By Liran Tal
Translation: crazy tech geek
Reprinting without permission is strictly prohibited
We highly recommend downloading the electronic version of the full report, but its content is also provided as the following series of blog posts:
- Angular vs React: Security Bakeoff 2019
- Analysis and Comparison of Angular and React Security Vulnerabilities in 2019
- Angular vs React: Security risks of indirect dependencies
- Comparing React and Angular Secure Coding Practices
- 84% of websites affected by jQuery XSS vulnerability
The report covers:
- Security Practices for Angular and React Core Projects
- The security state of the Angular and React module ecosystems, based on an in-depth study of the vulnerabilities in each ecosystem
- Significant security differences between the alternatives, especially between Angular and React
Here are the key takeaways from our report:
Angular vs. React Core Project Security
- The original AngularJS project (Angular v1.x) has 23 security vulnerabilities.
- No security vulnerabilities were found in the Angular core framework components.
- React has a few security vulnerabilities; they seem to be found in its core library fairly regularly, with a disclosure roughly every two years.
- Only one vulnerability in the React core project was assigned an official CVE, and the CVE list contains no vulnerability reports for Angular at all. Taken together, this shows that the open source community needs to use vulnerability databases in order to discover relevant security issues.
- Snyk reported 26 security vulnerabilities in the Angular and React core projects, none of which are reported by npm audit.
Angular vs. React module ecosystem security
- Both the React and Angular module ecosystems have shown security flaws in popular front-end library components with millions of downloads, some of which have no security fixes so far.
- We have witnessed malicious modules affecting the Angular and React ecosystems that attempt to collect credit card numbers, passwords and other sensitive information handled by front-end web applications.
- The Next.js framework has shown strong security responsibility: all five vulnerabilities over the life of the project were addressed quickly, with fixes delivered within a week.
Information about CVEs and security vulnerabilities
To investigate the overall security posture of each ecosystem covered in this report, we discuss factors including the security vulnerabilities identified in the relevant software packages. Vulnerabilities are reviewed and discussed in light of (and sometimes compared to) publicly known vulnerabilities.
In the Common Vulnerabilities and Exposures (CVE) List maintained by the CVE Numbering Authority (CNA), known vulnerabilities are assigned identification numbers, and each CVE is given a CVSS score that indicates the severity of the listed vulnerability. Learn more about how vulnerability severity is scored with CVSS.
Angular vs. React security posture
- Angular has visible and implementable security guidelines, communication, and responsible disclosure policies that React projects don’t have.
- Angular has broader built-in support for data sanitization and output encoding in different contexts, such as URL attributes in HTML anchor (link) elements.
- React has no built-in controls for data sanitization; it encodes output in most default cases and leaves it up to the developer to handle the remaining cases, such as ref and URL properties (the latter addressed by a deprecation in React v16.9.0).
- Angular provides built-in protection against cross-site request forgery (CSRF) through security mechanisms in its HTTP services, while React developers need to address this themselves.
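As an added example (not code from the Snyk report, nor from Angular or React), here is what a React application has to supply itself for the two gaps just listed: a scheme allowlist for URL-valued props such as href, and the cookie-to-header XSRF token pattern that Angular's HttpClient applies automatically. The cookie and header names XSRF-TOKEN / X-XSRF-TOKEN are Angular's defaults; the server-side check that compares them is assumed to exist.

```javascript
// Added example; not code from the Snyk report, Angular or React.
// 1) Scheme allowlist for URL-valued attributes (what Angular's sanitizer does
//    for [href]/[src] bindings and React leaves to the developer).
const ALLOWED_URL_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Returns the input unchanged if its effective scheme is allowlisted, otherwise
// prefixes it with "unsafe:" (the marker Angular also uses) so the browser
// treats it as an unknown scheme instead of executing it. Relative URLs are
// resolved against a placeholder base so they inherit an allowed scheme.
function sanitizeUrl(raw) {
  const value = String(raw ?? '');
  let parsed;
  try {
    // The WHATWG parser strips leading control characters and embedded
    // tabs/newlines, so obfuscated spellings of a blocked scheme are
    // normalised before the check.
    parsed = new URL(value, 'https://placeholder.invalid/');
  } catch {
    return `unsafe:${value}`;
  }
  return ALLOWED_URL_SCHEMES.has(parsed.protocol) ? value : `unsafe:${value}`;
}

// React passes href through verbatim; run it through the allowlist first.
function sanitizeAnchorProps(props) {
  const out = { ...props };
  if ('href' in out) out.href = sanitizeUrl(out.href);
  return out;
}

// 2) Cookie-to-header XSRF token, modelled on Angular's HttpClient defaults:
//    copy the XSRF-TOKEN cookie into an X-XSRF-TOKEN header on state-changing
//    requests to same-origin (relative) URLs only, so the token is never sent
//    cross-origin. The server is assumed to issue the cookie and compare it
//    with the header.
function xsrfHeaders(method, url, cookieString) {
  const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS']);
  if (safeMethods.has(method.toUpperCase())) return {};
  if (/^[a-z][a-z0-9+.-]*:|^\/\//i.test(url)) return {}; // absolute or protocol-relative
  const match = cookieString.match(/(?:^|;\s*)XSRF-TOKEN=([^;]*)/);
  return match ? { 'X-XSRF-TOKEN': decodeURIComponent(match[1]) } : {};
}

// In a React app: fetch(url, { method, headers: xsrfHeaders(method, url, document.cookie) })
```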
Front-End Ecosystem Security
- jQuery has over 120 million downloads in the past 12 months, and according to W3Techs, 84% of all sites using jQuery run jQuery v1.x, which is affected by four serious XSS vulnerabilities. In fact, unless you are using jQuery v3.4.0 or later (which most jQuery users are not), you are running a version that contains a known security vulnerability.
- In the past 12 months, Bootstrap has been downloaded 79,185,409 times and has a total of 7 cross-site scripting (XSS) vulnerabilities, three of them disclosed in 2019. Notable community modules include bootstrap-markdown, with over 300,000 downloads in the same period but no security fix or upgrade path for its XSS vulnerabilities, and bootstrap-select, with over 2 million downloads and a critical XSS vulnerability that was discovered by the Snyk research team with the help of its proprietary threat intelligence system.
- Over the past 12 months, the Vue.js framework has been downloaded more than 40 million times, and a total of four vulnerabilities exist in the Vue.js core, all of which have been fixed.
The report reviews the overall security of each framework and of its community-driven module ecosystem, together with the security risks associated with each; from these perspectives it highlights the best security practices employed in the field, and closes with actionable security advice for Angular and React users.
This article was first published on the WeChat official account Front-end Pioneer.