SurveyJS Vulnerability Management Policy
Updated: 8/25/2025
Current version: 2.3.3
Purpose
The purpose of this policy is to define how SurveyJS identifies, evaluates, mitigates, and manages software vulnerabilities in its client-side JavaScript products. The policy ensures that potential security risks are addressed systematically to protect users, maintain software integrity, and provide guidance for secure integration with server-side components.
Scope
This policy applies to all SurveyJS products, including:
| Product | Repository |
|---|---|
| Form Library | survey-library |
| Survey Creator | survey-creator |
| Dashboard | survey-analytics |
| PDF Generator | survey-pdf |
It covers vulnerabilities arising in client-side code, as well as risks related to user-generated content and API interactions.
This policy is reviewed annually or when significant changes are introduced. To report a security issue, please email us at info@devsoftbaltic.com or contact us through the Help Desk.
Current Vulnerability Management Practices
Client-Side Security
SurveyJS executes solely on the client side, where code runs in the user’s browser. Because client-side code cannot inherently prevent malicious actions, SurveyJS focuses on providing guidance and tools for secure usage rather than enforcing server-side protections. Built-in data validation is provided for user inputs to ensure answers conform to expected formats. However, features such as HTML questions or Markdown content do not automatically sanitize input. To mitigate risks, developers can use the following hooks:
survey.onTextMarkdown – allows sanitization of Markdown content before rendering.
survey.onProcessHtml – allows sanitization of HTML content before rendering.
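As an added example (not code from the SurveyJS policy or its repositories), the two hooks above wired to a small allowlist sanitizer. The option names options.text and options.html follow the SurveyJS event signatures; sanitizeHtml and renderMarkdown are stand-ins written here so the file runs offline, in place of a maintained sanitizer such as DOMPurify and a real Markdown library.

```javascript
// Added example, not SurveyJS code: handlers for survey.onTextMarkdown and
// survey.onProcessHtml. The allowlist sanitizer is deliberately small so this
// runs offline in Node; a maintained library would replace it in production.

// Tags kept when they carry no attributes; every other tag is rendered as text.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "u", "p", "br"]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

// Neutralize angle brackets so a fragment can no longer open or close a tag.
function neutralize(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeHtml(html) {
  let out = "", last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    const [raw, close, name, attrs] = m;
    out += neutralize(html.slice(last, m.index)); // plain text between tags
    const bare = attrs.trim() === "" || attrs.trim() === "/";
    if (bare && ALLOWED_TAGS.has(name.toLowerCase())) {
      out += `<${close}${name.toLowerCase()}>`;  // allowed tag, no attributes possible
    } else {
      out += neutralize(raw);                     // unknown tag or one carrying attributes
    }
    last = m.index + raw.length;
  }
  return out + neutralize(html.slice(last));
}

// Minimal Markdown subset (bold, italic, line breaks) standing in for a real
// Markdown library; raw HTML in the Markdown source is neutralized first.
function renderMarkdown(text) {
  return neutralize(text)
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/\*(.+?)\*/g, "<em>$1</em>")
    .replace(/\n/g, "<br>");
}

// survey.onTextMarkdown handler: options.text is the Markdown source; setting
// options.html tells SurveyJS to render this string instead.
function onTextMarkdown(_sender, options) {
  options.html = sanitizeHtml(renderMarkdown(options.text));
}

// survey.onProcessHtml handler: options.html is the HTML about to be rendered.
function onProcessHtml(_sender, options) {
  options.html = sanitizeHtml(options.html);
}
// With a real model: survey.onTextMarkdown.add(onTextMarkdown); survey.onProcessHtml.add(onProcessHtml);
```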
Server-Side Integration Recommendations
SurveyJS relies on secure server-side handling for critical data validation and sanitization. We recommend that developers:
Validate all API calls from the client before processing.
Sanitize survey responses, layout definitions, and any user-generated content before storing or rendering on the server.
Implement protections against XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), and SQL injection when processing SurveyJS data server-side.
Security Bug Handling
Currently, SurveyJS addresses security vulnerabilities reactively, fixing bugs as they are discovered. These fixes are tracked via GitHub Issues, reviewed, and deployed following the standard development and CI/CD workflow. All fixes undergo the usual automated testing, including unit, functional, and integration tests.
Future Enhancements
To strengthen vulnerability management, SurveyJS plans to:
Develop a proactive security testing framework for client-side components, including automated tests for XSS, injection, and other common web vulnerabilities.
Maintain a consolidated list of recommendations and best practices for developers integrating SurveyJS with backend systems.
Incorporate security-focused peer reviews and CI/CD checks as part of the development workflow to catch potential vulnerabilities earlier in the SDLC.
Reporting and Escalation
Security issues discovered by internal developers or reported externally are logged as GitHub Issues and tracked until resolution. Critical vulnerabilities are prioritized, and fixes are deployed promptly following the standard weekly release management process.
Communication to Clients
SurveyJS maintains transparent communication regarding security issues and their resolution. Clients and users reporting vulnerabilities are acknowledged promptly, and updates are provided on progress and resolution. For publicly relevant security issues or patches, Release Notes and Documentation will include guidance on mitigating risks, secure usage recommendations, and any required updates.