Section | Details
---|---
Angular dynamic component | Embedded in our JavaScript support, this release includes an Angular framework check for dynamic components and the ability to parse JSX. The underlying vulnerability from using dynamic component construction is no different from other "eval injection" issues; review CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). It is well known as an insecure practice (see the security overview on client-side template injection), and, in particular for Angular, review The Security Angle on Angular.
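To make the CWE-95 point concrete, here is an added example that is not Kiuwan's code and does not use Angular's API: a framework-free model of "dynamic component construction". It contrasts a resolver that hands a caller-supplied selector string to the JavaScript evaluator with one that treats the selector as data and looks it up in an explicit allowlist. The registry, component names and props are constructed for the example.

```javascript
// Added example, not Kiuwan's or Angular's code: a framework-free model of
// "dynamic component construction" showing why it is the CWE-95 eval-injection
// pattern, next to a resolver that treats the selector as data. All names are constructed.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Stand-ins for components: each is a render function returning markup.
const COMPONENT_REGISTRY = new Map([
  ["UserCard", (props) => `<div class="card">${escapeHtml(props.name)}</div>`],
  ["Banner", (props) => `<p class="banner">${escapeHtml(props.text)}</p>`],
]);

// UNSAFE (CWE-95): the selector string is handed to the JavaScript evaluator.
// "registry.Banner" works as intended, but the caller can supply any expression,
// and it runs with the page's privileges. new Function is eval by another name.
function renderDynamicUnsafe(selectorExpr, props) {
  const factory = new Function("registry", "props", `return (${selectorExpr});`);
  return factory(Object.fromEntries(COMPONENT_REGISTRY), props)(props);
}

// SAFE: the selector is data. It must be a plain identifier and must exist in the
// explicit allowlist; nothing caller-controlled ever reaches an evaluator.
const SELECTOR_RE = /^[A-Z][A-Za-z0-9]*$/;
function renderDynamicSafe(selector, props) {
  if (typeof selector !== "string" || !SELECTOR_RE.test(selector)) {
    throw new Error(`rejected component selector: ${JSON.stringify(selector)}`);
  }
  const component = COMPONENT_REGISTRY.get(selector);
  if (component === undefined) throw new Error(`unknown component: ${selector}`);
  return component(props);
}

console.log(renderDynamicSafe("Banner", { text: "Welcome <b>back</b>" }));
```

The safe resolver is what a static analyzer wants to see: the selector never becomes code, unknown names fail closed, and the set of constructible components is visible in one place.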
Section | Details
---|---
JSX React | Also in our JavaScript support, we previously had partial support for React. This support is now extended with JSX. JSX, or JavaScript XML, is an XML-like syntax extension to ECMAScript that is part of the React library; the complete specification can be checked at Draft: JSX Specification. The following elements have been identified as potential security flaws and are detected by the existing JS rules. In React, HTML code is embedded in the JS code, so the HTML must be analyzed to mark sources, sinks and neutralization (for example, `<input>` elements). The embedded HTML is also analyzed by Kiuwan with the rules of the HTML technology, so the following existing checks may apply: OPT.HTML.AutocompleteOnForSensitiveFields, OPT.HTML.MissingPasswordFieldMasking, OPT.HTML.TargetBlankVulnerability, OPT.HTML.SandboxAllowScriptsAndSameOrigin, OPT.HTML.SpecifyIntegrityAttribute.
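As an added example, not Kiuwan's code and not the real implementation of the OPT.HTML rules, the following scanner shows the kind of check those five rule names describe, applied to JSX where the markup lives inside JavaScript. It tokenizes tags and attributes with regular expressions (enough for the constructed sample, not for arbitrary JSX; attribute expressions containing `>` are not handled) and reports the rule, line and tag for each finding. The rule semantics are my reading of the rule names and are assumptions; the sample component and the `sha384-PLACEHOLDER` value are constructed.

```javascript
// Added example, not Kiuwan's code nor the real OPT.HTML.* rule implementations:
// a small JSX/HTML tag scanner applying one reading of the five rule names
// from the release note. Rule semantics are assumptions; the sample is constructed.

// One opening or self-closing tag; closing tags (</x>) are not matched.
const TAG_RE = /<([A-Za-z][\w.-]*)\b([^<>]*?)\/?>/g;
// Attribute values may be quoted strings or JSX expressions in braces.
const ATTR_RE = /([A-Za-z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|\{([^{}]*)\}))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    // JSX uses camelCase (autoComplete, crossOrigin); lower-case for matching.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function checkTag(tag, attrs) {
  const findings = [];
  const t = tag.toLowerCase();
  const has = (k) => Object.prototype.hasOwnProperty.call(attrs, k);
  const sensitiveName = /pass|pwd|secret|token|card|cvv|ssn/i.test(attrs.name || attrs.id || "");
  if (t === "input") {
    const type = (attrs.type || "text").toLowerCase();
    const sensitive = type === "password" || sensitiveName;
    // Browsers default autocomplete to "on", so a missing attribute counts as "on".
    if (sensitive && (!has("autocomplete") || attrs.autocomplete.toLowerCase() === "on")) {
      findings.push("OPT.HTML.AutocompleteOnForSensitiveFields");
    }
    // A field that is clearly a password but rendered as visible text.
    if (type !== "password" && /pass|pwd/i.test(attrs.name || attrs.id || attrs.placeholder || "")) {
      findings.push("OPT.HTML.MissingPasswordFieldMasking");
    }
  }
  // target="_blank" without rel="noopener" gives the opened page a window.opener handle.
  if (t === "a" && (attrs.target || "").toLowerCase() === "_blank" && !/\bnoopener\b/i.test(attrs.rel || "")) {
    findings.push("OPT.HTML.TargetBlankVulnerability");
  }
  if (t === "iframe" && has("sandbox")) {
    const tokens = attrs.sandbox.toLowerCase().split(/\s+/);
    // allow-scripts plus allow-same-origin lets the framed document remove its own sandbox.
    if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      findings.push("OPT.HTML.SandboxAllowScriptsAndSameOrigin");
    }
  }
  // Subresource Integrity: external scripts and stylesheets should carry an integrity hash.
  const src = t === "script" ? attrs.src
    : (t === "link" && /stylesheet/i.test(attrs.rel || "")) ? attrs.href : undefined;
  if (src && /^(https?:)?\/\//i.test(src) && !has("integrity")) {
    findings.push("OPT.HTML.SpecifyIntegrityAttribute");
  }
  return findings;
}

function scanJsx(source) {
  const findings = [];
  for (const m of source.matchAll(TAG_RE)) {
    const line = source.slice(0, m.index).split("\n").length; // 1-based line of the tag
    for (const rule of checkTag(m[1], parseAttrs(m[2]))) findings.push({ rule, line, tag: m[1] });
  }
  return findings;
}

// Constructed sample component: each questionable line is paired with a fixed one.
const SAMPLE_JSX = `
export function LoginForm() {
  return (
    <form>
      <input name="username" type="text" />
      <input name="password" type="text" placeholder="Password" />
      <input name="otp" type="password" autoComplete="on" />
      <input name="newpass" type="password" autoComplete="new-password" />
      <a href="https://example.test/help" target="_blank">Help</a>
      <a href="https://example.test/docs" target="_blank" rel="noopener noreferrer">Docs</a>
      <iframe src="/widget" sandbox="allow-scripts allow-same-origin" />
      <script src="https://cdn.example.test/lib.js"></script>
      <script src="https://cdn.example.test/lib.js" integrity="sha384-PLACEHOLDER" crossOrigin="anonymous"></script>
    </form>
  );
}`;

for (const f of scanJsx(SAMPLE_JSX)) console.log(`${f.rule} at line ${f.line} (<${f.tag}>)`);
```

Run on the sample, the scanner reports six findings: the visible-text password field is flagged twice (masking and autocomplete), the `autoComplete="on"` password field once, and the `_blank` link, the sandboxed iframe and the external script without `integrity` once each; the hardened variants on the neighbouring lines produce nothing.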
Section | Details
---|---
Jenkins Kiuwan plugin update | Kiuwan has its own plugin to integrate with a Jenkins environment. This new version includes the following updates:
Section | Details
---|---
Other bug fixes and improvements | 