javascript – What are the security issues for a fully client-side JS / HTML5 application?

When you say that JS and HTML are hosted on GitHub, I assume you mean that the code is hosted there only for download and that your interactive story does not reach GitHub at runtime to retrieve actives. If this were the case, this external connection to GitHub could potentially be used for malicious actions. If someone can access the code hosted on GitHub, they can change it to perform whatever they want on the clients. It is not necessarily an injection, but it is worth drawing attention to.

However, it looks like your application is not getting the GitHub code at runtime. If this app really only uses local resources on the machine (no data recovery from elsewhere, no external links, etc.), your app should be safe from it ; an external attacker. You should always be wary of viewing any user content, as this could potentially open the door to injection attacks if it is not properly filtered, but in this case, it appears that customers have no way of contacting other clients or uploading to a server. So, realistically, if a user could inject code into their client, the only person they could affect was themselves.

Another thing to know: if you build a framework in which users can create stories to distribute (for example by allowing other people to play a story that I create), it is also a vector d & # 39; attack. Indeed, the history files are created by arbitrary users (like me) and are then interpreted by the client web application of the users who import them (Alice / Bob).

Web application – Is there a vulnerability other than XSS that could cause client-side scripting?

Note that this answer applies to the original version of the question which was less strict and clear about what the OP would actually like to know.

To execute malicious client-side script in the context of the web application, the script

  • could be injected cross site by the attacker for example inside the URL (reflected XSS)
  • can be served by the original web server because the server was compromised or had a stored XSS vulnerability
  • can be done by loading or moving the client side of the application in an unexpected context (DOM XSS)
  • can be injected client-side using a browser extension, which can be controlled by the attacker either because the extension is malicious or has bugs
  • can be injected through improper use of scripts for third parties, for example when including ads or tracking (malicious advertising)
  • could be provided by the attacker using a MITM attack (thanks to Anders for this idea)

And of course, there could be bugs in the browser that make this possible (XSS universal).

spfx webparts – Grant permissions to all external users on the client-side resource library of the App Catalog site

I have an SPFx Web Part added to my page in a modern site.

External sharing is enabled in my modern site, and I must grant at least read permissions to each external user on the "Client-side assets" library of the SharePoint application catalog site for my SPFx Web Part to work for them otherwise the SPFx Web Part throws an error.

However, whenever a new external user is added to the site, I have to access the App Catalog site and grant them permissions.

Is there a simple way to grant permissions on the App Catalog site's "ClientSideAssets" library to all external users?

There is a group named "Everyone except external user", but is there a group like "Everyone, including external users"?

reactjs – Meteor-files s3 upload: The insert is not a client-side function

I'm trying to use ostrio: files aka Meteor-files with s3. When using the s3 code example running Images.insert on client returns, the insert is not a function. My code is correct, for example on the s3 integration page. Is additional code needed or can anyone publish a sample client-side code for the s3 path? I am not using models, im using react for front-end, even if this is basic.

import { FilesCollection } from 'meteor/ostrio:files';
import Images from '../../../api/Images/Images'; //Server-side-file-store.js

submitLogo() {
var logo = document.getElementById('logoInput').files(0)
const upload = Images.insert({
    file: logo,
    streams: 'dynamic',
    chunkSize: 'dynamic'
  }, false);

  upload.on('end', function (error, fileObj) {
    if (error) {
      alert('Error during upload: ' + error);
    } else {
      alert('File "' + + '" successfully uploaded');



Works fine if I exchange the code in images.js with the original non-s3 code for collection-fs, fyi.

c # – Get the value of a client-side input field

How can you get the value of a client-side input field?


I want the value of MyTextValue to be used here:

                var input = document.getElementById("MyTextValue");
                Html.RenderPartial(input.value + "View");

But the name & # 39; document & # 39; does not exist in the current context. I do not know how to get the value of MyTextValue to get the partial view based on this value. Ideas?

The value of MyTextValue is already known when loading the page.

spfx – Enabling multilingual localization in client-side Web Parts of SharePoint Framework

See the following steps to add multiple languages ​​in SharePoint Framework Web Parts (SPFx):

  1. In the "loc" folder, you will see a file named "mystrings.d.ts". At first add the property here as below:
declare interface ITestWebPartStrings {
  WebpartTitle: string;
  1. There is a file for the English language named "en-us.js". If you want
    add another language, you must create another file. For example if
    you want to add the Norwegian language then you have to create the file "nb-NO.js".
  2. After that, add the property to the "nb-NO.js" file for the Norwegian language.
    And for the English language, add the property in the "en-us.js" file as below:
define((), function() {
    return {
        "WebpartTitle": "YourTitle",
  1. Now you have to import into your file.
import * as strings from 'TestWebPartStrings';
  1. You can now display "WebpartTitle" using "strings.WebpartTitle". This is the process for adding multiple languages.
let wpTitle = strings.WebpartTitle;

Microsoft Documentation Reference: Locating SharePoint Framework Client Side Web Parts

If the answer is helpful, please upvote.

apache – Which browsers handle client-side compression of queries like POST's ed formdata?

Which browsers manage client side compression requests, such as "multipart / form-data" sent by the client to the server via HTTP POST?

The HTTP server that I'm trying to run with is Apache with the mod_deflate and mod_gzip modules, which include Content-Encoding: deflate and Content-Encoding: gzip headers in POST requests.

design – Where to route the http request in an SSR application, the client-side middle layer or NodeJS?

I am building a personal blog system that supports writing markdowns.

We want to reuse the markdown rendering component in both the client-side editor and the server-side rendering. We therefore involve a NodeJS middle layer that will serve as a server-side rendering engine for building an SSR application.

However, we are building our main service by Java. So now we have two plans to process the http request from the client side.

Plan A:
Let the client side do the routing of the request, that is, all the rendering request (can be identified as /blogs/:some-id) send to the central layer of the node and the other request sent to the Java server.

Plan B:
Let the middle node layer route the request, that is, it will handle the entire rendering request and simply forward another request to the Java back-end server. We also let the middle layer perform the permissions.

So which one is preferred or better advice?

Workaround of client-side protection for XSS

For an XSS exploit to occur, you must consider several elements:

  1. You need to control an item that will allow you to inject your
  2. The protections in place must include your payload in the whitelist when the injection takes place
  3. The item must be rendered in another person's browser, which means that you need a method of delivering your payload.

As far as I know, the function you describe only deals with the second element above, you still need an item that will make your payload and you will need a way to provide that charge useful to the "victim".

In addition, the fact that the protection only occurs on the client does not prove in any case a vulnerability leading to XSS. The web application can be perfectly secure if an item displayed on the page that interacts with the user input goes through this function and that it does not have a workaround. In other words, the fact that your payload can be stored without transformation (or reflected) on the backend will not trigger any XSS if you do not find in the Web page a location where this payload will be recovered. rendered without the function being triggered.

And this without taking into consideration more modern defenses like the CSP, where even if you find the 3 elements of the list, you will get many restrictions on payloads and delivery methods that you can actually use to reduce the vulnerability.

javascript – Having problems with client-side prediction in my multiplayer game on canvas

by the time my game waits for the server to tell the client where the player is on the template that is updated approximately 25 times per second on the client and the server, I think that means that the players at the most will only move at 25fps.

What I'm trying to do is make sure that the client can run at more frames per second, for example 144; I'm not sure that means I need to implement client side prediction or something else, last days.

I have read the article by Victor Zhou and that of Gambetta, but honestly, I do not know how to implement it in my game.

For now, my game works like this:

Note that I use to achieve this.

  • the client sends to the server the information on the key that it holds or loose, once the server knows that it is holding down a key, its position is updated according to the key pressed until it reaches the server. the key is released.

  • The server sends updated player positions to the client every 40 milliseconds.

  • The client draws the drives on the canvas every 40 milliseconds using updated server information.

To reiterate, I try to make sure that the client's players move more smoothly than 25 fps and even if the player's PC can not handle that, it will not affect the game, if that's a problem. meaning.