Comments (12)
What is the threat?
from alumni-network.
@firgon000 I don't know a whole lot about XSS, but @Bigghead mentioned it to me early on in this process. I would think people attempting to write scripts in our text areas where there is actually some room - bio, mentorship bio, etc.
Not sure what could actually be accomplished if someone did...
Looking for @Bigghead's expertise on this one.
I've used something simple like express-sanitizer to get rid of script tags on the server.
Some of the things people can easily do with XSS:
- On the more harmless side, somebody can just write a setInterval alert script on a page, making it super annoying to load/unusable.
- Or a user writes a window.open script that will automatically redirect to a malicious site on page load. Imagine if they got this script saved in their profile page's DB. Everybody that visits their profile gets redirected to a new site.
Or Helmet.js.
@Bigghead @no-stack-dub-sack I think React helps sanitize input for us? Like, I don't care what script you write in any of our inputs, but it will just show up as that string of text later on...? Try it out on the live demo app; if you can window.open anything, then we'll need to take a second look. I just tried a few things myself, nothing. Did find another chat bug tho. 😭 💀
FCC Alumni Network CISO: Shav "Big Head" Parta
lolz
@bonham000 is right, I just read React helps prevent XSS, as they automatically escape certain HTML strings in inputs.
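As an added illustration (not code from the alumni-network project) of what "automatically escape" means: a plain-JavaScript model of how React renders text children, next to the naive "strip the script tags" filter mentioned earlier in the thread, run over a constructed profile record. The helper names and the sample profile are assumptions made for this example.

```javascript
// Added example, not part of the alumni-network codebase.
// Models React's behaviour for text children: the raw string from the DB
// is stored untouched and every dangerous character is escaped at render time.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Naive server-side filter in the spirit of "get rid of script tags".
// It deletes user content and relies on recognising one particular element;
// shown here only for comparison with output escaping.
function stripScriptTags(text) {
  return String(text).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Render a profile the way React would render {profile.bio} as a text child.
// Note: React only escapes text children and attribute values; anything passed
// to dangerouslySetInnerHTML or written via innerHTML is NOT escaped.
function renderProfile(profile) {
  return [
    `<h1>${escapeHtml(profile.name)}</h1>`,
    `<p class="bio">${escapeHtml(profile.bio)}</p>`,
    `<p class="mentorship">${escapeHtml(profile.mentorshipBio)}</p>`,
  ].join('\n');
}

// Counts opening and closing tags in rendered markup. With escaping in place
// the count must equal the tags in our own template (6), whatever the user typed.
function tagCount(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

// Constructed test data (not a real user); the bio carries the window.open
// redirect described in the thread.
const SAMPLE_PROFILE = {
  name: 'Jane Doe',
  bio: 'Hi there <script>window.open("https://example.invalid")</script>',
  mentorshipBio: 'Ask me about "Node" & React',
};

const html = renderProfile(SAMPLE_PROFILE);
console.log(html);                          // script shows up as literal text
console.log('tags in output:', tagCount(html));            // 6
console.log('stripped bio:', JSON.stringify(stripScriptTags(SAMPLE_PROFILE.bio)));
```

The escaped version keeps the user's text visible but inert, while the stripping filter silently discards it; neither approach protects markup that is later injected without escaping.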
React 👑
React is freakin awesome. That window.open trick broke my voting app the first time.
I don't think we should worry about XSS injections too much (at all) with this app
MEEN Stack?