This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

Improve Input Validation and output Sanitization. #16

Open
sveeke opened this issue Jun 18, 2018 · 0 comments
Open

Labels
bug-security risk-low Security issues with a low impact
Milestone

Comments

@sveeke
Contributor

sveeke commented Jun 18, 2018

threatLevel="Low" type="User input validation"

The current implementation of input validation and output sanitization of the application removes tags such as <script>bla</script> but allows dangerous characters such as < > " ' / when there is a leading space: < script>bla< /script>.

A leading space does not result in a valid XSS, but it is recommended to strip dangerous characters and escape them properly to decrease the attack vector.

Example request that contains the dangerous characters:

POST /v1/issuer/issuers HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token f58408e93d4a503f9e66f9103775a3c104bf8189
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/create
Content-Length: 146
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"name":" <  >  \"  '  / ","description":"fff\n <  >  \"  '  / ","email":"[email protected]","url":"https://www.edubadges.nl"}

Response:

POST /v1/issuer/issuers HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token f58408e93d4a503f9e66f9103775a3c104bf8189
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/create
Content-Length: 146
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"name":" <  >  \"  '  / ","description":"fff\n <  >  \"  '  / ","email":"[email protected]","url":"https://www.edubadges.nl"}

impact:
Not validating the user input could result in issues such as XSS.

recommendation:
Filter all client-provided input parameters, and escape all output.
Make use of a whitelist, and prevent certain characters from being inserted if it's not necessary for the working of the application.
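The report above contrasts a sanitizer that removes `<script>` tags with one that escapes every special character on output and whitelists input. The following Python example is added here to illustrate that contrast; it is not Badgr's code and does not reproduce its sanitizer. The tag-stripping function models the denylist behaviour the issue describes, the whitelist pattern for the issuer `name` field is a hypothetical choice, and the sample strings are constructed from the values quoted in the issue.

```python
import html
import re

# Constructed sample values, taken from the shapes quoted in the issue:
# a plain script tag, the same tag with a leading space, and the name field payload.
SAMPLES = {
    "plain_tag": "<script>bla</script>",
    "spaced_tag": "< script>bla< /script>",
    "name_field": ' <  >  "  \'  / ',
}

# Denylist-style sanitizer: only recognises a well-formed <script> tag.
# Assumption: this models the behaviour the issue describes, not the project's real code.
SCRIPT_TAG_RE = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)

# Characters the issue calls out as dangerous in an HTML context.
DANGEROUS_CHARS = set('<>"\'/')


def strip_script_tags(value: str) -> str:
    """Remove <script> and </script> tags only; anything else passes through."""
    return SCRIPT_TAG_RE.sub("", value)


def dangerous_chars_in(value: str) -> set:
    """Return which of the flagged characters survive in a value (the check a reviewer would run)."""
    return {c for c in value if c in DANGEROUS_CHARS}


def escape_for_html(value: str) -> str:
    """Output escaping: convert every HTML-special character into an entity.

    html.escape with quote=True handles & < > " and '. The slash is not special
    in HTML text or attribute values, so it is left as-is; it only matters when the
    value ends up inside a <script> block or a URL, which need their own encoders.
    """
    return html.escape(value, quote=True)


def render_issuer_name(name: str) -> str:
    """Build the fragment a template would emit, escaping at the output boundary."""
    return '<span class="issuer-name">%s</span>' % escape_for_html(name)


# Hypothetical whitelist for an issuer name: letters, digits, spaces and a few
# punctuation marks; none of the characters flagged in the issue are permitted.
ALLOWED_NAME_RE = re.compile(r"[A-Za-z0-9 .,&()-]{1,255}")


def validate_issuer_name(name: str) -> bool:
    """Whitelist validation applied on input, before the value is stored."""
    return ALLOWED_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        stripped = strip_script_tags(value)
        print(label)
        print("  after tag stripping :", repr(stripped),
              "leftover dangerous chars:", sorted(dangerous_chars_in(stripped)))
        print("  after output escaping:", repr(escape_for_html(value)))
        print("  passes name whitelist:", validate_issuer_name(value))
```

Running the block shows the point of the recommendation: tag stripping removes the well-formed `<script>` but leaves `< script>` and every one of `< > " ' /` untouched, whereas escaping at the output boundary neutralises all three samples regardless of spacing, and the whitelist rejects the `name` payload before it is ever stored.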

@sveeke sveeke added the risk-low Security issues with a low impact label Jun 18, 2018
@sveeke sveeke added this to the Pilot 2018 milestone Jun 18, 2018