This repository was archived by the owner on Apr 6, 2021. It is now read-only.

Commit 69cfbe0

Add comments about deprecation.
1 parent 28b2767 commit 69cfbe0

1 file changed

+25
-6
lines changed

README.md

Lines changed: 25 additions & 6 deletions
@@ -1,25 +1,44 @@
1-
# OWASP Enterprise Security API (ESAPI)
1+
# DEPRECATED - OWASP Enterprise Security API for JavaScript (ESAPI-JS)
22

3-
[![Build Status](https://travis-ci.org/ESAPI/owasp-esapi-js.svg?branch=master)](https://travis-ci.org/ESAPI/owasp-esapi-js)
3+
[![No Maintenance Intended](http://unmaintained.tech/badge.svg)](http://unmaintained.tech/)
44

55
This file is part of the Open Web Application Security Project (OWASP)
66
Enterprise Security API (ESAPI) project. For details, please see
7-
http://www.owasp.org/index.php/ESAPI.
7+
[https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/).
88

99
Copyright (c) 2008 - The OWASP Foundation
1010

1111
The ESAPI is published by OWASP under the BSD license. You should read and accept the
1212
LICENSE before you use, modify, and/or redistribute this software.
1313

14-
ESAPI
1514

16-
## Installation
15+
## WARNING: This project is deprecated and unmaintainted. Use at your own risk.
16+
This project is no longer supported. It is known to be potentially affected by a
17+
vulnerability in 'bower' (specifically, CVE-2019-5484). This vulnerability could
18+
be addressed by upgrading ESAPI-JS to use bower 1.8.8 or later, however this has
19+
been tried and resulted in deployment problems when using NPM. See the ensuing
20+
discussion for [PR#29](https://github.com/ESAPI/owasp-esapi-js/pull/29) for
21+
details.
22+
23+
### Potential Alternatives to ESAPI-JS (aka, ESAPI4JS)
24+
* [node-esapi](https://github.com/ESAPI/node-esapi/) - a minimal port of ESAPI-JS' output encoder
25+
that does not depend on bower and as of this writing (2021-03-30), has no
26+
known vulnerabilities. It does not include the validator or other portions of ESAPI-JS.
27+
* [DOMPurify](https://github.com/cure53/DOMPurify/) - a DOM-only, XSS sanitizer for HTML, MathML, and SVG.
28+
* Lots of additional alternatives if your project is not pure JavaScript.
29+
30+
### Looking for Maintainers
31+
If you would like to support project, please contact one or both of the ESAPI project
32+
leaders listed on the [OWASP ESAPI wiki page](https://owasp.org/www-project-enterprise-security-api/).
33+
They can unarchive it for you.
34+
35+
## Installation Instructions
1736

1837
```
1938
$ npm install --save-dev ESAPI-JS
2039
```
2140

22-
Installation:
41+
### Installation:
2342
1. Download the distribution zip from http://owasp-esapi-js.googlecode.com
2443
2. Unzip the distribution zip
2544
3. Create a directory on your server, under the web root called esapi4js
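
Review bot: the install steps under the renamed "Installation Instructions" heading (new lines 35-44) carry no caveat, so a reader who lands there still sees `npm install --save-dev ESAPI-JS` and a plain-http download from http://owasp-esapi-js.googlecode.com, even though the warning added at new lines 15-21 says the project is unsupported and potentially affected by CVE-2019-5484. Either drop those steps or open the section with one sentence that points back to the warning and to the "Potential Alternatives" list, so the deprecation notice is not bypassed by anyone who jumps straight to the install section. Smaller points in the added lines: "unmaintainted" in the new warning heading should be "unmaintained", "support project" should read "support this project", and the new badge uses http:// for both the image and the link while the OWASP link in the same hunk was moved to https://.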
