Add plugin to append a simple serialize and deserialize to stores #104
Conversation
Any timeline when you gonna take a look at my pull request?
This implementation is susceptible to XSS attacks if any of the stores contain HTML strings.
How exactly? This plugin stores stuff exactly as it is in the current state and restores exactly that state. Don't think serialization and de-serialization need to handle XSS.
Interesting topic. Would using a library such as https://github.com/leizongmin/js-xss or https://github.com/cure53/DOMPurify help with the XSS vulnerability? -edit- I forgot to mention https://github.com/yahoo/xss-filters as well.
Once again I think that would be a huge mistake for this use case. You don't want any data manipulation for serialization and deserialization. The main purpose is that what I put in comes out again, and the other way around. Some sort of purify could be done as a separate plugin.
@fkrauthan I have limited knowledge on the topic. Are you referring to the fact that data should be sanitized prior to being inserted into the database (typically)?
@jbmusso I am referring to the fact that sanitization should not happen in a save and restore functionality. This pull request is a wrapper for registering serialize and deserialize functions automatically for your models based on toJSON and fromJSON functionality. The main goal of that is to save the current state (exactly as it is) and restore it (exactly as it is). Any attempt to sanitize data would possibly change the data and destroy the purpose of serialize and deserialize.
@fkrauthan Thanks, this makes sense. I also feel that this implies that one should make sure that no state could contain data that, once serialized, would be a possible vector for an XSS attack. This leaves the responsibility to the developer to sanitize all strings prior to serializing the state, and that'd make your plugin useful. Let me know if I'm mistaken.
@jbmusso No, that is exactly what I want. If people are concerned about unsafe data they could catch it and sanitize before writing it to the store (setState on the store). And since it is an optional plugin, no one is forced into the shortcut to get a simple serialize and deserialize working. It is really just a shortcut that will work for 99% of the users who need state dehydration on the server side and rehydration on the client side.
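The round trip discussed above, as an added example that is not part of this pull request or of flummox's own code: a minimal toJSON/fromJSON-based serialize and deserialize that leaves store contents untouched, next to the one place where an HTML string in a store actually becomes an XSS vector during server-side dehydration, namely when the JSON is inlined into a `<script>` block. The store shape, `makeStore`, `serializeStores`, `deserializeStores` and `embedStateInScript` are names assumed for this example; the sample state is constructed.

```javascript
// Added example, not flummox code. makeStore/toJSON/fromJSON are assumptions
// standing in for the store hooks the PR registers; the state below is constructed.
function makeStore(initialState) {
  const store = { state: { ...initialState } };
  store.setState = (partial) => { store.state = { ...store.state, ...partial }; };
  // Round-trip hooks: what goes in must come out unchanged, no sanitizing here.
  store.toJSON = () => store.state;
  store.fromJSON = (obj) => { store.state = { ...obj }; };
  return store;
}

// Dehydrate every registered store into one JSON document.
function serializeStores(stores) {
  const out = {};
  for (const [name, store] of Object.entries(stores)) out[name] = store.toJSON();
  return JSON.stringify(out);
}

// Rehydrate: only stores present in the document are touched.
function deserializeStores(stores, json) {
  const data = JSON.parse(json);
  for (const [name, store] of Object.entries(stores)) {
    if (Object.prototype.hasOwnProperty.call(data, name)) store.fromJSON(data[name]);
  }
}

// Escaping belongs at the HTML boundary, not in serialize/deserialize.
// Inside a <script> block the parser stops at "</script" regardless of the
// JSON string it sits in; escaping "<", ">" and "&" as \uXXXX keeps the text
// valid JSON and neutralises "</script", "<!--" and friends. U+2028/U+2029
// are escaped too, since older engines treat them as line terminators.
function embedStateInScript(json) {
  const safe = json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `<script>window.__STATE__ = ${safe};</script>`;
}

// Recover the JSON text from the rendered <script> block (what the client reads).
function extractStateJson(html) {
  const prefix = '<script>window.__STATE__ = ';
  const suffix = ';</script>';
  return html.slice(prefix.length, html.length - suffix.length);
}

// Constructed sample: a store holding an attacker-controlled HTML string.
const PAYLOAD = '</script><script>alert(1)</script>';
const stores = { messages: makeStore({ items: [PAYLOAD] }) };
const json = serializeStores(stores);
const html = embedStateInScript(json);

// Rehydrate into a fresh set of stores on the "client".
const clientStores = { messages: makeStore({ items: [] }) };
deserializeStores(clientStores, extractStateJson(html));
```

The data path is unchanged end to end: the payload is stored, serialized and rehydrated byte for byte, while the rendered page contains exactly one closing `</script>` tag. Sanitizing in `toJSON` would have altered the stored value; escaping at the embedding step does not.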
+1 for this PR. I would rename the I think this is a wrong place to handle XSS. The user should be able to assume that
+1 as well.
Is this still relevant for anyone?
I still would like to have this in flummox |
This is a pull request to solve ticket #102
This plugin adds a simple json serialize and deserialize to a Store.