Security by design

Arcadia Controls is built on Blazor's secure-by-default architecture. No raw HTML injection, no eval(), no third-party C# dependencies in Core. Here is how we protect your application.

Built-in XSS Protection

Blazor's Razor engine HTML-encodes all output by default, eliminating the most common class of web vulnerabilities. Arcadia Controls never bypasses this protection.

  • No use of MarkupString or raw HTML rendering in component output
  • DataGrid export uses HtmlEncode and SecurityElement.Escape for all user-supplied values
  • All chart rendering is pure server-side SVG generated in C# -- no client-side HTML injection

Zero Third-Party C# Dependencies

Arcadia.Core has zero third-party NuGet dependencies. The only runtime dependency is Microsoft.AspNetCore.Components, matched per target framework. This eliminates transitive dependency vulnerabilities entirely for the core library.

  • Central package management via Directory.Packages.props ensures version consistency
  • JavaScript is used only where Blazor cannot natively operate (clipboard, resize observers, drag-and-drop)
  • No CDN dependencies at runtime -- all assets are bundled in the NuGet package

JS Interop Security

Where JavaScript is required, we follow strict isolation patterns to minimize attack surface.

  • All JS modules use isolated IJSObjectReference -- no global scope pollution
  • No use of eval() or new Function() anywhere in the codebase
  • 86 JS interop call sites across 20 components, all using typed InvokeAsync<T> with explicit return types
  • Proper IAsyncDisposable on all interop components (41 disposal sites) to prevent memory leaks

Input Validation

Every data entry point in Arcadia Controls supports validation to prevent malformed or malicious input from reaching your application logic.

  • DataGrid inline editing includes per-column Validator delegates with live validation as the user types
  • FormBuilder supports IFieldValidator and IAsyncFieldValidator for synchronous and async cross-field validation
  • Schema-driven validation rules ensure consistent enforcement across server and client render modes

Accessibility as a Security Layer

WCAG 2.1 AA compliance is not just about inclusivity -- it is a security practice. Proper focus management prevents UI spoofing and clickjacking attacks.

  • Dedicated FocusTrap component prevents focus escaping modal dialogs
  • All interactive components support full keyboard navigation
  • ARIA attributes are programmatically enforced, not optional

Supply Chain Integrity

We apply defense-in-depth to the build and distribution pipeline to prevent supply chain attacks.

  • C# nullable reference types enabled with TreatWarningsAsErrors -- type safety is enforced at compile time
  • Roslyn analyzers (Microsoft.CodeAnalysis.Analyzers) at latest-recommended analysis level
  • No CDN dependencies at runtime -- all JavaScript ships inside the NuGet package as static web assets
  • Multi-target build (.NET 5 through .NET 10) validated in CI against all supported frameworks

Data Handling

Arcadia Controls components never transmit your data externally. Your data stays in your application.

  • No analytics, telemetry, or tracking in any component package
  • No outbound network calls from component code
  • State persistence (where applicable) uses browser localStorage under user control
  • Components are render-mode agnostic -- the same security guarantees apply in Server, WASM, and Auto modes

Disposal and Memory Safety

Improper resource disposal leads to memory leaks and potential denial-of-service in long-running Blazor Server applications. Arcadia Controls handles this systematically.

  • IAsyncDisposable implemented on every component with JS interop
  • JSDisconnectedException handling for graceful Blazor Server circuit disconnect
  • Shared ArcadiaInteropBase base class enforces consistent disposal across all components
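
The pattern described under JS Interop Security and in this section, as an added example that is not Arcadia's own code: an isolated module held as an IJSObjectReference, a typed InvokeAsync<T> call, and disposal that tolerates a dropped Blazor Server circuit. The class name, module path, package id and the writeText export are hypothetical.

```csharp
// Added example: a hypothetical interop wrapper, not ArcadiaInteropBase.
using System;
using System.Threading.Tasks;
using Microsoft.JSInterop;

public sealed class ClipboardInterop : IAsyncDisposable
{
    // Assumed location of a bundled static web asset; "Example.Package" is a placeholder id.
    private const string ModulePath = "./_content/Example.Package/clipboard.js";

    private readonly Lazy<Task<IJSObjectReference>> _module;
    private bool _disposed;

    public ClipboardInterop(IJSRuntime js)
    {
        // Dynamic import() returns a module-scoped reference; nothing is attached to window.
        _module = new Lazy<Task<IJSObjectReference>>(
            () => js.InvokeAsync<IJSObjectReference>("import", ModulePath).AsTask());
    }

    // Typed call: the result is deserialized to bool, never interpreted as markup or script.
    // "writeText" is an assumed export of the hypothetical module.
    public async ValueTask<bool> WriteTextAsync(string text)
    {
        if (_disposed) throw new ObjectDisposedException(nameof(ClipboardInterop));
        var module = await _module.Value;
        return await module.InvokeAsync<bool>("writeText", text);
    }

    public async ValueTask DisposeAsync()
    {
        if (_disposed) return;
        _disposed = true;
        if (!_module.IsValueCreated) return; // module was never imported, nothing to release

        try
        {
            var module = await _module.Value;
            await module.DisposeAsync();      // releases the JS-side object reference
        }
        catch (JSDisconnectedException)
        {
            // Blazor Server circuit is already gone, so the browser-side state went with it.
            // JSDisconnectedException is available from .NET 6 onward.
        }
    }
}
```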

Automated Testing

Every commit is validated by our CI pipeline. Security regressions are caught before they reach a release.

  • 1,400+ automated unit tests with bUnit
  • End-to-end tests with Playwright covering real browser interactions
  • CI pipeline validates every commit across all supported .NET target frameworks
  • NUnit analyzers enforce test quality standards

Vulnerability Reporting

We take responsible disclosure seriously. If you discover a security vulnerability in Arcadia Controls, please report it privately.

Email: security@arcadiaui.com

Response time: We acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.

Scope: All Arcadia NuGet packages (Arcadia.Core, Arcadia.Charts, Arcadia.DataGrid, Arcadia.FormBuilder, Arcadia.DashboardKit, Arcadia.Notifications, Arcadia.Theme).

Questions about our security posture?

Enterprise customers can request a detailed security questionnaire response. Contact our team for more information.