XSS mitigation bypasses via script gadgets in JS frameworks

Framework / Library | CSP whitelists | CSP nonces | CSP unsafe-eval | CSP strict-dynamic | Chrome XSS Auditor | EDGE XSS filter | NoScript XSS Filter 5.0.2 | DOMPurify 0.8.7 | Google Closure HTML sanitizer (2017-05-01) | ModSecurity OWASP CRS 3.0.0
Vue.js 2.3.0 (u-e)
Aurelia (2017-03-21)
Angular 1.6.1
Polymer 1.7.1 - (<template) - (<template)
Underscore 1.8.3 / backbone -
Knockout 3.4.1 (u-e) - (data- or comments)
jQuery Mobile 1.4.5 - -
Ember.js 2.10.2 - - (dev) (dev)
React - -
Closure - (<a.*)
Ractive 0.8.1 - ({{}} uses eval) - (<script) - (script node) - (script) - (script) - (script)
Dojo 1.12.2 - (data-)
Requirejs 2.3.2 - (<script)
jQuery 3.1.1 - - - (<script)
jQuery UI 1.12.1 - -
Bootstrap 3.3.7 - (HTML in HTML attr)