[CLOSED] Tips on preventing Cross Site Scripting (XSS)

  1. #1

    [CLOSED] Tips on preventing Cross Site Scripting (XSS)



    Is there anything built in to the Coolite framework that can help prevent Cross Site Scripting (XSS) attacks?

    i.e. At the moment, if I add a record to my system, and type the following into a text box:

    "<script>alert()</script>"

    And save the record, and reload the screen that displays the record in a GridPanel, the whole screen doesn't render.

    Also if "<p>Test</p>" is typed in, when rendered to a GridPanel it displays "Test" (i.e. the "<p></p>" part is rendered as HTML).

    What would be your recommendation to prevent this from occurring - either encode the HTML upon saving, or when displaying data?

    Any hints/tips from previous experiences would be useful.
  2. #2

    RE: [CLOSED] Tips on preventing Cross Site Scripting (XSS)

    Hi,

    Try to set AutoEncode="true" for GridPanel. Has this helped?
  3. #3

    RE: [CLOSED] Tips on preventing Cross Site Scripting (XSS)



    I've tried that, but it doesn't make any difference. I think the problem resides at the Store level, because this is where the data is coming from. When I view the source of the page:

    Ext.onReady(function(){this.storeUsers_Data=[{"UserID":41,"UserName":"<script>alert()</script>",".....
    I think because there are "<script>" or other HTML tags in here, it doesn't always render the page correctly.

    There doesn't appear to be an AutoEncode property on the Store object.

    I know users aren't likely to enter "<script>" tags as real data, but I still need to be able to secure the application as best as possible, whilst still maintaining flexibility in the data they can enter (i.e. still allowing them to enter "<" or ">" tags).

    Thanks.
  4. #4

    RE: [CLOSED] Tips on preventing Cross Site Scripting (XSS)

    Hi danielg,

    The html/script scrubbing is best done on the server. There are options client-side for encoding, but they should *never* be relied upon to prevent an XSS issue. Client-side encoding is also going to impose a performance penalty, and the process would need to be performed server-side again anyways.


    The data coming from the server could be encoded client-side, but again, data being sent to the server should be "cleaned".


    Hope this helps.


    Geoffrey McGill
    Founder
  5. #5

    RE: [CLOSED] Tips on preventing Cross Site Scripting (XSS)

    Hi,

    AutoEncode encodes text from user input only (encode and decode values pre and post edit). For example, if the user inputs "<script>alert('');</script>" then on the server side you will get "&lt;script&gt;alert('');&lt;/script&gt;"


    AutoEncode prevents sending unencoded data from client to the server (of course, it is not a 100% guarantee, because a violator can build the request as he needs, therefore you must always check data on the server). So, if you already have unencoded data in your DB then you should encode it manually before rendering it to the client.
  6. #6

    RE: [CLOSED] Tips on preventing Cross Site Scripting (XSS)



    Thanks for the useful info, Vladimir and Geoffrey.

    I'll probably use the Server.HtmlEncode method when saving data back to the database. When this is rendered in a GridPanel from a Store, this seems to display fine.

    Many thanks.
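Added example, not code from this thread or from the Coolite/Ext.NET code base. The page source quoted in post #3 shows the real failure: the record is serialised into an inline <script> block, and the HTML parser ends that block at the first "</script" it meets, whatever JavaScript string it sits inside, which is why the screen stops rendering. The example below takes the encode-on-display route that the opening question asked about (the thread settled on encoding at save time with Server.HtmlEncode; both need the script-context escaping shown here if the store is emitted inline). Function names (jsonForScript, htmlEncode, breaksOutOfScript, renderCell, demo) are mine, and the sample record is constructed to match the one quoted in post #3.

```javascript
// Added example: two output encoders for the two contexts a GridPanel
// record passes through (inline <script> data literal, then cell HTML).

// Context 1: the record is serialised into an inline <script> block
// (the storeUsers_Data literal shown in the thread). JSON.stringify alone
// leaves "</script>" intact, and the HTML tokenizer closes the script
// element there regardless of the surrounding JS string. Escaping <, > and &
// (plus U+2028/U+2029, which terminate JS string literals) as \uXXXX keeps
// the value valid JSON while removing the breakout.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Context 2: the value is rendered as cell HTML. Encode the five characters
// that can change markup; the browser then shows them literally.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Would this serialised text, dropped inside <script>...</script>, close the
// element early? Mirrors the tokenizer: "</script" is matched case-insensitively.
function breaksOutOfScript(serialised) {
  return /<\/script/i.test(serialised);
}

// Constructed sample record, equivalent to the one quoted in post #3.
const record = { UserID: 41, UserName: '<script>alert()</script>' };

// Unsafe: what the thread's page source shows.
const unsafe = 'this.storeUsers_Data=' + JSON.stringify([record]) + ';';
// Safe: the same data, escaped for the script context.
const safe = 'this.storeUsers_Data=' + jsonForScript([record]) + ';';

// Grid cell renderer: encode at display time, so "<p>Test</p>" appears as text.
function renderCell(value) {
  return htmlEncode(value);
}

function demo() {
  return {
    unsafeBreaksOut: breaksOutOfScript(unsafe),   // true
    safeBreaksOut: breaksOutOfScript(safe),       // false
    // \u escapes are plain JSON, so the client reads back the original text
    roundTrip: JSON.parse(jsonForScript(record)).UserName === record.UserName,
    cell: renderCell('<p>Test</p>'),              // "&lt;p&gt;Test&lt;/p&gt;"
  };
}
```

Because jsonForScript only changes how the characters are spelled inside the JSON string, the store still receives the raw "<" and ">" the user typed (the flexibility post #3 wanted); the grid renderer then decides how they are displayed. Apply htmlEncode once, at the point of output: encoding both when saving and when rendering turns "&" into "&amp;amp;" and shows the user "&amp;lt;" instead of "<".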
