Avalon Code Review

ISGroup SRL performed an automated Code Review (not a real Static Analysis, more a grep-on-steroid) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false-positives and false-negatives (undetected issues) but it's free and your project could benefit from this security analisys. The following data is also available in JSON format!

Possible Security Issues

Issue	Description	Line	File
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	35	karma/reconcile.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	59	karma/reconcile.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	93	karma/reconcile.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	136	karma/reconcile.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	29	karma/$watch.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	60	karma/$watch.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	65	karma/$watch.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	76	karma/$watch.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	47	karma/directives/if.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	52	karma/directives/if.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	80	karma/directives/if.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	85	karma/directives/if.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	113	karma/directives/if.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	117	karma/directives/if.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	122	karma/directives/if.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	60	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	80	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	113	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	130	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	168	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	175	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	197	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	203	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	226	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	231	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	234	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	279	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	288	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	312	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	336	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	359	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	394	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	401	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	408	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	440	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	444	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	448	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	472	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	524	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	530	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	568	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	611	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	636	karma/directives/for.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	56	karma/directives/class.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	77	karma/directives/effect.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	80	karma/directives/effect.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	83	karma/directives/effect.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	55	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	87	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	118	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	157	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	191	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	194	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	197	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	200	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	226	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	229	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	254	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	257	karma/directives/on.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	45	karma/directives/controller.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	62	karma/directives/controller.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	80	karma/directives/controller.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	90	karma/directives/controller.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	137	karma/directives/controller.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	144	karma/directives/controller.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	32	karma/directives/attr.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	36	karma/directives/attr.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	63	karma/directives/attr.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	94	karma/directives/attr.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	118	karma/directives/attr.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	141	karma/directives/attr.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	41	karma/directives/visible.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	47	karma/directives/visible.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	52	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	71	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	102	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	110	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	136	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	162	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	170	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	205	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	219	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	260	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	273	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	297	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	306	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	329	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	336	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	340	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	344	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	366	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	372	karma/directives/duplex.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	31	karma/directives/text.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	47	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	55	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	93	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	100	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	105	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	138	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	145	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	193	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	206	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	210	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	253	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	257	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	259	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	290	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	343	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	355	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	366	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	413	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	415	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	442	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	471	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	520	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	532	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	535	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	538	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	609	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	614	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	619	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	624	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	678	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	746	karma/directives/widget.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	35	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	61	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	82	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	113	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	152	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	156	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	159	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	185	karma/directives/html.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	40	karma/directives/expr.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	34	karma/directives/css.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	37	karma/directives/css.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	64	karma/directives/css.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	87	karma/directives/css.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	110	karma/directives/css.js
Server Side Injection(SSI) - new Function()	User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	77	src/dom/attr/compact.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	35	src/dom/ready/compact.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	40	src/dom/ready/compact.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	30	src/dom/ready/modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	101	src/vmodel/__test__.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	11	src/gesture/press.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	88	src/component/dispose.compact.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	54	src/component/dispose.share.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	74	src/directives/effect.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	204	src/directives/effect.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	214	src/directives/effect.js
Key Hardcoded	A hardcoded key in plain text was identified.	8	src/directives/visible.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	74	src/directives/validate.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	113	src/directives/duplex/updateModelByEvent.compact.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	155	src/directives/duplex/updateModelByEvent.compact.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	94	src/directives/duplex/updateModelByEvent.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	15	src/directives/duplex/updateView.compact.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	30	src/directives/duplex/updateModelHandle.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	141	src/directives/duplex/compact.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	135	src/directives/duplex/modern.js
Key Hardcoded	A hardcoded key in plain text was identified.	28	src/strategy/text2vdom.js
Key Hardcoded	A hardcoded key in plain text was identified.	63	src/strategy/parser/parseExpr.js
Server Side Injection(SSI) - new Function()	User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	1952	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3086	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3091	dist/2.1.8.js
Key Hardcoded	A hardcoded key in plain text was identified.	3617	dist/2.1.8.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4155	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4372	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4414	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4501	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4654	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4792	dist/2.1.8.js
Server Side Injection(SSI) - new Function()	User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5587	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6116	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6247	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6257	dist/2.1.8.js
Key Hardcoded	A hardcoded key in plain text was identified.	6710	dist/2.1.8.js
Key Hardcoded	A hardcoded key in plain text was identified.	7330	dist/2.1.8.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7560	dist/2.1.8.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7644	dist/2.1.8.js
Server Side Injection(SSI) - new Function()	User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2081	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3160	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3165	dist/avalon.js
Key Hardcoded	A hardcoded key in plain text was identified.	3817	dist/avalon.js
Key Hardcoded	A hardcoded key in plain text was identified.	4250	dist/avalon.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4894	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5036	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5078	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5169	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5320	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5459	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6686	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6816	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6826	dist/avalon.js
Key Hardcoded	A hardcoded key in plain text was identified.	7016	dist/avalon.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7785	dist/avalon.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7871	dist/avalon.js
Key Hardcoded	A hardcoded key in plain text was identified.	2251	dist/avalon.test.js
Key Hardcoded	A hardcoded key in plain text was identified.	2607	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3142	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3378	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4605	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4735	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4745	dist/avalon.test.js
Key Hardcoded	A hardcoded key in plain text was identified.	4935	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5671	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7175	dist/avalon.test.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7398	dist/avalon.test.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7522	dist/avalon.test.js
Key Hardcoded	A hardcoded key in plain text was identified.	2053	dist/avalon.modern.js
Key Hardcoded	A hardcoded key in plain text was identified.	2409	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2944	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3180	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4407	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4537	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4547	dist/avalon.modern.js
Key Hardcoded	A hardcoded key in plain text was identified.	4737	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5473	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6977	dist/avalon.modern.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7200	dist/avalon.modern.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7324	dist/avalon.modern.js
Key Hardcoded	A hardcoded key in plain text was identified.	2054	dist/avalon.next.js
Key Hardcoded	A hardcoded key in plain text was identified.	2410	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2945	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3181	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4408	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4538	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4548	dist/avalon.next.js
Key Hardcoded	A hardcoded key in plain text was identified.	4738	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5474	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	6978	dist/avalon.next.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7201	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	7325	dist/avalon.next.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	157	dist/1.4.js
Server Side Injection(SSI) - new Function()	User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2340	dist/1.4.js
Key Hardcoded	A hardcoded key in plain text was identified.	2717	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	2953	dist/1.4.js
Key Hardcoded	A hardcoded key in plain text was identified.	3638	dist/1.4.js
Server Side Injection(SSI) - setInterval()	User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3764	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3885	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	3925	dist/1.4.js
Key Hardcoded	A hardcoded key in plain text was identified.	4658	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	4746	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5242	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5428	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5483	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5819	dist/1.4.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	5824	dist/1.4.js
Key Hardcoded	A hardcoded key in plain text was identified.	330	perf/mithril.js
Key Hardcoded	A hardcoded key in plain text was identified.	54	perf/t7.js
Server Side Injection(SSI) - new Function()	User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	420	perf/t7.js
Key Hardcoded	A hardcoded key in plain text was identified.	641	perf/t7.js
Server Side Injection(SSI) - new Function()	User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	802	perf/t7.js
Server Side Injection(SSI) - setTimeout()	User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).	11	perf/app.js

Issue	Description
Missing Security Header - X-Frame-Options (XFO)	X-Frame-Options (XFO) header provides protection against Clickjacking attacks.
Missing Security Header - Content-Security-Policy (CSP)	Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found.
Missing Security Header - Strict-Transport-Security (HSTS)	Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
Missing 'httpOnly' in Cookie	JavaScript can access Cookies if they are not marked httpOnly.
Infromation Disclosure - X-Powered-By	Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options	X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
Missing Security Header - X-Download-Options: noopen	X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection:1	X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP)	Public-Key-Pins (HPKP) ensures that certificate is Pinned.

Node.Security

Security Audit of Avalon