 Welcome to the Composer Start Page

Posted by OSS-Index on May 21, 2016

Quick access to Composer auditing tools, search, and recent Composer activity on OSS Index.

Composer package vulnerability: jstree

Cross Site Scripting (XSS)
Wed Aug 02 18:53:48 EDT 2017

> When using inline HTML to populate the tree, if the nodes contain HTML entities, the node text will contain those entities even though they aren't rendered.
>
> – github.com

Composer package vulnerability: ckeditor

`target=_blank` vulnerability
Sun Jul 30 09:51:06 EDT 2017

> If a victim had access to a spoofed version of ckeditor.com via HTTP (e.g. due to DNS spoofing, using a hacked public network or malicious hotspot), then when using a link to the ckeditor.com website it was possible for the attacker to change the current URL of the opening page, even if the opening page was protected with SSL.
>
> – github.com
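The effect quoted above (a page opened from a link rewriting the URL of the page that opened it) is the general `target="_blank"` / `window.opener` problem, often called reverse tabnabbing. The following is an added example, not CKEditor's own code or its fix: it enforces `rel="noopener noreferrer"` on every link that opens a new browsing context, so the opened page never receives a usable `window.opener`. The attribute-map shape and the helper names are assumptions made for this illustration.

```javascript
// Added example (not CKEditor code): harden links that open a new window.
//
// A page opened via target="_blank" normally gets a window.opener reference
// and can run, for instance:
//     window.opener.location = "https://attacker.example/fake-login";
// which navigates the *opening* page even if that page was served over HTTPS.
// rel="noopener" severs the reference; "noreferrer" additionally withholds the
// Referer header and implies noopener in browsers that understand it.

const NEW_CONTEXT_TARGETS = new Set(["_blank"]);

/**
 * Return a copy of an anchor's attribute map (e.g. { href, target, rel })
 * with rel="noopener noreferrer" enforced when the link opens a new tab.
 * Existing rel tokens (nofollow, ...) are preserved.
 */
function hardenLinkAttributes(attrs) {
  const out = { ...attrs };
  const target = (out.target || "").trim().toLowerCase();
  if (!NEW_CONTEXT_TARGETS.has(target)) {
    return out; // same-tab navigation: window.opener is not involved
  }
  const rel = new Set((out.rel || "").split(/\s+/).filter(Boolean));
  rel.add("noopener");
  rel.add("noreferrer");
  out.rel = [...rel].join(" ");
  return out;
}

/**
 * Serialize an attribute map back to an <a> tag. Attribute values and the
 * link text are escaped so a value containing quotes or angle brackets
 * cannot break out of the tag.
 */
function renderAnchor(attrs, text) {
  const esc = (s) =>
    String(s)
      .replace(/&/g, "&amp;")
      .replace(/"/g, "&quot;")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;");
  const attrStr = Object.entries(attrs)
    .map(([k, v]) => `${k}="${esc(v)}"`)
    .join(" ");
  return `<a ${attrStr}>${esc(text)}</a>`;
}

/**
 * Programmatic equivalent for window.open (browser only, not exercised here):
 * the "noopener" window feature makes the call return null, so the fallback
 * assignment only runs in browsers that ignore the feature string.
 */
function openInNewTab(url) {
  const w = window.open(url, "_blank", "noopener,noreferrer");
  if (w) w.opener = null;
  return w;
}

// Constructed sample input: the kind of link the quoted advisory is about.
const sample = hardenLinkAttributes({ href: "https://ckeditor.com", target: "_blank" });
console.log(renderAnchor(sample, "ckeditor.com"));
```

Run the post-processor over every anchor an editor emits (or over the rendered HTML before it is served); a link with `target="_blank"` and no `rel` should never reach the page.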

Composer package vulnerability: phpmyadmin

[CVE-2017-1000018] Improper Input Validation
Wed Jul 19 10:42:53 EDT 2017

phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a denial-of-service (DoS) attack in the replication status page, triggered by a specially crafted table name.

Composer Notes: jstree

Avoid XSS using `force_text` option.
Mon Oct 31 00:25:29 EDT 2016

There is a setting that you can enable if you want pure text nodes: http://www.jstree.com/api/#/?q=force&f=$.jstree.defaults.core.force_text

jstree cannot know whether you want the user to be able to input HTML or not, hence the setting; just set `force_text` to `true` in your config.
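Both jstree entries above come down to the same question: is node text inserted as HTML or as text? The following is an added example, not jstree's own code. It shows the `core.force_text` configuration the maintainer points to, a small model of the rendering decision that option controls (a model written for this page, not jstree's internals), and an application-side builder for node data from untrusted records, including the double-escaping trap the first entry hints at (text that already contains entities gets escaped again). The sample node data and helper names are constructed for the illustration.

```javascript
// Added example (not jstree code). Node data below is constructed.

// Minimal HTML escaper used by the application-side path.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Model (not jstree's implementation) of what core.force_text decides:
// with force_text the label is inserted as text, so markup shows literally;
// without it the label is inserted as HTML and any script-bearing markup runs.
function renderNodeLabel(text, forceText) {
  return forceText ? escapeHtml(text) : String(text);
}

// jstree 3.x configuration with the option enabled. core.force_text is the
// real option from the API docs linked above; the data array is a sample.
const jstreeConfig = {
  core: {
    force_text: true,
    data: [
      { id: "reports", text: "Reports" },
      // Looks like markup; with force_text it is displayed as literal text.
      { id: "payload", text: '<img src=x onerror="alert(1)">' },
    ],
  },
};
// In a page: $("#tree").jstree(jstreeConfig);

// Application-side defence for node objects built from untrusted records.
// Escape the text yourself only when the library is NOT doing it; otherwise
// users see "&lt;" instead of "<" (double escaping). Ids are restricted to a
// safe character set because tree libraries use them in DOM ids and selectors.
function toNodes(records, { libraryEscapes }) {
  return records.map((r, i) => ({
    id: /^[A-Za-z0-9_-]+$/.test(String(r.id ?? "")) ? String(r.id) : `node_${i}`,
    text: libraryEscapes ? String(r.name) : escapeHtml(r.name),
  }));
}

// Markup for each label under either configuration. The untrusted string is
// escaped exactly once in both cases and never becomes live HTML.
function renderTree(records, forceText) {
  return toNodes(records, { libraryEscapes: forceText })
    .map(
      (n) =>
        `<li id="${n.id}"><a class="jstree-anchor">${renderNodeLabel(n.text, forceText)}</a></li>`
    )
    .join("");
}

// Constructed sample: one benign record, one with an unsafe id and a payload.
const sampleRecords = [
  { id: "reports", name: "Reports" },
  { id: "bad id", name: '<img src=x onerror="alert(1)">' },
];
console.log(renderTree(sampleRecords, true));
```

Pick one layer to do the escaping. If `force_text` is on, feed jstree raw text and let it escape; if you must allow HTML in labels for some nodes, escape the untrusted parts yourself before they reach the tree, and watch for text that already carries entities, since `force_text` will escape the ampersands again.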

Composer Notes: bootstrap

DOM XSS by Misusing Bootstrap
Tue May 31 01:13:10 EDT 2016

"First of all, let me make it clear that this article is not about XSS in Bootstrap itself (the very popular libraries originally from Twitter to fancify your website), it's about XSS as a result of using Bootstrap in an insecure fashion. It's based on a real penetration test: the site in question wasn't vulnerable but it was immediately clear how things could have gone wrong. I thought it would be an interesting XSS article, being both DOM-based and making use of a big-name library like Bootstrap."

