GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → filedescriptor → Untrusted Types

filedescriptor / Untrusted Types

Licence: apache-2.0

Labels

svelte

Projects that are alternatives of or similar to Untrusted Types

Userscripts
An open-source userscript editor for Safari
Stars: ✭ 261 (-44.82%)
Mutual labels:  svelte
Vudash
Powerful, Flexible, Open Source dashboards for anything
Stars: ✭ 363 (-23.26%)
Mutual labels:  svelte
Nomie
Nomie v5 Source Code
Stars: ✭ 407 (-13.95%)
Mutual labels:  svelte
Abstract State Router
Like ui-router, but without all the Angular. The best way to structure a single-page webapp.
Stars: ✭ 288 (-39.11%)
Mutual labels:  svelte
Svelte Router
Svelte Router adds routing to your Svelte apps. It's designed for Single Page Applications (SPA). Includes localisation, guards and nested layouts.
Stars: ✭ 310 (-34.46%)
Mutual labels:  svelte
Svite
svelte integration for vite
Stars: ✭ 383 (-19.03%)
Mutual labels:  svelte
SENT-template
Skip setup and start code with SENT (Sapper Express Node Template) and other tools
Stars: ✭ 69 (-85.41%)
Mutual labels:  svelte
Nativescript
NativeScript empowers you to access native platform APIs from JavaScript directly. Angular, Capacitor, Ionic, React, Svelte, Vue and you name it compatible.
Stars: ✭ 20,730 (+4282.66%)
Mutual labels:  svelte
Svelte Intellij
Svelte components in WebStorm and friends
Stars: ✭ 345 (-27.06%)
Mutual labels:  svelte
Svelma
Bulma components for Svelte
Stars: ✭ 401 (-15.22%)
Mutual labels:  svelte
Sapper Ecommerce
Svelte ecommerce - Headless, Authentication, Cart & Checkout, TailwindCSS, Server Rendered, Proxy + API Integrated, Animations, Stores, Lazy Loading, Loading Indicators, Carousel, Instant Search, Faceted Filters, 1 command deploy to production, Open Source, MIT license. Join us as contributor ([email protected])
Stars: ✭ 289 (-38.9%)
Mutual labels:  svelte
Crayon
Simple framework agnostic UI router for SPAs
Stars: ✭ 310 (-34.46%)
Mutual labels:  svelte
Figma Html
Convert Figma designs to HTML, React, Vue, Angular, and more!
Stars: ✭ 382 (-19.24%)
Mutual labels:  svelte
Svelte Calendar
A lightweight datepicker with neat animations and a unique UX.
Stars: ✭ 279 (-41.01%)
Mutual labels:  svelte
Svelte Select
A select component for Svelte apps
Stars: ✭ 414 (-12.47%)
Mutual labels:  svelte
Curi
A JavaScript router for single-page applications
Stars: ✭ 262 (-44.61%)
Mutual labels:  svelte
Svelte Materialify
A Material UI Design Component library for Svelte heavily inspired by vuetify.
Stars: ✭ 351 (-25.79%)
Mutual labels:  svelte
Firebase Gcp Examples
🔥 Firebase app architectures, languages, tools & some GCP things! React w Next.js, Svelte w Sapper, Cloud Functions, Cloud Run.
Stars: ✭ 470 (-0.63%)
Mutual labels:  svelte
Svelte I18n
Internationalization library for Svelte
Stars: ✭ 433 (-8.46%)
Mutual labels:  svelte
Mermaid Live Editor
Edit, preview and share mermaid charts/diagrams. New implementation of the live editor.
Stars: ✭ 395 (-16.49%)
Mutual labels:  svelte
View All Similar Projects ➔

Untrusted Types for DevTools

Untrusted Types is a Chrome extension that abuses Trusted Types to log DOMXSS sinks.

Untrusted Types for DevTools

Installation

Using npm

  1. Clone the repository
  2. Install dependencies: npm i
  3. Build the project: npm run build
  4. Go to chrome://extensions, enable Developer mode
  5. Load unpacked, choose the public folder

Chrome Web Store

https://chrome.google.com/webstore/detail/bpeblffgmddnafmnmdjohcmkbeifdlnb/

Prebuilt version

If the project is failing to build for some reason, you can download the prebuilt version from the Releases page.

  1. Download and extract the archive
  2. Go to chrome://extensions, enable Developer mode
  3. Load unpacked, choose the extracted folder

Usage

Discover and test inputs passed into sinks that could lead to DOM XSS vulnerabilities.

A sink is a code pattern that could run arbitrary JavaScript code if the input is malicious, for example: innerHTML, eval, document.write.

Keywords (by default d0mxss) that are found to be passed in a sink will be highlighted in the extension and the console.

A simple tutorial: https://www.youtube.com/watch?v=CNNCCgDkt5k

To find the stack trace of a specific log:

  1. Copy the ID by clicking on it,
  2. Open Console>Filter and paste the ID,
  3. Now you can inspect the stack trace. Click on the function name to open it in the Sources tab.

The original version was made by filedescriptor. This version extends it by adding a DevTools panel that allows for easier filtering/searching of found sinks.

Settings

You can edit settings directly in the extension: Settings

Limitation & Known Issues

  1. While it covers a majority of sinks, it doesn't cover navigation sinks like location = user_input unless it's location = 'javascript:' + user_input.
  2. It doesn't work in websites that are already using Trusted Types. This is not a problem for now because even Google themselves don't use it a lot
  3. If console logs are not showing the stack trace, refresh the page.
  4. It will fail on web pages with <iframe src="javascript:..."> (but fine if dynamically inserted). Check issue #1
  5. It will fail in web workers using importScripts(). Check issue #7

Based on

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].