
Commit 4c887bb

Add security section
1 parent 1afba6b commit 4c887bb

1 file changed

+45
-1
lines changed

README.md

Lines changed: 45 additions & 1 deletion
@@ -151,7 +151,8 @@ function leftPad (str, len, ch) {
151151
### Functions should be as pure as possible
152152
```javascript
153153
// Global variable referenced by following function.
154-
// If we had another function that used this name, now it'd be an array and it could break it.
154+
// If we had another function that used this name, now it'd be an array and it
155+
// could break it.
155156
let name = 'Ryan McDermott';
156157

157158
function splitIntoFirstAndLastName() {
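Review bot: the only change in this hunk is rewrapping one comment line in the "Functions should be as pure as possible" example to fit 80 columns; the wrap itself is fine and matches the rest of the file, but it is unrelated to the "Add security section" commit title, so either split it into its own commit or mention it in the commit message so the history stays accurate.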
@@ -291,8 +292,49 @@ as much security review as you can on every commit, and perform routine security
291292
audits.
292293

293294
### XSS should not be possible
295+
Cross-site scripting (XSS), is one of the largest vectors for security attacks
296+
on a web application. It occurs when you take user data and include it in your
297+
page without first properly sanitizing it. This can cause your site to execute
298+
source code from remote pages.
299+
300+
```javascript
301+
function () {
302+
let badge = document.getElementsByClassName('badge');
303+
let nameQueryParam = getQueryParams('name');
304+
305+
/**
306+
* What if nameQueryParam was `<script>sendCookie(document.cookie)</script>`?
307+
* If that was the query param, a malicious user could lure a user to click a
308+
* link with that as the `name` query param, and have the user unknowingly
309+
* send their data to a bad actor.
310+
*/
311+
badge.children[0].innerHTML = nameQueryParam;
312+
}
313+
314+
```
294315

295316
### Personally Identifiable Information (PII) should not leak
317+
You bear an enormous weight of responsibility every time you take in user data.
318+
If you leak data in URLs, in analytics tracking to third parties, or even expose
319+
data to employees that shouldn't have access, you greatly hurt your users and
320+
your business. Be careful with other people's lives!
321+
322+
```javascript
323+
router.route('/bank-user-info').get((req, res) => {
324+
const name = user.name;
325+
const id = user.id
326+
const socialSecurityNumber = user.ssn;
327+
328+
// There's no reason to send a socialSecurityNumber back in a query parameter
329+
// This would be exposed in the URL and potentially to any middleman on the
330+
// network watching internet traffic
331+
res.addToQueryParams({
332+
name,
333+
id,
334+
socialSecurityNumber
335+
})
336+
});
337+
```
296338

297339
## Performance
298340

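Review bot: the XSS example in this hunk does not run as written: `function () {` is a syntax error as a statement (give the function a name), `getQueryParams` is never defined, and `document.getElementsByClassName('badge')` returns an HTMLCollection, so `badge.children[0]` is undefined; use `document.querySelector('.badge')` or index the collection first. More importantly the section shows only the vulnerable form, whereas the rest of this README pairs Bad with Good; add the fixed version, which assigns `nameQueryParam` through `textContent` (or a created text node) instead of `innerHTML`, so the browser never parses the untrusted string as markup. Also, browsers do not execute `<script>` elements inserted via `innerHTML`, so the exact payload in the comment would not fire; the sink is still unsafe because injected markup can carry other executable content, so keep the lesson but do not claim that string runs as written. In the PII example, `user` is undeclared inside the handler (presumably `req.user`), `const id = user.id` is missing its semicolon, and `res.addToQueryParams` is not an Express API (a response cannot add query parameters to the request it is answering); rewrite it as a `res.redirect(...)` with the values in the URL, or as `res.json(...)` that deliberately omits `socialSecurityNumber`, and widen the comment's threat beyond "any middleman on the network": data placed in URLs also lands in server and proxy logs, browser history, and Referer headers even when the connection uses TLS.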
@@ -387,6 +429,8 @@ assert(date1 === '1/6/2017');
387429
388430
> George Bernard Shaw
389431
432+
### TODO comments should be tracked
433+
390434
### Commit messages should be clear and accurately describe new code
391435
We've all written commit messages like "Changed some crap", "damn it",
392436
"ugg one more to fix this stupid bug". These are funny and satisfying, but not
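Review bot: the new `### TODO comments should be tracked` heading at the top of this hunk has no body, so the rendered README will show an empty section between the Shaw quote and "Commit messages should be clear"; either write the paragraph (for example, what each TODO should reference so it can be tracked) or drop the heading until the text exists. It is also unrelated to the "Add security section" commit title.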
