lefthandedgoat / genit

A cross-platform website generator and server using F#, Suave and PostgreSQL.
MIT License

Do something to prevent XSS #54

Open lefthandedgoat opened 8 years ago

lefthandedgoat commented 8 years ago

You can enter into the text box and it will run the js when loading the view page.

lefthandedgoat commented 8 years ago

http://wpl.codeplex.com/

jeroldhaas commented 8 years ago

that's meant as a band-aid until a proper fix can be applied to a site

lefthandedgoat commented 8 years ago

@jeroldhaas Ok, good info. I will definitely do more research before I implement something.

jeroldhaas commented 8 years ago

Perhaps I can assist. Can you provide more info on this bug? Is text entered into textboxes getting evaled?

lefthandedgoat commented 8 years ago

Basic idea is that I know there are a lot of things about web dev that I don't know, and managing and preventing XSS is one of them, so this is a todo for me to research and implement a fix.

I did test it and put a script tag in an input box, and after saving it, it did evaluate the script tag on rendering the 'view' page.
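The behaviour described above is a stored XSS: the saved field value is written into the 'view' page's markup verbatim, so the browser parses the script tag as script. The standard fix is to HTML-encode every untrusted value at the point it enters the HTML. The following is an added example, not genit's code; `renderViewUnsafe` and `renderView` are hypothetical stand-ins for the project's view rendering, and the stored value is a constructed sample.

```fsharp
open System
open System.Text

/// Escape the five characters that let untrusted text break out of an
/// HTML text node or a double-quoted attribute value.
let htmlEncode (s: string) =
    let sb = StringBuilder(s.Length)
    for c in s do
        match c with
        | '&'  -> sb.Append "&amp;"  |> ignore
        | '<'  -> sb.Append "&lt;"   |> ignore
        | '>'  -> sb.Append "&gt;"   |> ignore
        | '"'  -> sb.Append "&quot;" |> ignore
        | '\'' -> sb.Append "&#x27;" |> ignore
        | ch   -> sb.Append ch       |> ignore
    sb.ToString()

/// Vulnerable (hypothetical): the saved field value is concatenated straight
/// into markup, so a stored <script> tag runs when the view page loads.
let renderViewUnsafe (label: string) (value: string) =
    sprintf "<div class=\"field\"><label>%s</label><span>%s</span></div>" label value

/// Hardened (hypothetical): every untrusted value is encoded before it is
/// placed into the HTML, so the same input is rendered as literal text.
let renderView (label: string) (value: string) =
    sprintf "<div class=\"field\"><label>%s</label><span>%s</span></div>"
        (htmlEncode label) (htmlEncode value)

// Constructed sample standing in for a value a user typed into a text box.
let stored = "<script>alert(1)</script>"
printfn "%s" (renderViewUnsafe "Name" stored)  // script tag survives intact
printfn "%s" (renderView "Name" stored)        // emitted as &lt;script&gt;...
```

In production code `System.Net.WebUtility.HtmlEncode` from the .NET base library does the same job; the hand-written version is here only to make the encoding rules visible. Encoding must be applied on output for every context the value lands in, and values placed into JavaScript or URL contexts need the encoding appropriate to that context, not HTML encoding.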

jeroldhaas commented 8 years ago

These might be a good starting point - there are some more but their compatibility with Suave might be suspect: