Semantic-Org / Semantic-UI

Semantic is a UI component framework based around useful principles from natural language.
http://www.semantic-ui.com
MIT License

[Security] Documentation on the secure usage of Semantic-UI #6570

Open dreaming-augustin opened 6 years ago

dreaming-augustin commented 6 years ago

It would be nice to have a whole section dedicated to security on the Semantic-UI web site, and for each module, a sub-section on the secure use of that particular module.

Currently, some code samples provided in the Semantic-UI documentation are inherently insecure.

I searched but couldn't find any mention of 'security' in the official documentation, nor anything about potential pitfalls when using some Semantic-UI modules when one does not pay attention to sanitizing user input.

y0hami commented 6 years ago

@dreaming-augustin Please could you elaborate on how data-text is "insecure"

dreaming-augustin commented 6 years ago

@hammy2899 See the fiddle in the linked issue dedicated to data-text: [Dropdown] Security Vulnerability with data-text #5376

dreaming-augustin commented 6 years ago

This issue is more for a meta discussion on:

dreaming-augustin commented 6 years ago

The following issue was closed by the stale bot and should be reopened: XSS issue in semantic dropdown. #4498

dreaming-augustin commented 6 years ago

The following issue was closed by the stale bot and should be reopened: Content Security Policy #3119

dreaming-augustin commented 6 years ago

Checklist:

lubber-de commented 5 years ago

We implemented data sanitizing and added a security page to the docs https://fomantic-ui.com/modules/search.html#/security https://fomantic-ui.com/modules/dropdown.html#/security

dreaming-augustin commented 5 years ago

@lubber-de What you did is great! Thank you very much for taking the time to implement my main suggestions for documentation. I am very happy that Fomantic is making such progress and taking security issues seriously. Many thanks to the whole team.