Comments (6)
satyavh
commented on August 20, 2024
I think the problem is, no backend serves the dapp, so we can't really include CSRF protection. That means, the client can never be trusted. And so we need to secure Feathers models and services. Already made a story for that in the feathers repro.
I'm really curious how Dapps are solving this issue. Actually blockchain could be really good for this, as a CSRF token is some kind of transaction based on trust.
from giveth-dapp.
ewingrj
commented on August 20, 2024
add sanitizing to feathers for all data
from giveth-dapp.
ewingrj
commented on August 20, 2024
okay, so react will sanitize anything unless we use dangerourslySetHtml, which we do for the dacs/campaigns/milestone descriptions field as we are using QuillJS.
from giveth-dapp.
vojtechsimetka
commented on August 20, 2024
Still the case in ViewCampaign, ViewDAC and ViewMilestone. Moving back to backlog (we really should solve this)
from giveth-dapp.
satyavh
commented on August 20, 2024
Ok so what exactly should we still solve here?
We cannot sanitize on the client, it can never ever be trusted. If we've implemented sanitizing on feathers, that should do it.
This dangerourslySetHtml is kind of (Facebook) bullshit if you know the source of the data (it just sets innerHtml but Facebook wants to own the web and thought it funny to name it differently).
We know the data always comes from Feathers and is sanitized already. And if by some hack attack that data doesn't come from Feathers, then still QuillJS is as far as I tried incapible of executing JS. And even if that would be hacked, then if the user saves it will be sanitized in Feathers again.
:-)
from giveth-dapp.
vojtechsimetka
commented on August 20, 2024
Good enough for me, I tried to do some injections but could not.
from giveth-dapp.
Related Issues (20)
- Cannot archive my trace
- Remove Create Campaign Button from Trace HOT 1
- Apply security fixes
- Cannot scroll down in Traces HOT 3
- Netlify Build Issue HOT 1
- Can't pay people :-( HOT 6
- IPFS security issue
- TRACE - message for connecting to dapp HOT 1
- TRACE - no fees banner HOT 1
- I can't submit my trace HOT 1
- Add trace object upload support to backend HOT 1
- Giveth Trace Bug HOT 1
- Trace page does not load HOT 1
- Cannot connect with Giveth Trace HOT 2
- Reduce minimum for Trace withdrawal to $50 HOT 2
- Transaction Stuck on Trace, blocking payments for CS HOT 1
- Donate buttons broken on Giveth House page
- Make frontend ready for sunset
- package.json
- Frontend slow in rendering all projects view
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from giveth-dapp.