New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS protection #9

Open

octopusinvitro opened this issue Oct 15, 2017 · 0 comments

Contributor

octopusinvitro commented Oct 15, 2017 •

edited

Loading

See our contributing guides.

Sinatra comes with some protection out of the box, but still there are some extra things we can do:

Input validation:

At the moment we have basic native validation. Are there any relevant restrictions we can add?

Input sanitization:

Some kind of tags stripping.

Output Escaping

We could use the ERB::Util method html_escape (aliased as the shorter h) on the params received from the form before sending them to Stripe/Salesforce/etc.. See: http://ruby-doc.org/stdlib-1.9.3/libdoc/erb/rdoc/ERB/Util.html#method-c-h. Not too sure about this though, it's meant to be used more when spitting data to a view.

Setting up CSP:

Either setting the HTTP headers in Sinatra or adding a meta tag:

get '/foo' do
    headers['Content-Security-Policy'] = 'script-src none'

<meta http-equiv="Content-Security-Policy" content="script-src none">

Using HttpOnly cookies:

Are we going to use cookies on this? https://www.owasp.org/index.php/HttpOnly

Some useful guides:

The text was updated successfully, but these errors were encountered:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment