HEX
Server: Apache/2.4.41 (Ubuntu)
System: Linux ip-172-31-42-149 5.15.0-1084-aws #91~20.04.1-Ubuntu SMP Fri May 2 07:00:04 UTC 2025 aarch64
User: ubuntu (1000)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /var/www/vhost/disk-apps/pwa.sports-crowd.com/node_modules/safevalues/
Upload Files
File: /var/www/vhost/disk-apps/pwa.sports-crowd.com/node_modules/safevalues/README.md
# safevalues

WARNING: This library is still in development and we might make
backward-incompatible changes at any moment.

Safevalues is a library to help you prevent Cross-Site Scripting vulnerabilities
in TypeScript (and JavaScript). It is meant to be used together with
[tsec](https://github.com/googleinterns/tsec) to provide strong security
guarantees and help you deploy
[Trusted Types](https://w3c.github.io/webappsec-trusted-types/dist/spec/) and
other CSP restrictions in your applications. Google has used these components
together to reduce DOM XSS ([paper](https://research.google/pubs/pub49950/)),
and we hope it will be useful in your codebase.

## Features

### Policy definition for building safe-by-construction Trusted Types

Trusted Types is a browser API that enables developers to control the values
that can be assigned to XSS sinks. Developers need to define a Trusted Type
policy to build these values, and then the Trusted Type API constrains these
policies.

The Trusted Types API is not opinionated on what *should be* considered safe. It
only acts as a tool for developers to mark values they can *trust*.

`safevalues` in contrast, defines functions that make security decisions on what
is safe (by construction, via escaping or sanitization), so that developers who
are not security experts don't need to.

`safevalues` produces Trusted Types (through its own policy) when available.

### Additional types and functions for sinks not covered by Trusted Types

Some DOM APIs are not covered by Trusted Types, but can also be abused; leading
to XSS or other security issues. Alternative security mechanisms such as the
`unsafe-inline` CSP protection can help to secure these APIs, but not all
browsers or apps support them.

`safevalues` defines additional types, builders, and setters to help protect
these sinks.

### DOM sink wrappers

To build a Trusted Type-compatible app and surface potential violations at
compile time, we recommend that you compile your code with
[tsec](https://github.com/googleinterns/tsec). tsec bans certain DOM APIs.
`safevalues` defines wrappers around these APIs which lets you assign Trusted
Types with them.

Some wrappers don't require a particular type, but sanitize the argument they
get before they assign it to the DOM sink (e.g. `safeLocation.setHref`).

### Trusted Type polyfills

Whenever possible, `safevalues` uses Trusted Types to build its values, in order
to benefit from the runtime protection of Trusted Types. When Trusted Types is
not available, `safevalues` transparently defines its own types and your app
will continue to work.

--------------------------------------------------------------------------------

[Read on](https://github.com/google/safevalues/tree/main/src) about for more
information on our APIs.

## Disclaimer

**This is not an officially supported Google product.**
@ Telegram