Replying to Avatar Sirius

Unfortunately yes. The app is built using preact and I'm not injecting any user-generated html, but there's always the risk that bad code gets merged or iris.to gets hacked.

I hope we'll have app-specific keys at some point, and a good way to connect them to the same identity (and disconnect if they get pwned).

In the meantime, any good solutions for wrapped PWA key handling? Perhaps custom code could be written for android & iOS apps that provides the window.nostr api and keeps the key safe.
Avatar
Sirius 3y ago

Afaik, using dangerouslySetInnerHTML is the only way that XSS code could be injected into preact. I'm using dangerouslySetInnerHTML for some translations (from source code, not user-generated). One option is adding CI rules that ban dangerouslySetInnerHTML from the source code.

Reply to this note

Please Login to reply.

Discussion

No replies yet.