Framework7 Code Review

ISGroup SRL performed an automated Code Review (not a real Static Analysis, more a grep-on-steroid) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false-positives and false-negatives (undetected issues) but it's free and your project could benefit from this security analisys. The following data is also available in JSON format!

Possible Security Issues

Issue	Description	Line	File
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	83	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	89	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	95	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	226	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	249	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	741	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	763	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	780	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	788	kitchen-sink-ios/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	100	src/js/notifications.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	115	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	180	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	194	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	198	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	219	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	235	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	268	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	327	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	390	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	409	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	502	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	507	src/js/fast-clicks.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	163	src/js/dom7-utils.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	225	src/js/searchbar.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	246	src/js/searchbar.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	268	src/js/searchbar.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	27	src/js/push-state.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	536	src/js/swiper.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1307	src/js/swiper.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1319	src/js/swiper.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1593	src/js/swiper.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1609	src/js/swiper.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2748	src/js/swiper.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2859	src/js/swiper.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	632	src/js/photo-browser.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	312	src/js/calendar.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	365	src/js/swipeout.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	88	src/js/messagebar.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	114	src/js/dom7-ajax.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	253	src/js/dom7-ajax.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	549	src/js/router.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	559	src/js/router.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	701	src/js/router.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	8	src/js/resize.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	352	src/js/picker.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	25	src/js/forms-textarea.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1258	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1279	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1301	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1572	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2585	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2595	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2737	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4998	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6845	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6910	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6924	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6928	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6949	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6965	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6998	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7057	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7120	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7139	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7232	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7237	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7616	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7863	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7987	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	8757	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	9768	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	10337	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	11123	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	12255	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	12394	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	12586	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	13844	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	14615	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	14627	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	14901	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	14917	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	16056	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	16167	dist/js/framework7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	15	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	16	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	17	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	18	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	19	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	20	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	21	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	22	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	23	dist/js/framework7.min.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	81	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	87	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	93	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	230	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	254	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	762	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	784	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	800	kitchen-sink-material/js/kitchen-sink.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	808	kitchen-sink-material/js/kitchen-sink.js

Issue	Description
Missing Security Header - X-Frame-Options (XFO)	X-Frame-Options (XFO) header provides protection against Clickjacking attacks.
Missing Security Header - Content-Security-Policy (CSP)	Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found.
Missing Security Header - Strict-Transport-Security (HSTS)	Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
Missing 'httpOnly' in Cookie	JavaScript can access Cookies if they are not marked httpOnly.
Infromation Disclosure - X-Powered-By	Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options	X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
Missing Security Header - X-Download-Options: noopen	X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection:1	X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP)	Public-Key-Pins (HPKP) ensures that certificate is Pinned.

Node.Security

Security Audit of Framework7