sanitizeHref()
URL allow-list (http/https/mailto/tel). Blocks javascript: and data:
URI XSS at the prop boundary.
tekivex-ui ships with a security kernel — SecurityCore — that runs on
every component prop where untrusted data could leak. It’s not a plugin or
an opt-in middleware. It’s the default.
sanitizeHref()
URL allow-list (http/https/mailto/tel). Blocks javascript: and data:
URI XSS at the prop boundary.
sanitizeUnicode()
Strips homoglyph + bidi-override attacks (CVE-2021-42574). Cyrillic ‘а’ masquerading as Latin ‘a’ gets caught.
scrubPII()
Redacts emails, phone numbers, SSNs, credit cards before they hit your logs or analytics.
createRateLimiter()
Token-bucket implementation for client-side abuse prevention.
Trusted Types installer
One-line CSP hardening for the highest browser-level XSS protection.
Zero runtime deps
SecurityCore has no production dependencies. Smaller supply-chain surface, no transitive CVE exposure.
Every primitive is exported from tekivex-ui:
import { sanitizeHref, sanitizeUnicode, scrubPII, createRateLimiter, installTrustedTypes, installFrameBuster,} from 'tekivex-ui';
// Sanitise a user-supplied URL before rendering it<a href={sanitizeHref(userUrl)}>{label}</a>
// Strip log lines of identifying infoconsole.log(scrubPII(`User ${email} from ${ipAddress} signed in.`));// ^- rendered as: User [redacted-email] from … signed in.
// Rate-limit a button to 5 clicks per secondconst limiter = createRateLimiter({ tokens: 5, refillPerSecond: 5 });function handleSubmit() { if (!limiter.tryAcquire()) return; // …}The same kernel ships as tekivex-security-core — framework-agnostic,
usable in Node services, Deno edge functions, anywhere JS runs.
npm install tekivex-security-coreSee the Ecosystem page for the full feature list.
tekivex-audit is a static-analysis CLI that catches the patterns
SecurityCore can’t see at runtime — dangerouslySetInnerHTML without
DOMPurify, missing rel="noopener", hardcoded API keys. Run it once:
npx tekivex-audit .It found 9 errors and 67 warnings on the demo site itself the first time we ran it.