We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take the security of VIOVNL.Flowy.Blazor seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- Do not open a public GitHub issue for security vulnerabilities
- Do not disclose the vulnerability publicly until we've had a chance to address it
Please report security vulnerabilities by emailing: hi@viov.nl
Include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up
After you submit a report, we will:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 5 business days
- Keep you informed of our progress
- Notify you when the vulnerability is fixed
- Credit you in the security advisory (if you wish)
- We will respond to your report promptly
- We will work with you to understand and validate the issue
- We will keep you informed of our progress
- We will credit you for the discovery (unless you prefer to remain anonymous)
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported versions
- Release new versions as soon as possible
- Publish a security advisory on GitHub
To ensure the security of your application using VIOVNL.Flowy.Blazor:
Always use the latest version of the component:

```bash
dotnet add package VIOVNL.Flowy.Blazor
```

Validate all user input before passing it to the component:
```csharp
// Validate node names
if (string.IsNullOrWhiteSpace(nodeName) || nodeName.Length > 100)
{
    // Handle invalid input
}

// Sanitize user-provided HTML content. HtmlSanitizer stands for whichever sanitizer
// library you use (with the Ganss.Xss package it is called as new HtmlSanitizer().Sanitize(html)).
var sanitizedContent = HtmlSanitizer.Sanitize(userContent);
```

Implement proper authorization for tree operations:
```csharp
private async Task HandleNodeDropped(FlowyNodeDroppedEventArgs args)
{
    // Check user permissions before allowing the operation
    if (!await _authService.CanModifyTree(CurrentUser))
    {
        // Reject the operation
        return;
    }
    // Process the operation
}
```

Use validation callbacks to enforce business rules:
```razor
<FlowyCanvasEditor
    OnValidateDropTarget="ValidateDropTarget"
    ... />
```

```csharp
private Task ValidateDropTarget(FlowyValidationEventArgs args)
{
    // Implement your validation logic
    if (args.Node.Type == "restricted" && args.TargetNode?.Type == "public")
    {
        args.IsValid = false;
        args.ValidationMessage = "Restricted nodes cannot be placed under public nodes";
    }
    return Task.CompletedTask;
}
```

Validate JSON before importing:
```csharp
using System.Text.Json;

try
{
    var data = JsonSerializer.Deserialize<FlowyTreeData>(json);
    // Validate the structure before handing the payload to the component
    if (data?.Nodes == null || data.Nodes.Count > 1000)
    {
        throw new InvalidOperationException("Invalid tree data");
    }
    await canvasEditor.ImportJson(json);
}
catch (JsonException ex)
{
    // Handle invalid JSON: log ex and report the failure rather than importing
}
```

Configure CSP headers for your Blazor application to prevent XSS attacks:
```html
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';">
```

Note that `'unsafe-inline'` in `script-src` lets any injected inline script run, which weakens the XSS protection the policy is meant to provide; remove it, or replace it with a nonce or hash, wherever your application's inline scripts allow.

The component maintains tree state on the client. Sensitive data should not be stored in the tree structure without additional encryption or server-side validation.
The component uses JavaScript interop for rendering. Ensure you're using a trusted environment and keep your browser updated.
If you pass user-generated content via RenderFragment, ensure it's properly sanitized to prevent XSS attacks.
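The JSON import check and the node-name limits above, combined into one validator as an added example (this is not code from the Flowy.Blazor project; `ImportNode` and `ImportTree` are hypothetical stand-ins for `FlowyTreeData`, whose shape this page does not show). Beyond the count and length limits, it also rejects duplicate ids, dangling parent references and cycles, which a client-supplied tree can otherwise smuggle past a count check:

```csharp
using System.Collections.Generic;
using System.Text.Json;

// Hypothetical stand-ins for the imported tree; the real FlowyTreeData shape is not shown on this page.
public sealed class ImportNode
{
    public string Id { get; set; } = "";
    public string? ParentId { get; set; }
    public string Name { get; set; } = "";
}
public sealed class ImportTree { public List<ImportNode>? Nodes { get; set; } }

public static class TreeImportValidator
{
    // MaxDepth rejects deeply nested payloads inside the deserializer, before any tree logic runs.
    private static readonly JsonSerializerOptions Options = new() { MaxDepth = 32, PropertyNameCaseInsensitive = true };

    // Returns null when the payload is safe to hand to ImportJson, otherwise a reason to log and show.
    public static string? Validate(string json, int maxNodes = 1000, int maxNameLength = 100)
    {
        ImportTree? tree;
        try { tree = JsonSerializer.Deserialize<ImportTree>(json, Options); }
        catch (JsonException ex) { return $"Malformed JSON: {ex.Message}"; }

        if (tree?.Nodes == null) return "Missing node list";
        if (tree.Nodes.Count > maxNodes) return $"Too many nodes ({tree.Nodes.Count} > {maxNodes})";

        var byId = new Dictionary<string, ImportNode>();
        foreach (var n in tree.Nodes)
        {
            // Same limits as the node-name check above, plus ids must be present and unique.
            if (string.IsNullOrWhiteSpace(n.Id) || !byId.TryAdd(n.Id, n)) return $"Missing or duplicate node id '{n.Id}'";
            if (string.IsNullOrWhiteSpace(n.Name) || n.Name.Length > maxNameLength) return $"Invalid name on node '{n.Id}'";
        }

        // Every parent must exist, and walking parent links must reach a root without looping.
        foreach (var n in tree.Nodes)
        {
            var seen = new HashSet<string> { n.Id };
            var cur = n;
            while (cur.ParentId != null)
            {
                if (!byId.TryGetValue(cur.ParentId, out var parent)) return $"Node '{cur.Id}' references missing parent '{cur.ParentId}'";
                if (!seen.Add(parent.Id)) return $"Cycle through node '{parent.Id}'";
                cur = parent;
            }
        }
        return null;
    }
}
```

Call `TreeImportValidator.Validate(json)` before `canvasEditor.ImportJson(json)` and only import when it returns null.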
Security advisories will be published at:
- GitHub Security Advisories: https://github.com/VIOVNL/Flowy.Blazor/security/advisories
- NuGet package page: https://www.nuget.org/packages/VIOVNL.Flowy.Blazor
If you have questions about this security policy, please email hi@viov.nl