[Owasp-leaders] From a security point of view: Angular or React?

Matt Konda matt.konda at owasp.org
Sun Jun 28 22:02:36 UTC 2015

While acknowledging what Jim is saying is true - that there are many
dangerous sinks in JQuery and that Angular has minimized those, I would
personally take a slightly different view.  So I thought I'd share to
hopefully add to the discussion.

Angular is great if you want to do heavy lifting in the client.  If you
want a single page app or highly interactive, rich client programming
experience then it is definitely something to look at.  I agree with his
assertion that React is chasing on its heels, but there are also Ember,
Backbone and others.  Angular has made some significant advances in
securing what they are doing faster than some of the others, and Jim
rightly notes that and gives them kudos that they deserve.  That is one
reason it would be great to see the comparison of JS frameworks updated -
they are all moving so fast, I couldn't tell you right now if Angular is
still ahead in terms of security, I just know they turned the corner and
faced the challenge early.

Still, within the dev community, Angular has a reputation for being
powerful but also giving you so much rope that you can hang yourself (which
we used to say about C++).  I think the idioms are simpler in some of the
other frameworks even if they aren't as powerful.  Some have said that
Angular is great for building MVC frameworks, where the others ARE your MVC

Which brings me back to JQuery.

It is possible to write a safe app in JQuery.  JQuery apps I've worked with
tend to be less rich client side - they use JQuery to make the JS they are
doing easy and to do simple Ajaxy things.  If the server is output encoding
what JQuery sees, it doesn't matter if JQuery has "unsafe sinks".  So in an
app that's Spring + Thymeleaf on the back end, if they don't use utext tags
in Thymeleaf or echo user input without making a round trip to the server,
its just as safe as Angular.  JQuery is much more widely used than Angular
overall and isn't necessarily in a position to write breaking changes the
way Angular was.  It also gets used in snippets here and there that aren't
so easily dealt with as a framework function.  That doesn't make failure to
address security issues ok, but in a big picture you can understand it in
better perspective.

Ultimately, as much as I am a security advocate, I think this is a case
where you have to accept nuance and understand the full stack and
objectives of the developers and advocate for something that fits both the
security and the business need.

If I were building a new app intended to be JS heavy, I would use Angular,
React, Ember or something like it - provided the dev team working with it
was comfortable and productive with it.

If I were working on a large existing JQuery app, I would identify failure
scenarios and fix those within the app.  I wouldn't advocate scrapping the
app to move to Angular.  In the case that the failures truly are systemic,
a rewrite might be in order.

In any of those cases, I would advocate for writing tests
(Jasmine/Selenium/Cucumber/JBehave, whatever) so that the developers could
understand the scenarios that would be problematic.


On Sun, Jun 28, 2015 at 3:37 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Almost every "sink" in JQuery is dangerous.
> The safe ones include:
> http://api.jquery.com/text/
> and
> http://api.jquery.com/val/
> Aloha,
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA <http://appsecusa.org/> 2015!
> On Jun 28, 2015, at 8:47 AM, Tim <tim.morgan at owasp.org> wrote:
> On Sun, Jun 28, 2015 at 10:29:56AM -0400, johanna curiel curiel wrote:
> Dinis
> What about Jquery? Many people still using it today, I know a banking app
> using it.
> I get the impression that jQuery has a lot of sinks that would trip up
> the typical UI developer:
>  https://code.google.com/p/domxsswiki/wiki/jQuery
> tim
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150628/73a7ce8c/attachment-0001.html>

More information about the OWASP-Leaders mailing list