
Releases: linagora/lasso.js

Security improvements

02 Jan 17:45


Security

  • CSRF Protection: Added nonce-based state validation with round-trip via RelayState
  • XSS Prevention: HTML escaping in all POST binding forms (escapeHtml())
  • Open Redirect Prevention: URL validation blocks absolute URLs by default (isValidRedirectUrl())
  • XXE Protection: Disabled external entity loading in libxml2 (xmlSubstituteEntitiesDefault(0))
  • Session Fixation: Session regeneration after successful authentication
  • Path Traversal Prevention: Improved validation using path.relative() and isAbsolute()
  • Memory Safety: Use explicit_bzero() for secure erasure of private keys (POSIX/Windows)
  • Input Validation: Metadata size limit (10 MB) to prevent DoS
  • Error Handling: Throw errors on session/identity restoration failure instead of silent fallback