mustache-security's Issues

React security audit

Hey,

I've just stumbled upon your security audits and they are very well done. I was 
wondering if you would be interested in auditing the web framework I'm working 
on: React.

Website: http://facebook.github.io/react/
Where to report issues: https://www.facebook.com/whitehat
Source: http://fb.me/react-0.5.1.js

React is a different beast than all the other frameworks you evaluated and I 
hope that you will find interesting ways to attack it :)

Some random information:
 - React is CSP compliant without any modification.
 - The weakest point we know about is the `style` attribute. It doesn't have a proper parser and may be an XSS vector. However, we haven't been able to come up with any working attack.
 - React is being used heavily at Facebook and Instagram, so any vulnerability found is likely to be rewarded in the Whitehat program.

Original issue reported on code.google.com by vjeuxx on 12 Nov 2013 at 6:31

Template engine criteria should include secure default for anti-XSS

One thing I came across, that has actually gotten much better, is what the 
secure defaults were for various client-side templating engines regarding XSS.  
HTML encode-by-default should probably be the standard since most cases should 
not need to render markup as markup.

For example, on the .Net side, Razor templates are significantly more secure by 
default than Webforms against XSS, since Razor HTML encodes by default whereas 
Webforms requires special syntax to do this.  

Looking at the client-side engines, I recall seeing that underscore.js had no 
HTML encoding in the default usage.  Similarly, JsRender did not HTML encode by 
default and required special syntax to trigger it, which is very prone to 
developer error and makes it very hard to ensure everything is encoded properly 
(especially when 99% of your template substitutions should not generally need 
to render HTML as HTML -- it's Simon Says security, which is not very secure).  

Most of the other templating engines that I recall were secure by default.  
This should probably be one of the key criteria in evaluating the ongoing 
security offered by each platform.

Great work so far!

-Jason

Original issue reported on code.google.com by [email protected] on 10 Dec 2013 at 4:36
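The encode-by-default criterion proposed above, shown as an added example that is not code from the mustache-security project or from the issue author: two toy renderers, one that escapes every `{{x}}` substitution unless the author opts out with `{{{x}}}` (Mustache convention), and one that is raw unless the author remembers `<%- x %>` (the underscore.js convention), plus a small audit check that tells them apart. Function names, the `lookup` helper and the probe value are assumptions for this example.

```javascript
// Added example: minimal reimplementations of the two syntaxes, not the
// Mustache or underscore.js libraries themselves.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Missing keys render as empty string rather than the literal "undefined".
function lookup(data, key) {
  return data[key] === undefined ? '' : String(data[key]);
}

// Encode-by-default: {{key}} is escaped; only the explicit {{{key}}} form is raw.
// One alternation regex in a single pass means data inserted raw is never
// re-scanned for tags (a second replace pass would be a template-injection bug).
function renderEncodeByDefault(template, data) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, rawKey, safeKey) =>
      rawKey !== undefined ? lookup(data, rawKey) : escapeHtml(lookup(data, safeKey))
  );
}

// Raw-by-default ("Simon Says"): <%= key %> is raw; the author has to remember
// <%- key %> to get encoding. Forgetting once on an untrusted value is an XSS.
function renderRawByDefault(template, data) {
  return template.replace(
    /<%=\s*(\w+)\s*%>|<%-\s*(\w+)\s*%>/g,
    (_, rawKey, safeKey) =>
      rawKey !== undefined ? lookup(data, rawKey) : escapeHtml(lookup(data, safeKey))
  );
}

// Audit check for an engine's default tag: render a constructed, benign markup
// probe through it and report whether the markup survived unencoded.
function leaksMarkup(renderFn, template, key) {
  const probe = '<b id="probe">x</b>'; // constructed probe value
  const out = renderFn(template, { [key]: probe });
  return out.includes(probe);
}

// Constructed untrusted input, e.g. a user-supplied display name.
const untrusted = { name: '<b id="probe">x</b>' };
console.log(renderEncodeByDefault('<p>Hi {{name}}</p>', untrusted)); // encoded
console.log(renderRawByDefault('<p>Hi <%= name %></p>', untrusted));  // markup leaks
console.log(leaksMarkup(renderEncodeByDefault, '<p>{{name}}</p>', 'name')); // false
console.log(leaksMarkup(renderRawByDefault, '<p><%= name %></p>', 'name'));  // true
```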
