Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create SECURITY.md #664

Merged
merged 3 commits into from Apr 23, 2022
Merged

Create SECURITY.md #664

merged 3 commits into from Apr 23, 2022

Conversation

netcode
Copy link
Contributor

@netcode netcode commented Apr 10, 2022

Adding a basic security policy. Highly inspired by ExpressJS security policy.

Highly inspired by ExpressJS security policy.
@mde
Copy link
Owner

@mde mde commented Apr 11, 2022

Could you please add a statement similar to the following?

"If you give end-users unfettered access to the EJS render method, you are using EJS in an inherently un-secure way. Please do not report security issues that stem from doing that. EJS is effectively a JavaScript runtime. Its entire job is to execute JavaScript. If you run the EJS render method without checking the inputs yourself, you are responsible for the results."

I ask this because we get a ton of supposed security issues that stem from people assuming the render method should be secure. It is not, and nor should it be.

netcode added 2 commits Apr 13, 2022
Update the readme to add the security note
@netcode
Copy link
Contributor Author

@netcode netcode commented Apr 23, 2022

Done, I added this note in the security.md & the readme.md

@mde mde merged commit 66f7471 into mde:main Apr 23, 2022
@mde
Copy link
Owner

@mde mde commented Apr 23, 2022

This is awesome, thank you so much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants