@steve02081504/virtual-console 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +24 -0
- package/package.json +1 -1
- package/util.mjs +1 -1
package/README.md
CHANGED
|
@@ -157,6 +157,30 @@ Hooks the virtual console into the current execution context.
|
|
|
157
157
|
- **Scope Limitation:** `hookAsyncContext(fn)` works for the duration of the function execution. However, strict "async" context propagation (like passing context into a `setTimeout` callback) is mimicked but may not be as robust as Node.js's native hooks.
|
|
158
158
|
- `freshLine` cannot erase previous lines in the real browser console limitations, so it appends logs instead.
|
|
159
159
|
|
|
160
|
+
## Security Considerations
|
|
161
|
+
|
|
162
|
+
### HTML Injection Protection
|
|
163
|
+
|
|
164
|
+
`VirtualConsole` is designed to be safe for rendering console output in an HTML context. All console arguments, including those used with `%s`, `%o`, and other format specifiers, are automatically sanitized to prevent Cross-Site Scripting (XSS) attacks.
|
|
165
|
+
|
|
166
|
+
Specifically:
|
|
167
|
+
|
|
168
|
+
- **Argument Sanitization:** All string-based inputs are escaped. For example, `<script>alert(1)</script>` becomes `<script>alert(1)</script>`. This is handled by the underlying `ansi_up` library.
|
|
169
|
+
- **CSS Style (`%c`) Sanitization:** When using the `%c` specifier for styling, the provided CSS string is sanitized to prevent it from breaking out of the `style` attribute. Potentially malicious characters like `<`, `>`, and `"` are escaped, ensuring that HTML cannot be injected.
|
|
170
|
+
|
|
171
|
+
Example of protection:
|
|
172
|
+
|
|
173
|
+
```javascript
|
|
174
|
+
// Malicious input
|
|
175
|
+
console.log('%cAttempting injection', '"><script>alert("pwned")</script><span style="');
|
|
176
|
+
|
|
177
|
+
// Sanitized HTML Output
|
|
178
|
+
// The malicious string is safely contained within the style attribute.
|
|
179
|
+
// <span style=""><script>alert("pwned")</script><span style="">Attempting injection</span>
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
This ensures that you can safely display logs in a web UI without creating security vulnerabilities.
|
|
183
|
+
|
|
160
184
|
## Integration for Library Authors
|
|
161
185
|
|
|
162
186
|
If you are building a library that manages its own async contexts, you can synchronize with `VirtualConsole` using:
|
package/package.json
CHANGED
package/util.mjs
CHANGED
|
@@ -34,7 +34,7 @@ export function argsToHtml(args) {
|
|
|
34
34
|
switch (match) {
|
|
35
35
|
case '%c': {
|
|
36
36
|
hasStyle = true
|
|
37
|
-
const style = String(arg)
|
|
37
|
+
const style = String(arg).replaceAll('"', '"').replaceAll('<', '<').replaceAll('>', '>')
|
|
38
38
|
return `</span><span style="${style}">`
|
|
39
39
|
}
|
|
40
40
|
case '%s':
|