcTBl9F0eP zNX>Z56zGDkM|~Uimf?SxZ{VL-Wu@2&G;x&f!riVn5%wPUY#euNKPmN)zp=m#*T6hS zz5kUcSR<-nZ@CZu`b@j-Wm&rt39G!*4Da-oU+IC(c63?bP>JwaA&G5|u)Wp69zZ5w zpgqLx%G;r7jMZTS4SBTi=uHE#z;^vww$t7Ytil|(nVV1$Cb{0&Nd8`ZX?D2_S&RS1 zoy8~xp9GA%D>)(-*LfeibP@R-Se~#g#)Gt4j8=cr(Y7&Wd#a-5RSekREfo;coKv?Z zEUJ_&@#Vs#lyRlG#w*78%ivFjP_JCipWMo>YL0oY&hjh8zl(n|tk4t1(}&S?X@rx} zEtYb(_9@tzD)cVhek41cj#Umf^|^6Oc(qB3)qU~jIqxksJ7H{pMrHp{z4r??{|?`J z@OWqi;WSCSzZ~zETrW)HG1qzgQnmI5{i73qa^IKCiJ}MfCVQj2HA95?8ugVz+7Y;; z07nb8rdi(fyMgW^skc(ZFZd~sydXA4VR0fW77JO(qBfG33_W7M0W2kW^OwG2JA9#w zATK&;S#h2_^pw<2;typU4;}6vkTLnMV62V!}SfWK6b!2=qzS+D7S%sH{PeszI=($Am#E^^4<@WjPcvtznw6 
z{xA$UFo$=!(G6bt?8Z!p7dx^2>^bnB<-V`Fe2aN|%!kJxBuChNf0@?tB5V_c=VMo> z>vz`mj;$jV$%2!slm3b`2?jkeom|_hqV1@%4aRYC*-#0zm)BZ$v_v-@^Hn12AhNK$ z{?xIGu6?B?g{aGgL6=*`O1F=SC)law{&?LYezW%>bja|iM%XQ@*E??WMu*+o>lPBa zUcOBmK81~bh?7fOEgX(XIxmBR-g(}s4lVDR6qY?f0Ccxn;CS#EucVZNGk`s3=i&y> z?MRDO`8HkU1K;hy(Wr-<=nA-={w~#n3yuuu8+oFiy`Q9imUG{E9ehVx;biEddx@r& zRD5aVC@g1@nK>RCTM1u|N?%nUxgHE1`5b&x=4r^MO8{Ow%bz5(hEVm_n_6*NM%kUH zDG6AccRr=f+}LZ|>c_V8)cCXMR8yp?`KWhUpR4{H)XW2Gk!aj1LKbV5)A- zcIP`q?CA)xemREAi32{+h(Un~O`r6ghPCVRjK1I|WM@IE%*@-`IRbdk*s;*`x|mF{ zP<6!=+?s9CyUI(NKb^V){z%}9SnF|lq@P`f?BC~d2dC`ZYfI$Ww)PjORTKNFhlV=KS}{xr)cQ2 zAmY8JxI4u?R9$bDsO9-(HH0_g*3ma3AvZ50@nIQabLniJG+Gfk|MypUUOx<3VJ2pe za`u;nC%v)g$@Y}-S^+4+I`A&BcPyQ=F-yOLxwAB%ZFD> zZn>YC+HvY`g})pqf3{_O#aAphtuyxh5ZYgZyyt3wPTx?pMfmW+aOn)}ya*~`{~kL9 zR2jGTmZFyr_WCUIaZv8iO5y|9-Bhg<_W(e5dE9b$*c~wm4P@4aPTU5-N7U7f9p6h8 zoVzbPCF}RIxTWWO>Fm$Pk30*KkIqcpUJS|bojxgAzTT0Hw*s#qN}24ZCiLQRW4kfW1~u$_uO=hEHSP##FKj)(T~0V(12~{GGd=ELI&^kh zV1hLT>^ebw;5Qa&xIFtOCO81~(SuqYu0gH0$~e@@kdJ{mosb zeEskhc436q&J-W{gJhR;TmQX%j&tLk?lEqHu=}sxFJo$>sy1T%dL$AI2an;rtG%m! z`c}*BjkvCE4?11@^!@$*xbq(?V!7Y{#-HC0Q*^~n6{x-&Ub*^PKPO9Lo-EgILv^Hw z>0h}Eck@UJ)5a_}NrMgQZUOjHntRZ(64ftVC%o9H-eYT_Zw1d_Q_RP@N{MY{xlND2 zg90lCD<{YEHe$Te*I%cQ8cH+8DSOH#2fCxpg5*agDY=M2$>!Ocng;|(j3YdM<&}(o zO*VHkPyxnY87L+-@kh|xfMhGC{HkFl{r#R{eUh-FrLNp3-Lx?=$JSc z!Hngu%K1zP`PARa1d@L{o&(U7U&vPR>+cp)TZMQ|s@Q+_uh((E2_Z`#Fkw)O4v(&O zbQ>iyxpF;+mgWyLLF-5IVmkC8Kbcmv=9Ve&mHDQF>qf^AAL|$Des-&NP9$7rj;2H3 zPd^c$eirnbeHEp#7_%3qo&R~y6()3msJ;cv`)Fj%jLCrVpS%lidiiw>_Iz^kyc88e z9hDg8^T}a#JB|&5I}Zz^7R3o5nz1?VIlhQ;tqZJeVOt2K}^dPCeU9`ihVac zn0s}#i@rP`8+SoGjd%XoP|-#9D&=@YbxOzl^bekI?6Ze_N{i)_J7hhT?3$x{m2JO2 zQyDnBXJi`98G)sGrxiS&oH){D99E#sJH>)ezLH`Ln=S5CMr!G2TFsKSgH%~?VgwA9 za;>}=pm{)0CG|O~K4mlBy4+OmYlnYD17x*i=MwRq{*p|lP|=ET<8_on+z*pt_SPh$KU zw0LB?3@7tU_j-WnL`KnmQCnUt - - - - - - Safe JavaScript Templating - - - - - - - - - - - - - - - - - - - - - - -
-

-

-
- - - -
- -
-
-

Safe JavaScript Templating

-

Our novel approach to defend JavaScript Templating solutions against Cross-site Scripting (XSS).

-
-
- -
-
-

Try our demo!

-
- -
 
- -
-

Filtering is HARD!

-

Cross Site Scripting (a.k.a. XSS) has long been ranked among Top 3 in the OWASP Top 10 for more than a decade. Web applications taking untrusted user inputs, keeping them intact without proper validations, and sending them back as part of the HTML are vulnerable to XSS. Nevertheless, why is XSS still being ranked among consistently high in OWASP Top 10? more...

-
- -
-

Existing JavaScript (JS) Templating is UNSAFE!

-

JS Templating refers to the data binding method implemented with the JavaScript language. In general, a placeholder such as {{key}} is used to bind values of the given key from data files, often JSON objects. To name a few, popular JS templating libraries include AngularJS, Dust.js, Handlebars.js, and Mustache.js.

- -

Intended to defend aganist Cross-Site Scripting (XSS), the JS Templating libraries are defaulted to apply automatic HTML escaping on the untrusted binding outputs. However, it is known to be still VULNERABLE to XSS! more...

-
- -
-

Context Parser & Safe JavaScript Templating

-

We propose a novel approach to defend JavaScript Templating libraries against XSS by our - HTML5 compilant context parser and filters.

-
- -
-
- - - - - - - - - - - - - - - - diff --git a/www/javascripts/bootstrap.min.js b/www/javascripts/bootstrap.min.js deleted file mode 100644 index 7c1561a..0000000 --- a/www/javascripts/bootstrap.min.js +++ /dev/null 
@@ -1,6 +0,0 @@ -/*! - * Bootstrap v3.2.0 (http://getbootstrap.com) - * Copyright 2011-2014 Twitter, Inc. - * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) - */ -if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){return a(b.target).is(this)?b.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"==typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.2.0",d.prototype.close=function(b){function c(){f.detach().trigger("closed.bs.alert").remove()}var d=a(this),e=d.attr("data-target");e||(e=d.attr("href"),e=e&&e.replace(/.*(?=#[^\s]*$)/,""));var f=a(e);b&&b.preventDefault(),f.length||(f=d.hasClass("alert")?d:d.parent()),f.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(f.removeClass("in"),a.support.transition&&f.hasClass("fade")?f.one("bsTransitionEnd",c).emulateTransitionEnd(150):c())};var e=a.fn.alert;a.fn.alert=b,a.fn.alert.Constructor=d,a.fn.alert.noConflict=function(){return a.fn.alert=e,this},a(document).on("click.bs.alert.data-api",c,d.prototype.close)}(jQuery),+function(a){"use strict";function b(b){return 
this.each(function(){var d=a(this),e=d.data("bs.button"),f="object"==typeof b&&b;e||d.data("bs.button",e=new c(this,f)),"toggle"==b?e.toggle():b&&e.setState(b)})}var c=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.isLoading=!1};c.VERSION="3.2.0",c.DEFAULTS={loadingText:"loading..."},c.prototype.setState=function(b){var c="disabled",d=this.$element,e=d.is("input")?"val":"html",f=d.data();b+="Text",null==f.resetText&&d.data("resetText",d[e]()),d[e](null==f[b]?this.options[b]:f[b]),setTimeout(a.proxy(function(){"loadingText"==b?(this.isLoading=!0,d.addClass(c).attr(c,c)):this.isLoading&&(this.isLoading=!1,d.removeClass(c).removeAttr(c))},this),0)},c.prototype.toggle=function(){var a=!0,b=this.$element.closest('[data-toggle="buttons"]');if(b.length){var c=this.$element.find("input");"radio"==c.prop("type")&&(c.prop("checked")&&this.$element.hasClass("active")?a=!1:b.find(".active").removeClass("active")),a&&c.prop("checked",!this.$element.hasClass("active")).trigger("change")}a&&this.$element.toggleClass("active")};var d=a.fn.button;a.fn.button=b,a.fn.button.Constructor=c,a.fn.button.noConflict=function(){return a.fn.button=d,this},a(document).on("click.bs.button.data-api",'[data-toggle^="button"]',function(c){var d=a(c.target);d.hasClass("btn")||(d=d.closest(".btn")),b.call(d,"toggle"),c.preventDefault()})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.carousel"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeof b&&b),g="string"==typeof b?b:f.slide;e||d.data("bs.carousel",e=new c(this,f)),"number"==typeof b?e.to(b):g?e[g]():f.interval&&e.pause().cycle()})}var 
c=function(b,c){this.$element=a(b).on("keydown.bs.carousel",a.proxy(this.keydown,this)),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=this.sliding=this.interval=this.$active=this.$items=null,"hover"==this.options.pause&&this.$element.on("mouseenter.bs.carousel",a.proxy(this.pause,this)).on("mouseleave.bs.carousel",a.proxy(this.cycle,this))};c.VERSION="3.2.0",c.DEFAULTS={interval:5e3,pause:"hover",wrap:!0},c.prototype.keydown=function(a){switch(a.which){case 37:this.prev();break;case 39:this.next();break;default:return}a.preventDefault()},c.prototype.cycle=function(b){return b||(this.paused=!1),this.interval&&clearInterval(this.interval),this.options.interval&&!this.paused&&(this.interval=setInterval(a.proxy(this.next,this),this.options.interval)),this},c.prototype.getItemIndex=function(a){return this.$items=a.parent().children(".item"),this.$items.index(a||this.$active)},c.prototype.to=function(b){var c=this,d=this.getItemIndex(this.$active=this.$element.find(".item.active"));return b>this.$items.length-1||0>b?void 0:this.sliding?this.$element.one("slid.bs.carousel",function(){c.to(b)}):d==b?this.pause().cycle():this.slide(b>d?"next":"prev",a(this.$items[b]))},c.prototype.pause=function(b){return b||(this.paused=!0),this.$element.find(".next, .prev").length&&a.support.transition&&(this.$element.trigger(a.support.transition.end),this.cycle(!0)),this.interval=clearInterval(this.interval),this},c.prototype.next=function(){return this.sliding?void 0:this.slide("next")},c.prototype.prev=function(){return this.sliding?void 0:this.slide("prev")},c.prototype.slide=function(b,c){var d=this.$element.find(".item.active"),e=c||d[b](),f=this.interval,g="next"==b?"left":"right",h="next"==b?"first":"last",i=this;if(!e.length){if(!this.options.wrap)return;e=this.$element.find(".item")[h]()}if(e.hasClass("active"))return this.sliding=!1;var 
j=e[0],k=a.Event("slide.bs.carousel",{relatedTarget:j,direction:g});if(this.$element.trigger(k),!k.isDefaultPrevented()){if(this.sliding=!0,f&&this.pause(),this.$indicators.length){this.$indicators.find(".active").removeClass("active");var l=a(this.$indicators.children()[this.getItemIndex(e)]);l&&l.addClass("active")}var m=a.Event("slid.bs.carousel",{relatedTarget:j,direction:g});return a.support.transition&&this.$element.hasClass("slide")?(e.addClass(b),e[0].offsetWidth,d.addClass(g),e.addClass(g),d.one("bsTransitionEnd",function(){e.removeClass([b,g].join(" ")).addClass("active"),d.removeClass(["active",g].join(" ")),i.sliding=!1,setTimeout(function(){i.$element.trigger(m)},0)}).emulateTransitionEnd(1e3*d.css("transition-duration").slice(0,-1))):(d.removeClass("active"),e.addClass("active"),this.sliding=!1,this.$element.trigger(m)),f&&this.cycle(),this}};var d=a.fn.carousel;a.fn.carousel=b,a.fn.carousel.Constructor=c,a.fn.carousel.noConflict=function(){return a.fn.carousel=d,this},a(document).on("click.bs.carousel.data-api","[data-slide], [data-slide-to]",function(c){var d,e=a(this),f=a(e.attr("data-target")||(d=e.attr("href"))&&d.replace(/.*(?=#[^\s]+$)/,""));if(f.hasClass("carousel")){var g=a.extend({},f.data(),e.data()),h=e.attr("data-slide-to");h&&(g.interval=!1),b.call(f,g),h&&f.data("bs.carousel").to(h),c.preventDefault()}}),a(window).on("load",function(){a('[data-ride="carousel"]').each(function(){var c=a(this);b.call(c,c.data())})})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.collapse"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeof b&&b);!e&&f.toggle&&"show"==b&&(b=!b),e||d.data("bs.collapse",e=new c(this,f)),"string"==typeof b&&e[b]()})}var 
c=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.transitioning=null,this.options.parent&&(this.$parent=a(this.options.parent)),this.options.toggle&&this.toggle()};c.VERSION="3.2.0",c.DEFAULTS={toggle:!0},c.prototype.dimension=function(){var a=this.$element.hasClass("width");return a?"width":"height"},c.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var c=a.Event("show.bs.collapse");if(this.$element.trigger(c),!c.isDefaultPrevented()){var d=this.$parent&&this.$parent.find("> .panel > .in");if(d&&d.length){var e=d.data("bs.collapse");if(e&&e.transitioning)return;b.call(d,"hide"),e||d.data("bs.collapse",null)}var f=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[f](0),this.transitioning=1;var g=function(){this.$element.removeClass("collapsing").addClass("collapse in")[f](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse")};if(!a.support.transition)return g.call(this);var h=a.camelCase(["scroll",f].join("-"));this.$element.one("bsTransitionEnd",a.proxy(g,this)).emulateTransitionEnd(350)[f](this.$element[0][h])}}},c.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var b=a.Event("hide.bs.collapse");if(this.$element.trigger(b),!b.isDefaultPrevented()){var c=this.dimension();this.$element[c](this.$element[c]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse").removeClass("in"),this.transitioning=1;var d=function(){this.transitioning=0,this.$element.trigger("hidden.bs.collapse").removeClass("collapsing").addClass("collapse")};return a.support.transition?void this.$element[c](0).one("bsTransitionEnd",a.proxy(d,this)).emulateTransitionEnd(350):d.call(this)}}},c.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]()};var d=a.fn.collapse;a.fn.collapse=b,a.fn.collapse.Constructor=c,a.fn.collapse.noConflict=function(){return 
a.fn.collapse=d,this},a(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(c){var d,e=a(this),f=e.attr("data-target")||c.preventDefault()||(d=e.attr("href"))&&d.replace(/.*(?=#[^\s]+$)/,""),g=a(f),h=g.data("bs.collapse"),i=h?"toggle":e.data(),j=e.attr("data-parent"),k=j&&a(j);h&&h.transitioning||(k&&k.find('[data-toggle="collapse"][data-parent="'+j+'"]').not(e).addClass("collapsed"),e[g.hasClass("in")?"addClass":"removeClass"]("collapsed")),b.call(g,i)})}(jQuery),+function(a){"use strict";function b(b){b&&3===b.which||(a(e).remove(),a(f).each(function(){var d=c(a(this)),e={relatedTarget:this};d.hasClass("open")&&(d.trigger(b=a.Event("hide.bs.dropdown",e)),b.isDefaultPrevented()||d.removeClass("open").trigger("hidden.bs.dropdown",e))}))}function c(b){var c=b.attr("data-target");c||(c=b.attr("href"),c=c&&/#[A-Za-z]/.test(c)&&c.replace(/.*(?=#[^\s]*$)/,""));var d=c&&a(c);return d&&d.length?d:b.parent()}function d(b){return this.each(function(){var c=a(this),d=c.data("bs.dropdown");d||c.data("bs.dropdown",d=new g(this)),"string"==typeof b&&d[b].call(c)})}var e=".dropdown-backdrop",f='[data-toggle="dropdown"]',g=function(b){a(b).on("click.bs.dropdown",this.toggle)};g.VERSION="3.2.0",g.prototype.toggle=function(d){var e=a(this);if(!e.is(".disabled, :disabled")){var f=c(e),g=f.hasClass("open");if(b(),!g){"ontouchstart"in document.documentElement&&!f.closest(".navbar-nav").length&&a('