You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
At the moment there are several issues when it comes to form data submission. Some can be easily solved client-side, while others need more consideration on the server. Specifically these two instances come to mind:
Validation codes
This is specifically for recovery and email validation codes. When the user copies codes out from an email, they might contain leading or trailing white-space. This is not a major issue and can be handled client-side, although in that case @ory/elements should probably do that by default instead of putting that burden on the developer.
Traits
This one is harder to handle client-side only. If you have a required trait right now, something like "nickname" and you require in the schema that the min length of it is 3 characters, a malicious user can just submit three spaces (or other white-space characters), which might be undesirable. While for honest users this can be mitigated by just trimming all traits on the client side, this does not stop a malicious actor of calling the API directly.
While the Kratos documentation talks about sanitization in the schema section, this is really just about validation. The only way right now to work around this issue is to a) trim inputs on the client side and b) apply the following pattern regexp to all traits:
^(?!\s)(.*)(?<!\s)$
In summary it'd be a good idea to always trim all input before entering the validation phase. Alternatively an extension could be added to the JSON schema to enable trimming on a case-by-case basis. In that case validation codes and such which, by nature, do not contain white-space, should always be trimmed.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
At the moment there are several issues when it comes to form data submission. Some can be easily solved client-side, while others need more consideration on the server. Specifically these two instances come to mind:
Validation codes
This is specifically for recovery and email validation codes. When the user copies codes out from an email, they might contain leading or trailing white-space. This is not a major issue and can be handled client-side, although in that case
@ory/elementsshould probably do that by default instead of putting that burden on the developer.Traits
This one is harder to handle client-side only. If you have a required trait right now, something like "nickname" and you require in the schema that the min length of it is 3 characters, a malicious user can just submit three spaces (or other white-space characters), which might be undesirable. While for honest users this can be mitigated by just trimming all traits on the client side, this does not stop a malicious actor of calling the API directly.
While the Kratos documentation talks about sanitization in the schema section, this is really just about validation. The only way right now to work around this issue is to a) trim inputs on the client side and b) apply the following pattern regexp to all traits:
^(?!\s)(.*)(?<!\s)$In summary it'd be a good idea to always trim all input before entering the validation phase. Alternatively an extension could be added to the JSON schema to enable trimming on a case-by-case basis. In that case validation codes and such which, by nature, do not contain white-space, should always be trimmed.
Beta Was this translation helpful? Give feedback.
All reactions