javascript-security
Safeguard articles tagged "javascript-security" — guides, analysis, and best practices for software supply chain and application security.
34 articles
CVE-2020-11023: XSS in jQuery option/script tag handling
CVE-2020-11023 let untrusted HTML with option tags bypass sanitization in jQuery's DOM methods, enabling XSS. Here's the fix, timeline, and remediation.
CVE-2018-1000620: ReDoS in marked markdown parser
A ReDoS flaw in the marked Markdown parser (CVE-2018-1000620) let crafted input stall Node.js services. Here's the impact, fix, and how to catch it in your dependency tree.
CVE-2022-21681: Second ReDoS flaw in marked
CVE-2022-21681 is a ReDoS flaw in marked's inline tokenizer that lets crafted Markdown hang parsing. What's affected, severity, and how to remediate.
DOM-Based XSS: Finding and Fixing Client-Side Injection
DOM XSS never touches your server, so response scanners miss it. Here is how to trace sources to sinks in client code and shut the flaw down.
Dependency Injection in JavaScript: Security Notes
Dependency injection in JavaScript makes code testable and modular, but the same indirection that helps design can hide security bugs if you're not careful about what gets injected.
jQuery 3.7.1 Vulnerabilities: What Actually Changed From Earlier Releases
jQuery 3.7.1 vulnerabilities are mostly inherited history, not new CVEs — the real security story is what changed across 3.4, 3.5, and 3.7.
Lodash 4.17.21: The Security History Behind the Version Bump
Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.
CVE-2011-4969: The jQuery XSS Bug, a Decade Later
CVE-2011-4969 is a cross-site scripting flaw in jQuery versions before 1.6.3, triggered by unsanitized attribute-selector input — it's a small, old bug, but the reasons it lingered in codebases for years are still relevant.
jQuery 3.5.1 Vulnerabilities: What Was Actually Fixed
jQuery 3.5.1 closed a second cross-site scripting hole in the htmlPrefilter regex that 3.5.0 had only partially patched — here's exactly what changed and why old jQuery bundles still trip scanners.
Electron ContextBridge Security: Building Safe Desktop Apps
Electron's ContextBridge is the secure boundary between web content and Node.js APIs. This guide covers how to use it correctly, common mistakes that create RCE vulnerabilities, and security best practices for Electron applications.