Copy the text below, paste it into an email, and send to web_cms_support@epa.gov.

__________________________________________________________________

# JavaScript Program Security Checklist and Deployment Request

Date:
Date deployment required:
Allow a minimum of one week for review, scanning, approval, and deployment.
Script name(s):

Federal Owner:
Phone:
Email:
Drupal WebCMS Username:

Programmer:
Phone:
Email:
Drupal WebCMS Username:

## Requirements for JavaScript Security

(The rationale for these items is contained in the Required Readings below)

Yes__ No__ 1. This code passes JSLint or JSHint with *no warnings*.
Yes__ No__ 2. Never pass unverified user-supplied data to the application.
Yes__ No__ 3. Never write files to the Drupal WebCMS server.
Yes__ No__ 4. Always write programs in pure JavaScript, e.g., no CoffeeScript.
Yes__ No__ 5. Always make pathnames root-relative, e.g., /sites/production/files/2014-10/image.png
Yes__ No__ 6. No files accessed by the program should have execute privileges set for the owner, group, or other.
Yes__ No__ 7. Does your script utilize cookies?
Yes__ No__ 8. Always make sure your files can be compressed and stripped of whitespace and comments. We will only upload minified versions.
Yes__ No__ 9. Provide reviewers the ability to run the script interactively. This will allow a more complete study of the security issues.
Yes__ No__ 10. Make sure the Drupal WebCMS is safe against SQL Injection.
Yes__ No__ 11. Make sure the Drupal WebCMS is safe against Cross-site Scripting Attacks.
Yes__ No__ 12. Your code does not duplicate functionality already provided by existing JS files and libraries.

## Required Reading

These articles about JavaScript are considered required reading.
Yes__ No__ [Code Conventions for the JavaScript Programming Language](http://javascript.crockford.com/code.html)
Yes__ No__ [JS Hint](http://jshint.com/)
Yes__ No__ [Superhero.js](http://superherojs.com/)
Yes__ No__ [MDN: JavaScript](https://developer.mozilla.org/en-US/docs/Web/JavaScript)

### URL of articles/books reviewed (in addition to the above):

## Certification

I certify that I have checked my JavaScript against this checklist, and that it complies with these rules. I further certify that I have carefully read the "required reading" articles and that I have reviewed one or more articles on this subject on the Web.

I understand the need for JavaScript security, and I will ensure that my scripts are in full compliance at all times, to the best of my ability.

It should be noted that exploitation of JavaScript has been identified as a significant security risk. Applications containing significant numbers of and/or highly complex JavaScript files will need to review their files yearly.

This request form was last updated 14 July 2017.