Merge pull request #15 from chrisisbeef/0.1.1-preparation

0.1.1 preparation

.gitignore

@@ -0,0 +1,4 @@
+/node_modules/
+/.idea/
+*.iml
+*.ipr

.jshintrc

@@ -0,0 +1,14 @@
+{
+  "curly": true,
+  "eqeqeq": true,
+  "immed": true,
+  "latedef": true,
+  "newcap": true,
+  "noarg": true,
+  "sub": true,
+  "undef": true,
+  "unused": true,
+  "boss": true,
+  "eqnull": true,
+  "node": true
+}

CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing
+
+## Important notes
+Please don't edit files in the `dist` subdirectory as they are generated via Grunt. You'll find source code in the `src` subdirectory!
+
+### Code style
+Regarding code style like indentation and whitespace, **follow the conventions you see used in the source already.**
+
+### PhantomJS
+While Grunt can run the included unit tests via [PhantomJS](http://phantomjs.org/), this shouldn't be considered a substitute for the real thing. Please be sure to test the `test/*.html` unit test file(s) in _actual_ browsers.
+
+## Modifying the code
+First, ensure that you have the latest [Node.js](http://nodejs.org/) and [npm](http://npmjs.org/) installed.
+
+Test that Grunt's CLI is installed by running `grunt --version`.  If the command isn't found, run `npm install -g grunt-cli`.  For more information about installing Grunt, see the [getting started guide](http://gruntjs.com/getting-started).
+
+1. Fork and clone the repo.
+1. Run `npm install` to install all dependencies (including Grunt).
+1. Run `grunt` to grunt this project.
+
+Assuming that you don't see any red, you're ready to go. Just be sure to run `grunt` after making any changes, to ensure that nothing is broken.
+
+## Submitting pull requests
+
+1. Create a new branch, please don't work in your `master` branch directly.
+1. Add failing tests for the change you want to make. Run `grunt` to see the tests fail.
+1. Fix stuff.
+1. Run `grunt` to see if the tests pass. Repeat steps 2-4 until done.
+1. Open `test/*.html` unit test file(s) in actual browser to ensure tests pass everywhere.
+1. Update the documentation to reflect any changes.
+1. Push to your fork and submit a pull request.

Gruntfile.js

@@ -0,0 +1,83 @@
+'use strict';
+
+module.exports = function(grunt) {
+
+  // Project configuration.
+  grunt.initConfig({
+    // Metadata.
+    pkg: grunt.file.readJSON('jquery-encoder.jquery.json'),
+    banner: '/*! <%= pkg.title || pkg.name %> - v<%= pkg.version %> - ' +
+      '<%= grunt.template.today("yyyy-mm-dd") %>\n' +
+      '<%= pkg.homepage ? "* " + pkg.homepage + "\\n" : "" %>' +
+      '* Copyright (c) <%= grunt.template.today("yyyy") %> <%= pkg.author.name %>;' +
+      ' Licensed <%= _.pluck(pkg.licenses, "type").join(", ") %> */\n',
+    // Task configuration.
+    clean: {
+      files: ['dist']
+    },
+    concat: {
+      options: {
+        banner: '<%= banner %>',
+        stripBanners: true
+      },
+      dist: {
+        src: ['src/jquery.<%= pkg.name %>.js'],
+        dest: 'dist/jquery.<%= pkg.name %>.js'
+      },
+    },
+    uglify: {
+      options: {
+        banner: '<%= banner %>'
+      },
+      dist: {
+        src: '<%= concat.dist.dest %>',
+        dest: 'dist/jquery.<%= pkg.name %>.min.js'
+      },
+    },
+    qunit: {
+      files: ['test/**/*.html']
+    },
+    jshint: {
+      options: {
+        jshintrc: true
+      },
+      gruntfile: {
+        src: 'Gruntfile.js'
+      },
+      src: {
+        src: ['src/**/*.js']
+      },
+      test: {
+        src: ['test/**/*.js']
+      },
+    },
+    watch: {
+      gruntfile: {
+        files: '<%= jshint.gruntfile.src %>',
+        tasks: ['jshint:gruntfile']
+      },
+      src: {
+        files: '<%= jshint.src.src %>',
+        tasks: ['jshint:src', 'qunit']
+      },
+      test: {
+        files: '<%= jshint.test.src %>',
+        tasks: ['jshint:test', 'qunit']
+      },
+    },
+  });
+
+  // These plugins provide necessary tasks.
+  grunt.loadNpmTasks('grunt-contrib-clean');
+  grunt.loadNpmTasks('grunt-contrib-concat');
+  grunt.loadNpmTasks('grunt-contrib-uglify');
+  grunt.loadNpmTasks('grunt-contrib-qunit');
+  grunt.loadNpmTasks('grunt-contrib-jshint');
+  grunt.loadNpmTasks('grunt-contrib-watch');
+
+  // Default task.
+  // TODO - Removed jshint because it complains about stuff that we *have* to do for the encoding to work properly
+  grunt.registerTask('default', ['qunit', 'clean', 'concat', 'uglify']);
+  //grunt.registerTask('default', ['jshint', 'qunit', 'clean', 'concat', 'uglify']);
+
+};

LICENSE-MIT

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Chris Schmidt
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,130 @@
+# jQuery Encoder Plugin
+
+A Contextual Encoding Plugin for jQuery
+
+## Download jquery-encoder
+Download the [production version][min] or the [development version][max].
+
+[min]: https://raw.github.com/cschmidt/jquery-encoder/master/dist/jquery-encoder.min.js
+[max]: https://raw.github.com/cschmidt/jquery-encoder/master/dist/jquery-encoder.js
+
+## Install Dependencies
+
+Run `npm install` to install the plugin dependencies
+
+  * John Resig's Class.create.js 1.1.4+
+
+Or download the [Class Library][classes_lib] manually.
+
+[classes_lib]: https://raw.github.com/chrisisbeef/jquery-encoder/master/list/class.min.js
+
+## Usage
+
+Using the plugin is very simple, there are both static and instance methods to provide the right type of output encoding for your current situation. The plugin also provides a canonicalization method, which is imperative for detecting attacks that use double or multi encoding when handling data from an untrusted source. If you are dealing with data that may contain encoding, you can first canonicalize that data, then re-encode it for the appropriate context.
+
+```html
+<script type="text/javascript" src="/path/to/jquery.min.js"></script>
+<script type="text/javascript" src="/path/to/class.min.js"></script>
+<script type="text/javascript">
+    $.post( 'http://untrusted.com/webservice', { parameter1: 'value' }, function(data) {
+        // Data returned may contain encoded data, so canonicalize the data to it's simplest
+        // form prior to encoding it for use on the page.
+        var cdata = $.canonicalize(data);
+        $('#element').encode('html', cdata);
+    });
+</script>
+<div id="element"></div>
+```
+
+### Static Methods
+
+`canonicalize( String data, bool strict=true )`
+
+Canonicalization (also called normalization) is the act of reducing a string to it's simplest form. For example, if the string `%3CB%3E` is passed into the canonicalize method, the value returned will be decoded into `<b>`. The most important part of this method is that it will detect if a string is passed in that contains either multiple encoding types, or double encoding, or both. The default behavior of the method is to raise an exception if it detects one of these scenarios. As a general rule, normal application operation should never pass data that is either double encoded or encoded using multiple escaping rules. Most definately, data that is provided by a user (such as a form field) will never contain data that fits that description.
+
+```
+    try {
+        $.encoder.canonicalize(untrusted_data);
+    } catch (e) {
+        log.error(e);
+        alert('An error has occured');
+    }
+```
+
+`@encodeForCSS( String propName, String input, boolean omitPropertyName )`
+
+This method allows developers to encode data specifically to be inserted into the @style@ attribute of an element or as the value of a style attribute passed in through the jQuery `.style()` method.
+
+```
+    $.post('/service/userprefs', { user: userID }, function(data) {
+        $('#container').html('<div style="' + $.encoder.encodeForCSS('background-color', data['background-color']) + '">');
+    });
+```
+
+`@encodeForHTML( String input )`
+
+This method allows developers to encode data specifically to be inserted between two tags in a document, either through the use of the `html()` method or by accessing @innerHTML@ directly.
+
+```
+    $.post('http://untrusted.com/news/', function(data) {
+        $('#element').html( $.encoder.encodeForHTML(data) );
+    });
+```
+
+`encodeForHTMLAttribute( String attr, String input, boolean omitAttributeName=false )`
+
+This method allows developers to encode data specifically to be inserted between quotes in an HTML Attribute value.
+
+```
+    $.post('http://untrusted.com/profile', function(data) {
+        $('#element').html( '<div ' + $.encoder.encodeForHTMLAttribute('width', data.width) + '">' );
+        // <div width="90"/>
+    }
+```
+
+`encodeForJavascript( String input )`
+
+This method allows developers to encode data specifically to be inserted into a javascript event on an DOM element. This method will escape for a javascript context instead of a html attribute context.
+
+```
+    $.post('http://untrusted.com/profile', function(data) {
+        $('#element').html( '<div onmouseover="someFunction(\'' + $.encoder.encodeForJavascript(data.event) + '\)">');
+    }
+```
+
+`encodeForURL( String input, attr=null )`
+
+This method allows developers to encode data specifically to be inserted into a URL context. This is useful for encoding links with untrusted data in them. If the optional `attr` parameter is passed this function will return the full value `attr=<encoded_value`.
+
+```
+    $('#dyn_link').html('<a href="/profile?' + $.encoder.encodeForURL(userID, 'userID') + '">Link</a>');
+    // <a href="/profile?userID=123>Link</a>
+```
+
+### Instance Methods
+
+New in version 0.1.1 is the ability to call encoding directly on an element for the `.attr()`, `.html()`, and `.style()` methods. 
+
+`encode( Enum(html|css|attr) context, String input )`
+
+Sets a property of the element with the correct contextual, property-aware encoding applied. 
+
+```
+ // Sets the 'value' attribute of the element with id #my-element
+ $('#my-element').encode('attr', 'value', untrustedData)
+
+ // Add a 'background-image' to the element with id #my-element
+ $('#my-element').encode('css', 'background-image', untrustedUrl);
+```
+
+## Release History
+
+### v0.1.1 - 2015.08.19
+
+ * Updated for jQuery 1.9+ compatibility
+ * New instance method .encode
+ * Added full support for "Property-Aware Contextual OE" 
+ * Migrated to be a grunt build instead of a hacky maven build
+ * Fixed Issue #8 - Support Astral Symbols in encodeForHTMLAttribute (Thanks @stuartf and @mathiasbynens)
+
+### v0.1.0 - Initial Release