Building Secure React Applications • Philippe De Ryck • GOTO 2019

Video Statistics and Information

Reddit Comments

In summary,

  • dangerouslySetInnerHTML is dangerous, so prefer conventional ways of rendering variables, e.g. <div>{data}</div>, which escapes everything, turning it into a text node.
  • use DOMPurify before passing data to dangerouslySetInnerHTML.
  • don't bypass React via refs to write innerHTML.
  • General secure coding practice: Don't filter 'bad things' by using blocklists of bad things, use allowlists of good things, because there are a large number of bad things you won't know about.

The talk was ok, but kinda basic.

πŸ‘οΈŽ︎ 46 πŸ‘€οΈŽ︎ u/holloway πŸ“…οΈŽ︎ Mar 11 2020 πŸ—«︎ replies

This is a talk from GOTO Berlin 2019 by Philippe De Ryck, PhD in web security, OWASP and practical security mastermind, and founder of Pragmatic Web Security. Give the full talk abstract a read below:

React is a secure framework. It handles cross-site scripting (XSS) out of the box. While these statements sound very hopeful, they are unfortunately far from reality. Building secure applications with React is easier than starting from scratch. However, even with React, there are several guidelines and considerations to take into account.

In this session, we take a deep-dive into two particular topics. We take a close look at XSS, React's defenses, and the responsibilities of the developer. The second topic zooms in on the challenges with including NPM dependencies. We look at how attackers abuse NPM to target your application. Throughout these topics, we build a set of concrete guidelines you can immediately apply to your applications.

What will the audience learn from this talk?
The audience will learn about real-world security pitfalls in React applications, more importantly, how to prevent them.

Does it feature code examples and/or live coding?
Yes, the entire talk is example-driven!

πŸ‘οΈŽ︎ 12 πŸ‘€οΈŽ︎ u/goto-con πŸ“…οΈŽ︎ Mar 11 2020 πŸ—«︎ replies

Thank you for sharing! :)

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/atd285 πŸ“…οΈŽ︎ Mar 11 2020 πŸ—«︎ replies

!remindme 24h

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/wilomgfx πŸ“…οΈŽ︎ Mar 11 2020 πŸ—«︎ replies
Captions
No captions available for this video.
Info
Channel: GOTO Conferences
Views: 6,713
Keywords: GOTO, GOTOcon, GOTO Conference, GOTO (Software Conference), Videos for Developers, Computer Science, Programming, GOTOber, GOTO Berlin, Philippe De Ryck, OWASP, Pragmatic Web Security, React, Security
Id: O91hJJ5KMLs
Length: 44min 39sec (2679 seconds)
Published: Wed Mar 11 2020