[Owasp-leaders] From a security point of view: Angular or React?

Jim Manico jim.manico at owasp.org
Sun Jun 28 23:06:55 UTC 2015

Well said Matt. 

I do not think that JQuery is the best choice for new dev, but it's certainly possible to secure existing legacy JQuery apps (by either encoding or using safe JQuery sinks as well as other methods like you suggest). And depending on server-side encoding for JS framework security is frankly a bad idea in my opinion. 

Between the new JS frameworks (backbone, Angular, React, Ember, etc) Angular has some of the best built-in XSS defense, by far.

Of course there are several other factors to consider like you suggest, but what impresses me most about Angular is that they provide...

1) Native contextual escaping
2) Whitelist HTML Sanitization
3) CSP Integration

Even better, when you turn off HTML Sanitization and allow unsanitized markup (like trusted static blocks of HTML) the function name you need to call is deliberatelyTrustDangerousSnippet().

For real. 

These are needed characteristics for XSS resistance in JS frameworks.

Jim Manico
Global Board Member
OWASP Foundation
Join me at AppSecUSA 2015!

> On Jun 28, 2015, at 12:02 PM, Matt Konda <matt.konda at owasp.org> wrote:
> While acknowledging what Jim is saying is true - that there are many dangerous sinks in JQuery and that Angular has minimized those, I would personally take a slightly different view.  So I thought I'd share to hopefully add to the discussion.
> Angular is great if you want to do heavy lifting in the client.  If you want a single page app or highly interactive, rich client programming experience then it is definitely something to look at.  I agree with his assertion that React is chasing on its heels, but there are also Ember, Backbone and others.  Angular has made some significant advances in securing what they are doing faster than some of the others, and Jim rightly notes that and gives them kudos that they deserve.  That is one reason it would be great to see the comparison of JS frameworks updated - they are all moving so fast, I couldn't tell you right now if Angular is still ahead in terms of security, I just know they turned the corner and faced the challenge early.
> Still, within the dev community, Angular has a reputation for being powerful but also giving you so much rope that you can hang yourself (which we used to say about C++).  I think the idioms are simpler in some of the other frameworks even if they aren't as powerful.  Some have said that Angular is great for building MVC frameworks, where the others ARE your MVC framework.
> Which brings me back to JQuery.  
> It is possible to write a safe app in JQuery.  JQuery apps I've worked with tend to be less rich client side - they use JQuery to make the JS they are doing easy and to do simple Ajaxy things.  If the server is output encoding what JQuery sees, it doesn't matter if JQuery has "unsafe sinks".  So in an app that's Spring + Thymeleaf on the back end, if they don't use utext tags in Thymeleaf or echo user input without making a round trip to the server, it's just as safe as Angular.  JQuery is much more widely used than Angular overall and isn't necessarily in a position to write breaking changes the way Angular was.  It also gets used in snippets here and there that aren't so easily dealt with as a framework function.  That doesn't make failure to address security issues ok, but in a big picture you can understand it in better perspective.
> Ultimately, as much as I am a security advocate, I think this is a case where you have to accept nuance and understand the full stack and objectives of the developers and advocate for something that fits both the security and the business need.  
> If I were building a new app intended to be JS heavy, I would use Angular, React, Ember or something like it - provided the dev team working with it was comfortable and productive with it.
> If I were working on a large existing JQuery app, I would identify failure scenarios and fix those within the app.  I wouldn't advocate scrapping the app to move to Angular.  In the case that the failures truly are systemic, a rewrite might be in order.
> In any of those cases, I would advocate for writing tests (Jasmine/Selenium/Cucumber/JBehave, whatever) so that the developers could understand the scenarios that would be problematic.
> Enjoy.
> Matt
>> On Sun, Jun 28, 2015 at 3:37 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Almost every "sink" in JQuery is dangerous. 
>> The safe ones include:
>> http://api.jquery.com/text/
>> and
>> http://api.jquery.com/val/
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015!
>>> On Jun 28, 2015, at 8:47 AM, Tim <tim.morgan at owasp.org> wrote:
>>>> On Sun, Jun 28, 2015 at 10:29:56AM -0400, johanna curiel curiel wrote:
>>>> Dinis
>>>> What about Jquery? Many people are still using it today; I know a banking app
>>>> using it.
>>> I get the impression that jQuery has a lot of sinks that would trip up
>>> the typical UI developer:
>>>  https://code.google.com/p/domxsswiki/wiki/jQuery
>>> tim
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
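An added example, not code from the thread or from Angular or jQuery: a minimal contextual-escaping layer of the kind Jim credits Angular with (one encoder per output context, chosen by the sink), plus a check that shows why a single server-side HTML-encoding pass is the wrong defence once a value lands in a JavaScript string context. The function names and the `html`/`attr`/`js` context labels are assumptions of this example.

```javascript
// Added example, not code from the thread or from Angular/jQuery: a minimal
// "contextual escaping" layer and a check showing that one HTML-encoding pass
// applied server-side is not enough when the value lands in a JS string.

// HTML body context: neutralise markup-significant characters.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: every non-alphanumeric as &#xHH; so that even an
// unquoted attribute value cannot be terminated early.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string-literal context: every non-alphanumeric as \uXXXX.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, '0')}`);
}

// Contextual dispatch (hypothetical names): the caller says where the value
// will be bound and the encoder is picked for that sink, instead of one
// encoding being applied everywhere.
const ENCODERS = { html: encodeForHtml, attr: encodeForHtmlAttribute, js: encodeForJsString };
function encodeFor(context, value) {
  const enc = ENCODERS[context];
  if (!enc) throw new Error(`unknown output context: ${context}`);
  return enc(value);
}

// Place the encoded value inside a double-quoted JS string literal (what a
// template does when it emits <script>var x = "...";</script>) and evaluate it.
// Returns true only if the literal is still well-formed AND yields the original
// value; false means the encoding either broke the literal or corrupted the
// data. The inputs used here are constructed fixtures, so evaluating is safe.
function roundTripsInJsString(raw, encoder) {
  try {
    return new Function(`return "${encoder(raw)}";`)() === raw;
  } catch (e) {
    return false; // SyntaxError: the value terminated or broke the literal
  }
}
```

The HTML encoder leaves a lone backslash untouched (so the literal breaks) and turns `&` into `&amp;` (so the data is corrupted); only the JS-string encoder round-trips cleanly in that context.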