| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |

We take security seriously in Wang Language, especially given its use in browser automation contexts.

Please report security vulnerabilities by:

- Email: Send details to security@wang-lang.dev (once available)
- GitHub: Open a security advisory in the Security tab

Please include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to expect:

- We aim to acknowledge receipt within 48 hours
- We'll provide an initial assessment within 1 week
- We'll work on a fix and coordinate disclosure

Wang is designed to be CSP-safe and runs without:

- `eval()`
- `new Function()`
- Dynamic code generation

This makes it inherently safer for use in restricted environments like Chrome service workers.

When using Wang:

- Never execute untrusted code - Always validate and sanitize user input
- Limit function bindings - Only bind necessary functions to the interpreter
- Use module isolation - Keep sensitive operations in separate modules
- Validate module sources - Ensure modules come from trusted sources
- Apply principle of least privilege - Give minimum necessary permissions
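
One way to apply the "limit function bindings" and input-validation advice above on the host side, as an added example that is not Wang's own code. All names here (`ALLOWED_ORIGINS`, `checkedUrl`, `makeBindings`, `log`, `fetchText`) are hypothetical, and how the table is handed to the interpreter is not shown because this page does not document that API.

```javascript
// Added example: host-side binding table built with least privilege.
// ALLOWED_ORIGINS, checkedUrl, makeBindings, log and fetchText are
// hypothetical names; they are not part of Wang's API.
const ALLOWED_ORIGINS = new Set(["https://example.com"]); // constructed allowlist
const MAX_LOG_CHARS = 200;

// Validate a script-supplied URL before any host function sees it.
function checkedUrl(raw) {
  if (typeof raw !== "string") throw new TypeError("url must be a string");
  const url = new URL(raw); // throws on malformed input
  if (url.protocol !== "https:") throw new Error("only https: is allowed");
  if (url.username || url.password) throw new Error("credentials in URL are not allowed");
  if (!ALLOWED_ORIGINS.has(url.origin)) throw new Error(`origin not allowed: ${url.origin}`);
  return url.href;
}

// Return only the functions a script needs, each wrapped with input checks.
// `host` carries the real implementations and is never exposed itself.
function makeBindings(host) {
  const bindings = Object.create(null); // no inherited properties to reach
  bindings.log = (msg) => host.log(String(msg).slice(0, MAX_LOG_CHARS));
  bindings.fetchText = (raw) => host.fetchText(checkedUrl(raw));
  return Object.freeze(bindings); // table cannot be extended later
}
```

Comparing `url.origin` against the allowlist, rather than matching on a prefix of the string, is what rejects look-alike hosts and alternate ports.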

Security features:

- ✅ CSP-safe execution (no eval/new Function)
- ✅ Sandboxed execution context
- ✅ Module isolation
- ✅ No access to global scope by default
- ✅ Controlled function binding

We appreciate responsible disclosure and will acknowledge security researchers who help improve Wang's security.