Question: DON'T apply any filters inside any scriptable contexts? #63

chiefjester · 2017-03-21T21:25:09Z

I'm not sure I follow. Can you elaborate when to use the filter? I assume filter means any method in xssFilters?

Is this warning only applies on Client-side?
Why is the example right before the warning applying filters inside a scritable context / <script>

<script>
var firstname = "..."; //an untrusted input collected from user
document.write('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>')
</script>

The text was updated successfully, but these errors were encountered:

adon-at-work · 2017-03-21T21:40:39Z

good question. let's take a look at two vuln examples of what we want dev to avoid:

// assume you're using express at server-side
res.send('<a onclick="func(' + xssFilters.inDoubleQuotedAttr(untrusted) + ')">bomb</a>')

// assume on client-side
document.write('<a onclick="func(' + xssFilters.inDoubleQuotedAttr(untrusted) + ')">bomb</a>')

will that help better explain what scriptable context means?

chiefjester · 2017-03-21T22:07:52Z

thank you for the quick response!

chiefjester changed the title ~~Question: DON'T apply any filters inside any scriptable contexts~~ Question: DON'T apply any filters inside any scriptable contexts? Mar 21, 2017

chiefjester closed this as completed Mar 21, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Question: DON'T apply any filters inside any scriptable contexts? #63

Question: DON'T apply any filters inside any scriptable contexts? #63

chiefjester commented Mar 21, 2017

adon-at-work commented Mar 21, 2017

chiefjester commented Mar 21, 2017

Question: DON'T apply any filters inside any scriptable contexts? #63

Question: DON'T apply any filters inside any scriptable contexts? #63

Comments

chiefjester commented Mar 21, 2017

adon-at-work commented Mar 21, 2017

chiefjester commented Mar 21, 2017