|GNU General Public License v3.0 or later||GNU General Public License v3.0 or later|
Storing user input html in a database for others users to see
1 project | reddit.com/r/webdev | 29 Nov 2021
Searching for XSS specifically actually comes up with a few - https://www.npmjs.com/package/xss looks solid. I was being too literal in my search! Should have tried bing.
Browser extension - Integrate your features securely
2 projects | dev.to | 16 Feb 2021
There are a few libraries you can use to protect from XSS. For instance, the xss library on npm.
How to allow custom entered HTML in item description, but make sure no JS gets entered?
1 project | reddit.com/r/webdev | 2 Jan 2022
You can use an input sanitizer. I'd use something like DOMPurify if you don't want to write the sanitizer yourself. But yeah, you should not allow, or should remove, certain tags like script and img.
How to choose a third party package
6 projects | dev.to | 4 Dec 2021
As mentioned in Fit your need, many packages try to solve a general problem (thus the size of the package is large). You may only need a small part of the package. Sometimes, your problem is unique and there are no existing third-party packages out there that solve it. In those cases, it's a great time for you to do it yourself. In my early days in the industry, I found myself spending much time finding a third-party package to help me build features. But over time, I used external packages less and less for my daily tasks. It doesn't mean that I always reinvent the wheel. It means that I know what I am doing and I can seek help from the community when I truly need to (for example, I will never sanitize user input by myself, but use DOMPurify).
Vital Tips to Help You Create a Secure React Web Application
1 project | dev.to | 19 Nov 2021
You will always want to convert untrusted values provided by external users into trusted values, and you can do so by using the DOMPurify library.
Converting HTML element inside string in blazor at "runtime"
1 project | reddit.com/r/dotnet | 31 Oct 2021
If you must display arbitrary HTML, consider using an IFrame to sandbox the code. At least try to sanitize it: https://github.com/cure53/DOMPurify
VSCode built with jQuery?
2 projects | reddit.com/r/vscode | 17 Oct 2021
EIGHT SECURITY TIPS TO PREVENT YOUR WEB APPLICATION FROM BEING HACKED
1 project | dev.to | 24 Sep 2021
How To Parse and Render Markdown In Vuejs
6 projects | dev.to | 26 Aug 2021
Vue does not have as much support as there is for React. Examples are markdown-it, Remark.js, marked.js. But hopefully in the future there should be more support, and after much research I picked marked.js because it has the most stars and has zero vulnerabilities. Marked does not sanitize its output HTML (meaning it does not secure HTML documents from attacks like cross-site scripting (XSS)), as that feature is deprecated and has vulnerabilities; however, it supports the use of other libraries to secure the output HTML, such as DOMPurify (recommended), sanitize-html or insane.
Include HTML-in-HTML: an iteration
1 project | dev.to | 9 Aug 2021
We use DOMPurify, a widely used and battle-tested solution for HTML sanitization.
When You Get Right Down to It, Most Security Is Based on The Honor System
1 project | reddit.com/r/programming | 5 Aug 2021
There is DOMPurify: https://github.com/cure53/DOMPurify
A contentEditable, pasted garbage and caret placement walk into a pub
2 projects | news.ycombinator.com | 23 Jul 2021
I would highly recommend using DOMPurify over sanitize-html. It is a lot smaller in bundle size, it is also well maintained: https://github.com/cure53/DOMPurify
The author mentions building their own sanitizer, which I would recommend against. Maybe for this use case (extracting a few b tags) it'd be fine, but as soon as links are involved: please stand on the shoulders of giants in order to prevent XSS.
What are some alternatives?
sanitize-html - Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance
Themis - Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.
prosemirror-schema-basic - Basic schema elements for ProseMirror
trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
Thymeleaf - Thymeleaf is a modern server-side Java template engine for both web and standalone environments.
SuperTokens Community - Open source alternative to Auth0 / Firebase Auth / AWS Cognito