@koto koto Fixed URL. b8afa02 May 7, 2017

XSS mitigation bypasses via script gadgets in JS frameworks

Columns, in order (one per mitigation tested against each framework or library):

- Framework / Library
- CSP whitelists
- CSP nonces
- CSP unsafe-eval
- CSP strict-dynamic
- Chrome XSS Auditor
- EDGE XSS filter
- NoScript XSS Filter 5.0.2
- DOMPurify 0.8.7
- Google Closure HTML sanitizer (2017-05-01)
- ModSecurity OWASP CRS 3.0.0

Rows (a "-" marks a cell with no bypass; parenthesised text is the note recorded for that cell, e.g. "(u-e)" for unsafe-eval):
Vue.js 2.3.0 (u-e)
Aurelia (2017-03-21)
Angular 1.6.1
Polymer 1.7.1 - (<template) - (<template)
Underscore 1.8.3 / backbone -
Knockout 3.4.1 (u-e) - (data- or comments)
jQuery Mobile 1.4.5 - -
Ember.js 2.10.2 - - (dev) (dev)
React - -
Closure - (<a.*)
Ractive 0.8.1 - ({{}} uses eval) - (<script) - (script node) - (script) - (script) - (script)
Dojo 1.12.2 - (data-)
Requirejs 2.3.2 - (<script)
jQuery 3.1.1 - - - (<script)
jQuery UI 1.12.1 - -
Bootstrap 3.3.7 - (HTML in HTML attr)