I have questions on preventing XSS attacks.
1) Question:
I have an HTML template as Javascript string (trusted) and insert content coming from a server request (untrusted). I replace placeholders within that HTML template strings with that untrusted content and output it to the DOM using innerHTML/Text.
In particular I insert texts that I output in <div> and <p> tags that are already present in the template HTML string and form element values, i.e. texts in input tag's value attribute, select option and textarea tags.
Do I understand correctly that I can treat every inserted text mentioned above as HTML subcontext thus I only encode like so: encodeForJavascript( encodeForHTML( inserted_text ) ). Or do I have to encode the texts that I insert into value attributes of the input fields for the HTML Attribute subcontext?
After reading up on this issue on OWASP I am inclined to think that latter is only necessary in case I set the attribute with unstrusted content via Javascript like so: document.forms[ 0 ].elements[ 0 ].value = encodeForHTMLAttribute, is that correct?
2) Question:
What is the added value of server side encoding server responses that enter the client side via Ajax and get handled anyway (like in question 1). In addition, don't we risk problems when double encoding the content?
Thanks
You need to encode for the context in question, so to data inserted into html context needs to be encoded for html, and data inserted into html attributes, should be html attribute encoded. This is addition to the javascript encoding you mentioned.
I would javascript encode for transfer and then encode for the correct context client side, where I know which context is the right one.
Related
Ok, so I'm maintaining a legacy code where they are creating html on the backend side (a form) and in the action tag they are appending the value of the URL to make a redirect. There are no input of type texts anywhere to sanitize. The url comes from the request, they have an event handler to check if that is a redirect, etc.
Burp scan indicates that you can (of course) escape the Url and put a JavaScript event in it.
So the idea is to how can I detect if the Url has a JavaScript event, because this is already on an html we are sending I cant html encode it, because is not a text we are saving but a page they are showing.
How can I check if the string (which is the Url ) has JavaScript event escaped in it?.
What I tried is to ask if in the Url there is ' (the escape) but I yet to know if the url can contain such symbol, so it seems I have to analyze if we are seeing a JS Event.
So the url looks something like this: /Something/TheSession/123'onmouseover%3d'alert(1)'456
And then they are appending that url here on a stringbuilder:
sb.Append("<html><body><form name='Redirect' method='post' action='")
sb.Append(request.Url.PathAndQuery)
I already read some references like portswigger about XSS but in the Reflected XSS Script the example is in html tags which would be easier to check.
On my lotus domino web application, I have customized search form where user can enter criteria (around 10 criteria ) is there, now what I would like to do is that I would like to throw the result to another page/form using html.
But my concern is that I would like to access div elements on the output form/page and I am not sure if I can do it Web query save agent of search form.
Basically what I wanted to do is I will compose html in the WQS agent and assign that HTML to div of the output search form. but I am not sure how to access div element of the another form using WQS agent of the current form.
I can display result in the same form but question would remain again how to access div element in the WQS agent of Lotusscript.
using document context we can access the field of the currrent document submitted but not sure about div element.
Please asssist
You could use some REST here. Basically submit the search form to a REST service, collect the results and render them as needed.
In short, all you can do in a WQS is to spit out a stream of text (which may or may not be HTML) from the server to the browser. So I think you have a couple of options:
In your template HTML, add a placeholder where your <div> is and do a replace() (replace the placeholder with the HTML you want to appear in that div) before sending out the HTML to the browser, or
Output enough JavaScript and/or JQuery and/or whatever so that the div is updated by the client after the document is loaded. Of course there's no guarantee that will happen though.
Another approach is just to create a Notes document with computed fields and/or computed text. In this case you don't think of updating the "div" as updating an HTML div, you're updating computed text on a Notes form. When you return the document to the browser as a document instead of messing with a WQS agent.
I suppose your WQS agent could also potentially send out just JavaScript to update another page, but to me that smacks of a cross-site scripting attack.
Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces?
I need to sanitize HTML input by user via p:editor and display safe HTML output using escape="true", following the stackexchange style. Before displaying the HTML I'm thinking to store sanitized input data to the database, so that it is ready to safe use with escape="true" and XSS is not a danger.
In order to achieve that, you basically need a standalone HTML parser. HTML parsing is rather complex and the task and responsibility of that is beyond the scope of JSF, PrimeFaces and OmniFaces. You're supposed to just grab one of the many existing HTML parsing libraries.
An example is Jsoup, it has even a separate method for the particular purpose of sanitizing HTML against a Safelist: Jsoup#clean(). For example, if you want to allow some basic HTML without images, use Safelist.basic():
String sanitizedHtml = Jsoup.clean(rawHtml, Safelist.basic());
A completely different alternative is to use a specific text formatting syntax, such as Markdown (which is also used here). Basically all of those parsers also sanitize HTML under the covers. An example is CommonMark. Perhaps this is what you actually meant when you said "stackexchange style".
As to saving in DB, you'd better save both the raw and parsed forms in 2 separate text columns. The raw form should be redisplayed during editing. The parsed form should be updated in background when the raw form has been edited. During display, obviously only show the parsed form with escape="false".
See also:
Markdown or HTML
Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces?
I need to sanitize HTML input by user via p:editor and display safe HTML output using escape="true", following the stackexchange style. Before displaying the HTML I'm thinking to store sanitized input data to the database, so that it is ready to safe use with escape="true" and XSS is not a danger.
In order to achieve that, you basically need a standalone HTML parser. HTML parsing is rather complex and the task and responsibility of that is beyond the scope of JSF, PrimeFaces and OmniFaces. You're supposed to just grab one of the many existing HTML parsing libraries.
An example is Jsoup, it has even a separate method for the particular purpose of sanitizing HTML against a Safelist: Jsoup#clean(). For example, if you want to allow some basic HTML without images, use Safelist.basic():
String sanitizedHtml = Jsoup.clean(rawHtml, Safelist.basic());
A completely different alternative is to use a specific text formatting syntax, such as Markdown (which is also used here). Basically all of those parsers also sanitize HTML under the covers. An example is CommonMark. Perhaps this is what you actually meant when you said "stackexchange style".
As to saving in DB, you'd better save both the raw and parsed forms in 2 separate text columns. The raw form should be redisplayed during editing. The parsed form should be updated in background when the raw form has been edited. During display, obviously only show the parsed form with escape="false".
See also:
Markdown or HTML
I have problem with matching response text on xml page on capybara.
When I use page.should(have_content(arg1)) capybara raises error that there is no \html element (there shouldn't be as it's xml).
When I use page.should(have_xpath(arg1)) it raises Element at 40 no longer present in the DOM (Capybara::Webkit::NodeNotAttachedError)
What is the correct way to test xml ?
When using capybara-webkit, the driver will try to use a browser's HTML DOM to look for elements. That doesn't work, because you don't have an HTML document.
One workaround is to fall back to Capybara's string implementation:
xml = Capybara.string(page.body)
expect(xml).to have_xpath(arg1)
expect(xml).to have_content(arg1)
Assuming your page returns a content type of text/xml, capybara-webkit won't mess with the response body at all, so you can pass it through to Capybara.string (or directly to Nokogiri if you like).