Last Updated: 2025-10-27 Last Audit: 2025-10-27 (Full Audit Report)
textMan is committed to maintaining the highest security standards for our users. We take security seriously and appreciate the community's help in keeping textMan safe.
- Client-Side First - All processing happens in the browser, no data sent to servers
- Transparency - Open source code, auditable by anyone
- Privacy by Design - No tracking, no analytics, no cookies
- Regular Audits - Quarterly security audits conducted
- Fast Response - Security issues addressed within 48-72 hours
Based on our 2025-10-27 Security Audit, we are actively working to remediate the following issues:
Status: π In Remediation (Scheduled: Next session) Risk: HIGH - Arbitrary JavaScript execution possible Affected Versions: v2.1a.0 and earlier CVE: Pending
Description:
Multiple locations in the codebase use innerHTML with unsanitized user input, creating XSS vulnerabilities.
Affected Components:
- Toast notification system (js/scripts.js:273-282)
- Modal dialogs (js/scripts.js:360-363)
- History rendering (js/scripts.js:1351-1365)
- Additional locations (10+ instances)
Exploitation Risk: An attacker could inject malicious scripts through:
- User-provided text input
- Compromised localStorage data
- Crafted saved texts/templates
Mitigation Until Fixed:
- Avoid importing untrusted files
- Clear localStorage if suspicious behavior observed
- Use incognito/private browsing for sensitive text
Timeline:
- Fix Target: 2025-11-01
- Testing: 2025-11-02
- Release: 2025-11-03 (v2.1.1)
Status: π In Remediation (Scheduled: Next session) Risk: HIGH - XSS via HTML decode function Affected Versions: v2.1a.0 and earlier CVE: Pending
Description:
The HTML decode feature uses innerHTML to decode HTML entities, creating an XSS vector.
Location: js/scripts.js:816-825 (TextTools.decodeHTML)
Attack Vector:
<!-- User inputs: -->
<img src=x onerror=alert('XSS')>
<!-- Gets executed during decode -->Timeline:
- Fix Target: 2025-11-01
- Testing: 2025-11-02
- Release: 2025-11-03 (v2.1.1)
Status: π In Remediation (Scheduled: Next session) Risk: HIGH - No validation on stored data Affected Versions: v2.1a.0 and earlier CVE: Pending
Description: Data loaded from localStorage is not validated or sanitized before being rendered, allowing malicious data injection if localStorage is compromised.
Location: js/scripts.js:138-166 (Storage.load)
Attack Scenario:
- XSS vulnerability exploited
- Attacker injects malicious data into localStorage
- Data persists and executes on every page load
Timeline:
- Fix Target: 2025-11-01
- Testing: 2025-11-02
- Release: 2025-11-03 (v2.1.1)
Status: π Planned Risk: MEDIUM - Unicode characters cause crashes Timeline: 2025-11-05
Status: π Planned Risk: MEDIUM - No CSP headers reduce defense-in-depth Timeline: 2025-11-05
Status: π Planned Risk: MEDIUM - No MIME type or content validation Timeline: 2025-11-08
| Version | Supported | Notes |
|---|---|---|
| 2.1.x | β | Current, security fixes in progress |
| 2.0.x | β | Upgrade to 2.1.x |
| < 2.0 | β | No longer supported |
Current Version: v2.1a.0 Next Security Release: v2.1.1 (Target: 2025-11-03)
If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should NOT be reported via public GitHub issues. This protects users until a fix is available.
Preferred Method: Email security report to:
- Email: [email protected] (or project maintainer email)
- Subject:
[SECURITY] Brief description
Alternative Method: GitHub Security Advisories
- Go to: https://github.com/[your-org]/textMan/security/advisories
- Click "New draft security advisory"
**Summary:** Brief description of the vulnerability
**Type:** XSS / Injection / Authentication / etc.
**Affected Component:** Which file/function is vulnerable
**Severity:** Critical / High / Medium / Low (your assessment)
**Steps to Reproduce:**
1. Go to...
2. Click on...
3. See error...
**Impact:** What can an attacker do with this vulnerability?
**Proof of Concept:** (Code example or screenshot)
**Suggested Fix:** (Optional, but helpful)
**Discoverer:** Your name (for credit in release notes)
We aim to respond within:
- 24 hours: Initial acknowledgment
- 72 hours: Severity assessment and timeline
- 7-14 days: Fix development and testing
- 14-21 days: Security release
- We request 90 days before public disclosure
- We will credit you in release notes (unless you prefer anonymity)
- We may award bounties for critical vulnerabilities (if budget allows)
-
Never use
innerHTMLorouterHTML- β
element.innerHTML = userInput - β
element.textContent = userInput - β
Use
createElement()and DOM APIs
- β
-
Always sanitize user input
- Validate before processing
- Escape before rendering
- Use allowlists, not blocklists
-
Validate localStorage data
- Check structure and types
- Handle malformed data gracefully
- Consider using schema validation
-
Be cautious with encoding/decoding
- Use proper Unicode-safe methods
- Don't use
eval()orFunction()constructor - Validate encoded data before decoding
-
Follow the principle of least privilege
- Request minimal permissions
- Validate all inputs
- Fail securely (don't expose error details to users)
Before submitting a PR, ensure:
- No
innerHTML,outerHTML, oreval()usage - User input is sanitized
- localStorage data is validated
- No hardcoded secrets or API keys
- Error messages don't expose sensitive info
- Security-sensitive changes have unit tests
- Dependencies are up-to-date (no known vulnerabilities)
Auditor: Claude (Sonnet 4.5) Scope: Complete codebase (6,382 lines) Findings: 28 total issues (3 Critical, 7 High, 14 Medium, 4 Low) Report: View Full Audit
Critical Findings:
- SEC-001: innerHTML XSS (10+ locations)
- SEC-002: HTML decode XSS
- SEC-003: localStorage injection
Status: All critical issues scheduled for remediation in v2.1.1
β Client-Side Only
- No server communication (except CDN for Font Awesome)
- All processing happens in browser
- No data transmission to third parties
β Local Storage Only
- Data stays on your device
- No cloud storage
- Same-origin policy protection
β No Tracking
- No analytics
- No cookies
- No user profiling
β Open Source
- Code is auditable
- Community can review for security issues
- Transparent development process
π Content Security Policy (CSP)
- Prevent inline script execution
- Whitelist allowed resources
- Report violations
π Input Sanitization
- DOMPurify library integration
- Automatic HTML sanitization
- Safe-by-default APIs
π localStorage Validation
- JSON Schema validation
- Type checking
- Integrity verification (HMAC)
π Enhanced File Upload Security
- MIME type validation
- Content scanning
- File size limits (5MB recommended)
- Fix SEC-001 (innerHTML XSS) β Top Priority
- Fix SEC-002 (HTML decode XSS)
- Fix SEC-003 (localStorage validation)
- Implement Content Security Policy (SEC-005)
- Fix btoa/atob Unicode handling (SEC-004)
- Add file upload validation (SEC-006)
- Add automated security testing (SAST)
- Penetration testing
- Bug bounty program
- Security.txt file
- Security audit by professional firm
- Advanced cryptography research
- Enhanced data integrity verification
- Use modern, updated browsers
- Clear localStorage if suspicious behavior
- Don't import files from untrusted sources
- Use incognito mode for sensitive text editing
Security Issues: [email protected] (or maintainer email) General Questions: GitHub Discussions Bug Reports: GitHub Issues (for non-security bugs)
We thank the following security researchers and contributors:
- 2025-10-27: Claude (Sonnet 4.5) - Initial comprehensive security audit (28 issues identified)
Your name could be here! Report security issues responsibly.
Last Updated: 2025-10-27 Next Audit Due: 2026-01-27 (Quarterly)
This security policy is maintained as part of our commitment to transparent, secure software development.