| Version | Supported |
|---|---|
| 0.0.x | ✅ |
We take the security of vxui seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: kbkpbot@gmail.com
Please include the following information in your report:
- Description: Clear description of the vulnerability
- Impact: What could an attacker do with this vulnerability?
- Steps to Reproduce: Detailed steps to reproduce the issue
- Affected Versions: Which versions are affected?
- Environment: OS, browser, V version
- Possible Solutions: If you have suggestions for fixes
We will acknowledge receipt of your vulnerability report within 48 hours and will send a more detailed response within 72 hours indicating the next steps in handling your report.
After the initial reply to your report, we will endeavor to keep you informed of the progress towards a fix and full announcement.
- Acknowledgment: We'll confirm receipt of your report
- Investigation: We'll investigate and validate the vulnerability
- Fix Development: We'll work on a fix
- Release: We'll release a patched version
- Disclosure: We'll publicly disclose the vulnerability (with credit to you, if desired)
When using vxui in your applications, treat every value that arrives from the frontend as untrusted and escape it before interpolating it into HTML:

```v
import x.json2
import vxui

fn (mut app App) handler(msg map[string]json2.Any) string {
	// Values from the browser arrive as json2.Any; fall back to '' if the key is absent
	user_input := (msg['name'] or { json2.Any('') }).str()
	// Always escape user input before it goes into markup!
	safe_input := vxui.escape_html(user_input)
	return '<div>Hello ${safe_input}</div>'
}
```

vxui automatically sanitizes paths, but you can also do it manually. Inside a handler that returns an HTML string:

```v
// user_provided_path comes from the frontend message; sanitize_path returns an
// error on directory traversal attempts (e.g. "../"), which the or block handles
safe_path := vxui.sanitize_path(user_provided_path) or {
	return '<div>Invalid path</div>'
}
```

All data from the frontend should be validated, not only escaped. Check types and formats before acting on them:

```v
fn (mut app App) update(msg map[string]json2.Any) string {
	// parameters is expected to be a JSON object; as_map() converts the Any to a map
	params := (msg['parameters'] or { json2.Any(json2.Null{}) }).as_map()
	// Validate required fields
	if email := params['email'] {
		if !vxui.is_valid_email(email.str()) {
			return '<div class="error">Invalid email</div>'
		}
	}
	// Process valid data
	return '<div>Success</div>'
}
```

vxui includes several built-in security measures:
- Path Sanitization: Prevents directory traversal attacks
- HTML Escaping: Built-in functions to prevent XSS when frontend values are interpolated into markup
- Localhost Binding: The WebSocket server binds only to localhost, so it is not reachable from other hosts; note that other processes on the same machine can still connect to it
- No External HTTP: No external network exposure

Known limitations:

- Alpha Software: vxui is in alpha stage; security features are still being enhanced
- No CSRF Protection: Currently no built-in CSRF token system; keep in mind that browsers do not apply the same-origin policy to WebSocket connections, so it is the server, not the browser, that has to decide which origins may connect
- No Rate Limiting: Built-in rate limiting is not yet implemented
We recommend:
- Validating all user inputs
- Using HTTPS if deploying to production (when supported)
- Implementing additional rate limiting for production use
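The following is an added example of the rate limiting recommended above; it is not vxui's own code. It wraps a minimal fixed-window limiter around a handler with the same signature as the handlers shown earlier on this page. The `RateLimiter` type, the `App` struct with its `limiter` field, and the choice of the handler name `'update'` as the limiter key are all assumptions made for this example (a vxui message as shown on this page carries no client identifier, and the server binds to localhost, so per-handler limiting is the natural unit). The sample message in `main` is constructed.

```v
import time
import x.json2

// Fixed-window rate limiter keyed by an arbitrary string.
// Added example for this page; not part of vxui.
struct RateLimiter {
	limit  int
	window time.Duration
mut:
	counts map[string]int
	starts map[string]time.Time
}

fn new_rate_limiter(limit int, window time.Duration) RateLimiter {
	return RateLimiter{
		limit:  limit
		window: window
	}
}

// allow reports whether one more request under `key` fits in the current window.
fn (mut r RateLimiter) allow(key string) bool {
	now := time.now()
	start := r.starts[key] or { time.Time{} }
	if now - start > r.window {
		// The window expired (or was never opened): start a new one for this key.
		r.starts[key] = now
		r.counts[key] = 0
	}
	if r.counts[key] >= r.limit {
		return false
	}
	r.counts[key] += 1
	return true
}

// Hypothetical application struct; a real app would carry its own state here.
struct App {
mut:
	limiter RateLimiter
}

// update has the handler shape used on this page. The limiter check runs before
// any parsing so that a flood of messages is rejected cheaply.
fn (mut app App) update(msg map[string]json2.Any) string {
	if !app.limiter.allow('update') {
		return '<div class="error">Too many requests</div>'
	}
	params := (msg['parameters'] or { json2.Any(json2.Null{}) }).as_map()
	name := (params['name'] or { json2.Any('') }).str()
	if name.len == 0 {
		return '<div class="error">Missing name</div>'
	}
	return '<div>Updated ${name}</div>'
}

fn main() {
	// Constructed setup: 5 requests per 10 seconds; the sixth call is rejected.
	mut app := App{
		limiter: new_rate_limiter(5, 10 * time.second)
	}
	msg := {
		'parameters': json2.Any({
			'name': json2.Any('alice')
		})
	}
	for i in 0 .. 6 {
		println('${i + 1}: ${app.update(msg)}')
	}
}
```

Call `allow` at the top of every handler you want protected, with a key per handler (or per action). A fixed window is simple but lets up to twice the limit through across a window boundary; if that burst matters, replace `allow` with a token bucket while keeping the same call site.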
Security updates will be released as patch versions (e.g., 0.0.1 → 0.0.2).
To stay updated:
- Watch this repository on GitHub
- Check the Releases page
- Subscribe to security advisories
We thank the following individuals who have reported security issues:
(List will be updated as reports are received)
This security policy is subject to change. Please review it periodically for updates.