Building Secure React Applications • Philippe De Ryck • GOTO 2019

  • Published 22 Jan 2025

COMMENTS • 6

  • @domaincontroller
    @domaincontroller 4 years ago +8

    02:03 XSS Keylogger, GitHub
    11:14 DOMPurify
    13:42 Avoiding XSS in React
    14:32 ReactHtmlParser
    19:57 Ron Perris, Avoiding XSS in React is still Hard
    25:00 Secure Coding Guidelines, eslint-plugin-react
    29:28 97% of code in modern web app, third party dependencies, npm, the average npm module relies on 80 packages, 40% relies on known vulnerable code, handlebars
    37:55 continuous monitoring, dependency graph, GitHub, snyk
    39:53 Equifax, securing dependencies
    44:00 Ron Perris, Lewis Ardern

  • @ts8960
    @ts8960 2 years ago +2

    To summarize this 44 minutes in 1 line: don't use innerHTML but if u do use DOMPurify.

  • @Wagglepuff
    @Wagglepuff 4 years ago +2

    Very interesting, especially the part on the dependencies vulnerability that is important, but imo this concerns mostly the back end. I never understood why we should bother securing front end (or spending a lot of time on it) when anyone can dl your app, study it and modify it. The real part to secure is the back end!

  • @JeffLewis7
    @JeffLewis7 4 years ago +4

    German Beto O’Rourke?

  • @shanonjackson5528
    @shanonjackson5528 4 years ago

    No need for DOM Purify just render it into a sandboxed . No problems