gimmi / extdirecthandler

Ext Direct router implementation for ASP.NET
http://gimmi.github.com/extdirecthandler/

XSS #18

Open bentoo opened 11 years ago

bentoo commented 11 years ago

How can we add XSS (Cross Site Scripting) prevention to this library?

gimmi commented 11 years ago

Sorry I'm a little ignorant about the topic.

What part/feature of the library do you think can be subject to an XSS vulnerability?

bentoo commented 11 years ago

The server side is responsible for validating the request to prevent XSS.

Example library that supports validating the request:

http://wpl.codeplex.com/

Here is an example of XSS:

If a web application uses your library, an end user can submit

In ASP.NET Form submission, if you submitted , you get an Error "Possible script detected"

Using your library currently, this doesn't happen.

bentoo commented 11 years ago

I cannot even include the example script injection attacks in this post because GitHub strips possible scripts from the HTML submission.

This is what should be done with your library as well.

I'm working on adding that to my project which uses your library.

gimmi commented 11 years ago

All the messages in ExtDirectHandler are JSON encoded, and ExtDirectHandler never tries to encode/decode JSON by itself but relies instead on the JSON.NET library.

I suppose that the only way to "push" javascript code on the client page is to exploit a bug in JSON.NET.

PS: The JSON.NET library has not been updated for a while; I can update it to the latest version if they maintained backward compatibility.

bentoo commented 11 years ago

I don't think simply JSON encoding the request is sufficient. You need to also scrub the request on the server side.

bentoo commented 11 years ago

You need to scrub the request after it has been decoded on the server side.
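The two positions above (that ExtDirectHandler hands the decoded request to JSON.NET untouched, and that the decoded values therefore still need to be checked server side) can be illustrated with a small post-decode check. The following C# is an added example, not code from ExtDirectHandler or any of its contributors: it assumes the request body is parsed with JSON.NET's `JToken.Parse`, walks every string value in the decoded tree, and reports the JSON path of any value that looks like markup, using the same kind of heuristic ASP.NET request validation applies (`<` followed by a letter, `!`, `/` or `?`, or an `&#` character reference). The class name `DecodedRequestValidator`, the regex and the sample request body are all constructed for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Newtonsoft.Json.Linq;

// Added example (not ExtDirectHandler code): a hypothetical check that runs
// after JSON.NET has decoded the request, since the JSON decoding step itself
// returns string values exactly as the client sent them.
public static class DecodedRequestValidator
{
    // Heuristic in the spirit of ASP.NET request validation: a "<" that opens
    // a tag, comment, end tag or processing instruction, or an "&#" reference.
    private static readonly Regex SuspiciousMarkup =
        new Regex(@"<[A-Za-z!/?]|&#", RegexOptions.Compiled);

    // Returns the JSON paths of every string value that matches the heuristic.
    // An empty list means the decoded request passed the check.
    public static IList<string> FindSuspiciousValues(JToken decoded)
    {
        var hits = new List<string>();
        Walk(decoded, hits);
        return hits;
    }

    // Recursive walk over objects, arrays and leaf strings; other leaf types
    // (numbers, booleans, null) cannot carry markup and are skipped.
    private static void Walk(JToken token, IList<string> hits)
    {
        switch (token.Type)
        {
            case JTokenType.String:
                if (SuspiciousMarkup.IsMatch((string)token))
                    hits.Add(token.Path);
                break;
            case JTokenType.Object:
                foreach (var property in ((JObject)token).Properties())
                    Walk(property.Value, hits);
                break;
            case JTokenType.Array:
                foreach (var item in (JArray)token)
                    Walk(item, hits);
                break;
        }
    }

    public static void Main()
    {
        // Constructed sample Ext Direct request: the "data" argument array carries
        // a string field that JSON.NET decodes unchanged, markup included.
        const string body =
            @"{""action"":""Profile"",""method"":""Save"",""type"":""rpc"",""tid"":1," +
            @"""data"":[{""name"":""alice"",""bio"":""<b>hello</b>""}]}";

        JToken decoded = JToken.Parse(body);
        IList<string> hits = FindSuspiciousValues(decoded);

        Console.WriteLine(hits.Count == 0
            ? "request accepted"
            : "request rejected, suspicious values at: " + string.Join(", ", hits));
    }
}
```

In a real deployment this check would sit between decoding and method dispatch, so a rejected request never reaches the application method. It is deliberately coarse, like ASP.NET's own request validation, and will also reject legitimate input such as a bio that contains "a < b"; the established complement is to HTML-encode values at the point where they are rendered into a page, so that a stored string is neutralised regardless of whether the input filter caught it.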