big-list-of-naughty-strings
eslint-plugin-no-unsanitized
Our great sponsors
big-list-of-naughty-strings | eslint-plugin-no-unsanitized | |
---|---|---|
41 | 2 | |
45,851 | 215 | |
- | 1.9% | |
0.0 | 4.6 | |
10 days ago | 5 days ago | |
Python | JavaScript | |
MIT License | Mozilla Public License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
big-list-of-naughty-strings
- What's that touchscreen in my room?
-
Horrib
Related: https://github.com/minimaxir/big-list-of-naughty-strings
The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.
- The Big List of Naughty Strings
-
Super sorry to the guy with the username reset on GitHub
Sounds like we need to use the Big List Of Naughty Strings to weed out troublesome usernames...
https://github.com/minimaxir/big-list-of-naughty-strings
- API Security Testing
-
Discussion Thread
oh boy oh boy https://github.com/minimaxir/big-list-of-naughty-strings
-
100+ Must Know Github Repositories For Any Programmer
2. Big List of Naughty Strings
- A Summary of Fuzzing Tools and Dictionaries For Bug Bounty Hunters
- Damned dirty input
eslint-plugin-no-unsanitized
-
Escaping user input is ridonkulously hard
Prevent any uses of setting innerHTML or similar functions e.g. via an eslint plugin.
-
HTML Sanitizer API
Great point!
It wanted to edit the comment to change (1) to (server/client) but I passed my edit timeout.
I would include your (5) within (1). `textContent` and other DOM methods like `setAttribute` are effectively secure output-escaping on the client.
Your (5a) is an excellent extra measure. In this area, I'd also add security-focused linting for (1) and (5)–e.g. for (5), to ensure secure DOM methods are used, I use Mozilla's `eslint-plugin-no-unsanitized`[0] plugin for all my personal & work projects.
[0] https://github.com/mozilla/eslint-plugin-no-unsanitized/
What are some alternatives?
SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
java-html-sanitizer - Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
CheatSheetSeries - The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
content - The content behind MDN Web Docs
ms-teams-rce
You-Dont-Need-Lodash-Underscore - List of JavaScript methods which you can use natively + ESLint Plugin
javascript-questions - A long list of (advanced) JavaScript questions, and their explanations :sparkles:
XO - ❤️ JavaScript/TypeScript linter (ESLint wrapper) with great defaults
bluemonday - bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
33-js-concepts - 📜 33 JavaScript concepts every developer should know.
WSL - Issues found on WSL