Guidelines: contributing

[kewde]

I assume it would be good practice to make a manual of the best JavaScript security practices. (Prevent innerHTML etc) and if a PR does not comply either discuss or reject.

[kewde]

I would populate the manual with concrete code examples of vulnerable code and examples of how to mitigate it.
Most of the work goes through rigorous sanity checks (addresses, hashes, time, ..) and require less attention. But things like user specified content such as chat messages, labels (groupchats) and market data undergo nearly no sanity checks except HTML sanity checks and in some cases a very strict regex replace (only allowing for example a-z,A-Z).

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet