-
Notifications
You must be signed in to change notification settings - Fork 60
Add XSS information for Goodie instant answers. #39
Conversation
- Add question to the Goodie FAQ section. - Add questions to the developer checklist. - Include links to OWASP as an authoritative source on XSS. - Improve indentation in checklist for "sub-questions." - Slightly change text of extant Goodie FAQ. This includes the two most obvious places to attempt to get developer attention on potential XSS issues. The tutorial itself does not include an example of returning HTML, so I did not want to muddy up those waters.
(This section is still growing! Know what should go here? Then **please** [contribute to the documentation](https://github.com/duckduckgo/duckduckgo-documentation/blob/master/CONTRIBUTING.md)!) | ||
### Can Goodie instant answers include the user's query string? | ||
|
||
They probably shouldn't. There is a lot of potential for [cross-site scripting attacks](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) when working with user-supplied strings. While the platform attempts to mitigate these issues in pure ASCII responses, HTML responses should **never** include a raw query string. It is safest to return only data which is generated by your Goodie itself. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"probably" makes it sound like we're unsure about the situation in general. I think it should say something like:
"Yes, however they must be handled very carefully because there is a lot of potential for cross-site scripting attacks when working with user-supplied strings."
@mwmiller made a few suggested changes, otherwise LGTM. |
- Equivocate less in the FAQ answer. - Make doubly sure that they understand which sorts of strings may be dangerous in the developer_checklist. As always, big thanks to @moollaza for proof-reading and editorial assistance.
I really need to make fix my markdown handling and color scheme so I can read this more easily in the editor.. instead of pushing out nonsense like this and catching it on the page.
@moollaza With the latest couple of commits, I think your concerns are covered. I presumed that you bolded "unsanitized" in your comment for my benefit, not as something to include in the output text. The "which" clause already sort-of qualifies with which text we are concerned. Regardless, if you want bold, I know how to make that happen. 😁 |
LGTM 👍 |
Add XSS information for Goodie instant answers.
- Did you set `is_unsafe` to true? | ||
|
||
- Can this instant answer return an HTML response? | ||
- Have you guaranteed that the response does not contain unsanitized user-supplied strings (e.g. the query string) which could lead to [cross-site scripting attacks](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome! I like this.
This includes the two most obvious places to attempt to get developer
attention on potential XSS issues. The tutorial itself does not include
an example of returning HTML, so I did not want to muddy up those
waters.
[Once this pull request is reviewed and vetted, it will resolve issue #33.]