{"id":14735,"library":"node-esapi","title":"OWASP ESAPI Encoder for Node.js","description":"node-esapi is a minimal port of the OWASP Enterprise Security API for JavaScript (ESAPI4JS) encoder, adapted for use in Node.js environments. Published as version 0.0.1, it primarily offers functions for various output encoding contexts such as HTML, CSS, JavaScript, URL, HTML attributes, and Base64, aiming to mitigate Cross-Site Scripting (XSS) and other injection vulnerabilities. The package appears to have been developed around 2014, given its copyright, and has not seen subsequent releases or updates, indicating it is no longer actively maintained. While ESAPI was historically a key project for security, current best practices often recommend highly contextual encoding provided by templating engines or dedicated, well-maintained security libraries tailored to specific frameworks, rather than a generic, standalone encoder like this unmaintained port. Its core differentiator was being an OWASP-backed security utility, but its current state makes it unsuitable for modern applications.","status":"abandoned","version":"0.0.1","language":"javascript","source_language":"en","source_url":"git@github.com:DeadAlready/node-esapi","tags":["javascript","html","xss","encoding"],"install":[{"cmd":"npm install node-esapi","lang":"bash","label":"npm"},{"cmd":"yarn add node-esapi","lang":"bash","label":"yarn"},{"cmd":"pnpm add node-esapi","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Required only if utilizing the optional `ESAPI.middleware()` function to serve client-side ESAPI scripts.","package":"express","optional":true}],"imports":[{"note":"This package is CommonJS-only and does not support ES Modules syntax like `import`.","wrong":"import ESAPI from 'node-esapi';","symbol":"ESAPI","correct":"const ESAPI = require('node-esapi');"},{"note":"The `encoder()` function is a method on the main ESAPI object, not a direct export.","wrong":"const encoder = require('node-esapi').encoder();","symbol":"encoder","correct":"const encoder = ESAPI.encoder();"},{"note":"The middleware function is designed for Express.js and is a method of the main ESAPI object.","wrong":"app.use(require('node-esapi').middleware());","symbol":"middleware","correct":"app.use(ESAPI.middleware());"}],"quickstart":{"code":"const ESAPI = require('node-esapi');\n\n// Get an encoder instance\nconst encoder = ESAPI.encoder();\n\n// Example of HTML encoding\nconst userInput = '<script>alert(\"XSS!\")</script>';\nconst encodedHTML = encoder.encodeForHTML(userInput);\nconsole.log('Encoded for HTML:', encodedHTML);\n\n// Example of JavaScript encoding\nconst jsInput = \"hello' + world\";\nconst encodedJS = encoder.encodeForJS(jsInput);\nconsole.log('Encoded for JavaScript:', encodedJS);\n\n// Example of URL encoding\nconst urlInput = 'http://example.com?param=value with spaces';\nconst encodedURL = encoder.encodeForURL(urlInput);\nconsole.log('Encoded for URL:', encodedURL);","lang":"javascript","description":"Demonstrates basic usage of the ESAPI encoder to mitigate common injection vulnerabilities by encoding input for different contexts like HTML, JavaScript, and URLs."},"warnings":[{"fix":"Avoid using this package for production systems. Consider actively maintained security libraries or framework-provided encoding utilities.","message":"This package is at version 0.0.1 and has not been updated since approximately 2014. It is not considered stable or production-ready, and its APIs are subject to change without notice if development were to resume.","severity":"breaking","affected_versions":">=0.0.1"},{"fix":"Modern web security relies on contextual encoding specific to the output destination (e.g., using safe templating engines or framework-provided sanitization). Do not use this package for new development.","message":"The OWASP ESAPI project, while historically significant, has evolved. This `node-esapi` port is based on an older version of ESAPI4JS and is no longer maintained. Relying on an unmaintained security library can introduce vulnerabilities rather than prevent them.","severity":"gotcha","affected_versions":">=0.0.1"},{"fix":"Use `const ESAPI = require('node-esapi');` for all imports.","message":"This package is CommonJS-only (`require`). Attempting to import it using ES Modules syntax (`import ESAPI from 'node-esapi'`) will result in a runtime error because it does not provide an `exports` field or an ES Module entry point.","severity":"gotcha","affected_versions":">=0.0.1"},{"fix":"If using the middleware, ensure its endpoint (`/esapi/*`) is properly secured, rate-limited, and its use case carefully evaluated. Consider if serving static files directly is more appropriate or if these client-side scripts are even necessary.","message":"The middleware function `ESAPI.middleware()` is designed for Express.js and serves client-side ESAPI scripts. If not explicitly protected, exposing client-side security scripts via a simple middleware could introduce information disclosure risks or be misused in certain contexts.","severity":"gotcha","affected_versions":">=0.0.1"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Ensure `const ESAPI = require('node-esapi');` is at the top of your file. If using ES Modules, consider using a CommonJS-to-ESM wrapper or finding an alternative, actively maintained library.","cause":"Attempting to use the `ESAPI` object before it has been properly `require`d or attempting to use it in an ES Module context without conversion.","error":"ReferenceError: ESAPI is not defined"},{"fix":"Correct usage is `const encoder = ESAPI.encoder();` then use `encoder.encodeForHTML(...)`.","cause":"The `ESAPI` object itself is not callable as a function. The `encoder()` method must be called on the main `ESAPI` object to get an encoder instance.","error":"TypeError: ESAPI.encoder is not a function"}],"ecosystem":"npm"}