This repository has been archived by the owner on Jan 10, 2019. It is now read-only.

Add XSS information for Goodie instant answers. #39

Merged
merged 3 commits into from
Mar 11, 2014
8 changes: 5 additions & 3 deletions duckduckhack/resources/faq.md
Expand Up @@ -81,11 +81,13 @@ Sure -- check out [our partnerships page](http://help.duckduckgo.com/customer/po

## Goodie

### Can Goodie instant answers make HTTP requests?
### Can Goodie instant answers make network requests?

Sorry, but unfortunately not. You might want to consider creating a Spice instant answer if you are trying to use an API.
No. If you are trying to use an API, you should consider creating a Spice instant answer instead.

(This section is still growing! Know what should go here? Then **please** [contribute to the documentation](https://github.com/duckduckgo/duckduckgo-documentation/blob/master/CONTRIBUTING.md)!)
### Can Goodie instant answers include the user's query string?

Yes, **however** they must be handled very carefully. User-supplied strings create a lot of potential for [cross-site scripting attacks](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29). While the platform attempts to mitigate these issues in pure ASCII responses, HTML responses should **never** include a raw query string. It is safest to return only data which is generated by your Goodie itself.

## Spice

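Review bot: the new answer under "Can Goodie instant answers include the user's query string?" tells authors what not to do but not what to do when the query must appear in an HTML response, and the sentence "While the platform attempts to mitigate these issues in pure ASCII responses" leaves unclear which response types are actually covered by the platform and which are left to the author. Suggest stating the concrete remedy alongside the warning, e.g. "If the query must appear in an HTML response, HTML-entity-encode it before inserting it, and prefer a plain-text response where possible", and naming the response types the platform protects versus those it does not. Also, the "(This section is still growing! ...)" contribute line is removed rather than moved below the new question; if the section is still open for contributions, consider keeping it after the new answer.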
Expand Up @@ -13,17 +13,20 @@ Before your instant answer is ready to be submitted, please go over this checkli
(Know what should go here? Then **please** [contribute to the documentation](https://github.com/duckduckgo/duckduckgo-documentation/blob/master/CONTRIBUTING.md)!)

- Can this instant answer return unsafe content (bad words, etc)
- Did you set `is_unsafe` to true?
- Did you set `is_unsafe` to true?

- Can this instant answer return an HTML response?
- Have you guaranteed that the response does not contain unsanitized user-supplied strings (e.g. the query string) which could lead to [cross-site scripting attacks](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)?
Awesome! I like this.


## Spice

(Know what should go here? Then **please** [contribute to the documentation](https://github.com/duckduckgo/duckduckgo-documentation/blob/master/CONTRIBUTING.md)!)

- Did you write any custom css?
- If so, did you namespace the css? (every instant answer has a div with id="spice_<template_name>", use that to target your styles so you don't overwrite any global styles)
- Did you namespace the css? (every instant answer has a div with id="spice_<template_name>", use that to target your styles so you don't overwrite any global styles)

- Can this instant answer return unsafe content (bad words, etc)
- Did you set `is_unsafe` to true?
- Did you set `is_unsafe` to true?

## Fathead

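Review bot: the new XSS checklist item is added only under Goodie, while the Spice checklist below keeps the parallel `is_unsafe` item but gets no equivalent question about unsanitized user-supplied strings in HTML responses; since the Spice section already covers HTML-side concerns (custom css, the `spice_<template_name>` div), consider adding the same "Can this instant answer return an HTML response?" item there, or noting in the PR why Spice is out of scope. Minor: the new sub-item is worded "Have you guaranteed" while every other sub-item in the checklist uses "Did you"; "Did you make sure" would keep the list consistent.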