Mike Samuel mikesamuel

View GitHub Profile
@mikesamuel
mikesamuel / auto-noncing-design.md
Last active August 12, 2022 15:09
CSP Auto-noncing in Go html/template

Auto-noncing in Go html/template

Background

CSP mitigates many client-side security vulnerabilities. A policy is a whitelist of locations from which JavaScript, styles, and other content may be loaded. CSP also allows nonces and hashes, which make it easy for a policy to permit specific inline content without permitting all inline content.

@mikesamuel
mikesamuel / header-safe-defaults.md
Last active June 19, 2021 04:08
Golang header safe defaults library proposal
@mikesamuel
mikesamuel / hello_world.md
Created August 22, 2017 22:18
Hello, World!

Hello, World!

@mikesamuel
mikesamuel / api.md
Last active October 30, 2017 16:20
API for building URL classifiers

URL Classifier Builder

This is now implemented: https://github.com/OWASP/url-classifier

Problem

Matching URLs with regular expressions is hard. Even experienced programmers who are familiar with the URL spec produce code like /http:\/\/example.com/ which spuriously matches unintended URLs like

private static final boolean DEBUG_RDS = false;
static void removeDotSegmentsInPlace(StringBuilder path, int left) {
  // The code below has excerpts from the spec interspersed.
  // The "input buffer" and "output buffer" referred to in the spec
  // are both just regions of path.
  // The loop deals with the exclusive cases by continuing instead
  // of proceeding to the bottom.
  boolean isAbsolute = left < path.length() && path.charAt(left) == '/';
  // RFC 3986 Section 5.2.4
@mikesamuel
mikesamuel / index.html
Created October 20, 2017 17:56
sanitizeHtml testbed
<html>
  <title>sanitize-html testbed</title>
  <script>
    // Inlined the result of
    // $ npm install sanitize-html
    // $ browserify --bare node_modules/sanitize-html/index.js
    // and added window.sanitizeHtml = sanitizeHtml;
    (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){
    var htmlparser = require('htmlparser2');
@mikesamuel
mikesamuel / frenemies.md
Last active February 28, 2018 16:29
Frenemies: Mutual suspicion in Node.js
@mikesamuel
mikesamuel / hashable-json.js
Last active February 21, 2019 05:43
A canonicalizing function to make it easy to hash JSON
"use strict";
// Prompted by https://esdiscuss.org/topic/json-canonicalize
// Given a string of JSON, produces a string of JSON without unnecessary
// degrees of freedom like whitespace, optional escape sequences, and
// unnecessary variance in number representation.
function hashable(json) {
  const strs = []; // Side table to collect string bodies
  return reorderProperties(
@mikesamuel
mikesamuel / no-proto-json-parse.js
Created June 5, 2018 06:46
JSON.parse that filters out __proto__
JSON.parse = (() => {
  const undef = void 0;
  const jsonParse = JSON.parse;
  function noProtoReviver (key, value) {
    if (key === '__proto__') {
      console.warn('Removed __proto__ from parsed JSON');
      return undef; // Remove property entirely
    }
    return value;
  }