Compare commits
1 Commits
bolt-optim
...
sentinel-s
| Author | SHA1 | Date | |
|---|---|---|---|
|
4191e829cb |
@@ -27,3 +27,8 @@
|
||||
**Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
|
||||
**Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
|
||||
**Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
|
||||
|
||||
## 2026-02-14 - Backtick Injection in Template Strings
|
||||
**Vulnerability:** Standard HTML sanitization often ignores backticks (` `), which can be dangerous if the sanitized string is injected into a JavaScript template literal context.
|
||||
**Learning:** While HTML entities (`<`, `"`) protect HTML contexts, modern JS uses backticks for strings. Failing to escape them allows attackers to break out of the string boundary if the data is used in a JS context.
|
||||
**Prevention:** Explicitly replace backticks with ``` in sanitization routines intended for general-purpose use.
|
||||
|
||||
@@ -65,8 +65,7 @@ const GradientBlinds: React.FC<GradientBlindsProps> = ({
|
||||
const rendererRef = useRef<Renderer | null>(null);
|
||||
const mouseTargetRef = useRef<[number, number]>([0, 0]);
|
||||
// Optimization: store raw pointer position (viewport coords) to decouple event handling from calculation
|
||||
// Changed to a stable object to avoid GC pressure in high-frequency event handlers
|
||||
const pointerPosRef = useRef<{ x: number; y: number; active: boolean }>({ x: 0, y: 0, active: false });
|
||||
const pointerPosRef = useRef<{ x: number; y: number } | null>(null);
|
||||
const isMobileRef = useRef<boolean>(false);
|
||||
const lastTimeRef = useRef<number>(0);
|
||||
const firstResizeRef = useRef<boolean>(true);
|
||||
@@ -305,8 +304,7 @@ void main() {
|
||||
const cx = gl.drawingBufferWidth / 2;
|
||||
const cy = gl.drawingBufferHeight / 2;
|
||||
uniforms.iMouse.value = [cx, cy];
|
||||
mouseTargetRef.current[0] = cx;
|
||||
mouseTargetRef.current[1] = cy;
|
||||
mouseTargetRef.current = [cx, cy];
|
||||
}
|
||||
};
|
||||
|
||||
@@ -334,13 +332,10 @@ void main() {
|
||||
x = (e.clientX - rect.left) * scale;
|
||||
y = (rect.height - (e.clientY - rect.top)) * scale;
|
||||
}
|
||||
mouseTargetRef.current[0] = x;
|
||||
mouseTargetRef.current[1] = y;
|
||||
pointerPosRef.current.active = false; // Ensure loop doesn't override
|
||||
mouseTargetRef.current = [x, y];
|
||||
pointerPosRef.current = null; // Ensure loop doesn't override
|
||||
} else {
|
||||
pointerPosRef.current.x = e.clientX;
|
||||
pointerPosRef.current.y = e.clientY;
|
||||
pointerPosRef.current.active = true;
|
||||
pointerPosRef.current = { x: e.clientX, y: e.clientY };
|
||||
}
|
||||
};
|
||||
|
||||
@@ -349,7 +344,7 @@ void main() {
|
||||
uniforms.iTime.value = t * 0.001;
|
||||
|
||||
// Update target based on pointer position and scroll offset
|
||||
if (pointerPosRef.current.active) {
|
||||
if (pointerPosRef.current) {
|
||||
const scale = (renderer as unknown as { dpr?: number }).dpr || 1;
|
||||
let x, y;
|
||||
|
||||
@@ -366,8 +361,7 @@ void main() {
|
||||
x = (pointerPosRef.current.x - rect.left) * scale;
|
||||
y = (rect.height - (pointerPosRef.current.y - rect.top)) * scale;
|
||||
}
|
||||
mouseTargetRef.current[0] = x;
|
||||
mouseTargetRef.current[1] = y;
|
||||
mouseTargetRef.current = [x, y];
|
||||
}
|
||||
|
||||
if (mouseDampening > 0) {
|
||||
@@ -382,13 +376,8 @@ void main() {
|
||||
cur[0] += (target[0] - cur[0]) * factor;
|
||||
cur[1] += (target[1] - cur[1]) * factor;
|
||||
} else {
|
||||
if (pointerPosRef.current.active || isMobileRef.current) {
|
||||
// In no-dampening mode, update values directly.
|
||||
// We copy values instead of assigning the reference to avoid aliasing issues
|
||||
// (where cur and target become the same array) if dampening is enabled later
|
||||
// without re-creating uniforms (though currently effect deps handle that).
|
||||
uniforms.iMouse.value[0] = mouseTargetRef.current[0];
|
||||
uniforms.iMouse.value[1] = mouseTargetRef.current[1];
|
||||
if (pointerPosRef.current || isMobileRef.current) {
|
||||
uniforms.iMouse.value = mouseTargetRef.current;
|
||||
}
|
||||
lastTimeRef.current = t;
|
||||
}
|
||||
|
||||
@@ -10,6 +10,7 @@ describe('Security Utils', () => {
|
||||
expect(sanitizeInput('foo & bar')).toBe('foo & bar');
|
||||
expect(sanitizeInput('"quotes"')).toBe('"quotes"');
|
||||
expect(sanitizeInput("'single quotes'")).toBe(''single quotes'');
|
||||
expect(sanitizeInput('`backticks`')).toBe('`backticks`');
|
||||
expect(sanitizeInput('>')).toBe('>');
|
||||
});
|
||||
|
||||
@@ -74,6 +75,8 @@ describe('Security Utils', () => {
|
||||
expect(isValidEmail('spam@mailinator.com')).toBe(false);
|
||||
expect(isValidEmail('bot@yopmail.com')).toBe(false);
|
||||
expect(isValidEmail('temp@temp-mail.org')).toBe(false);
|
||||
expect(isValidEmail('spam@sharklasers.com')).toBe(false);
|
||||
expect(isValidEmail('bot@maildrop.cc')).toBe(false);
|
||||
});
|
||||
|
||||
it('rejects blocked domains regardless of case', () => {
|
||||
|
||||
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
|
||||
.replace(/</g, "<")
|
||||
.replace(/>/g, ">")
|
||||
.replace(/"/g, """)
|
||||
.replace(/'/g, "'");
|
||||
.replace(/'/g, "'")
|
||||
.replace(/`/g, "`");
|
||||
}
|
||||
|
||||
// Common disposable email providers and invalid domains
|
||||
@@ -25,8 +26,13 @@ const BLOCKED_DOMAINS = new Set([
|
||||
"yopmail.com",
|
||||
"temp-mail.org",
|
||||
"guerrillamail.com",
|
||||
"guerrillamail.net",
|
||||
"10minutemail.com",
|
||||
"trashmail.com",
|
||||
"sharklasers.com",
|
||||
"dispostable.com",
|
||||
"maildrop.cc",
|
||||
"getairmail.com",
|
||||
]);
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user