Safeguard
Tag

javascript-security

Safeguard articles tagged "javascript-security" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Vulnerability Analysis

CVE-2020-11023: XSS in jQuery option/script tag handling

CVE-2020-11023 let untrusted HTML with option tags bypass sanitization in jQuery's DOM methods, enabling XSS. Here's the fix, timeline, and remediation.

Oct 15, 20258 min read
Vulnerability Analysis

CVE-2018-1000620: ReDoS in marked markdown parser

A ReDoS flaw in the marked Markdown parser (CVE-2018-1000620) let crafted input stall Node.js services. Here's the impact, fix, and how to catch it in your dependency tree.

Oct 14, 20258 min read
Vulnerability Analysis

CVE-2022-21681: Second ReDoS flaw in marked

CVE-2022-21681 is a ReDoS flaw in marked's inline tokenizer that lets crafted Markdown hang parsing. What's affected, severity, and how to remediate.

Oct 13, 20256 min read
Vulnerabilities

DOM-Based XSS: Finding and Fixing Client-Side Injection

DOM XSS never touches your server, so response scanners miss it. Here is how to trace sources to sinks in client code and shut the flaw down.

Aug 14, 20255 min read
Dev Practices

Dependency Injection in JavaScript: Security Notes

Dependency injection in JavaScript makes code testable and modular, but the same indirection that helps design can hide security bugs if you're not careful about what gets injected.

May 14, 20256 min read
Vulnerabilities

jQuery 3.7.1 Vulnerabilities: What Actually Changed From Earlier Releases

jQuery 3.7.1 vulnerabilities are mostly inherited history, not new CVEs — the real security story is what changed across 3.4, 3.5, and 3.7.

Mar 11, 20255 min read
Vulnerabilities

Lodash 4.17.21: The Security History Behind the Version Bump

Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.

Feb 11, 20255 min read
Vulnerabilities

CVE-2011-4969: The jQuery XSS Bug, a Decade Later

CVE-2011-4969 is a cross-site scripting flaw in jQuery versions before 1.6.3, triggered by unsanitized attribute-selector input — it's a small, old bug, but the reasons it lingered in codebases for years are still relevant.

Nov 19, 20245 min read
Vulnerabilities

jQuery 3.5.1 Vulnerabilities: What Was Actually Fixed

jQuery 3.5.1 closed a second cross-site scripting hole in the htmlPrefilter regex that 3.5.0 had only partially patched — here's exactly what changed and why old jQuery bundles still trip scanners.

Mar 14, 20245 min read
Application Security

Electron ContextBridge Security: Building Safe Desktop Apps

Electron's ContextBridge is the secure boundary between web content and Node.js APIs. This guide covers how to use it correctly, common mistakes that create RCE vulnerabilities, and security best practices for Electron applications.

Jul 5, 20236 min read
javascript-security (Page 3) — Safeguard Blog