This repository has been archived by the owner on Aug 30, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 24
user ui xss prevention
chris grzegorczyk edited this page Feb 13, 2013
·
2 revisions
In Eucalyptus User Console, we use context-sensitive output escaping/encoding as the main XSS prevention technique. Starting with 3.3.0, UI proxy does not do any escaping on the server-side and all untrusted output is expected to be handled safely by the client-side code. This approach allows us to use context-sensitive escaping close to the sink of data when the exact context in which it's used is known.
- Avoid using or escape untrusted data before passing it to the following jQuery methods
| after() | prependTo() |
| append() | replaceAll() |
| appendTo() | replaceWith() |
| before() | unwrap() |
| html() | wrap() |
| insertAfter() | wrapAll() |
| insertBefore() | wrapInner() |
| prepend() | $() |
- Whenever possible use text(danger) or val(danger) to display untrusted data (no escaping is required)
- Do not use untrusted data in event handler attributes like onclick, onload, onmouseover, etc.
- If have to use untrusted data in an unsafe sink, use escape() methods defined in esapi/DefaultEncoder.js to escape data depending on the context in which it's used
- Context-sensitive escaping rules from here
| Context | Escaping |
|---|---|
| HTML Element | encodeForHTML() |
| HTML Attribute | encodeForHTMLAttribute() |
| JavaScript | encodeForJavaScript() |
| HTML Style | encodeForCSS() |
| URI Attribute | encodeForURL() |
- Avoid HTML construction "by hand" and using string concatenation, use jQuery's specific setter methods (eg., attr() and val()) instead
- DON'T
$html = "<span title='" + title + ">" + str + </span>;
- DO
$html = $('<span>').attr('title', title).text(str);
- Do not put unescaped untrusted data into eucatable
- DON'T
"mDataProp": "size"
- DO
"fnRender" : function(oObj){ return DefaultEncoder().encodeForHTML(oObj.aData.description);}
- When creating an instance of the eucatable
- options.id MUST be a static string (eg., sgroup, keypair)
- options.filters MUST not come from user input, for example
filters : [{name:"snap_state", options: ['all','in-progress','completed'], text: [snap_state_selector_all, snap_state_selector_in_progress, snap_state_selector_completed], filter_col:7, alias: {'in-progress':'pending','completed':'completed'}} ]
- escape any untrusted data before passing it to one of the following methods that are known to be using HTML rendering methods
| Method |
|---|
| addNote() |
| showFieldError() |
| validateOnType() |
| notifyError() |
| notifySuccess() |
| notifyMulti() |
- escape any untrusted data when .i18n.prop() is used
- Aspect Security XSS and jQuery - the best available resource on XSS protection in code written in jQuery
- OWASP XSS Prevention Cheatsheet
- OWASP DOM based XSS Prevention Cheatsheet