Skip to content
This repository has been archived by the owner on Aug 30, 2024. It is now read-only.

user ui xss prevention

chris grzegorczyk edited this page Feb 13, 2013 · 2 revisions

Table of Contents

Overview

In Eucalyptus User Console, we use context-sensitive output escaping/encoding as the main XSS prevention technique. Starting with 3.3.0, UI proxy does not do any escaping on the server-side and all untrusted output is expected to be handled safely by the client-side code. This approach allows us to use context-sensitive escaping close to the sink of data when the exact context in which it's used is known.

Guidelines

jQuery specific

  • Avoid using or escape untrusted data before passing it to the following jQuery methods
after() prependTo()
append() replaceAll()
appendTo() replaceWith()
before() unwrap()
html() wrap()
insertAfter() wrapAll()
insertBefore() wrapInner()
prepend() $()
  • Whenever possible use text(danger) or val(danger) to display untrusted data (no escaping is required)
  • Do not use untrusted data in event handler attributes like onclick, onload, onmouseover, etc.
  • If have to use untrusted data in an unsafe sink, use escape() methods defined in esapi/DefaultEncoder.js to escape data depending on the context in which it's used
    • Context-sensitive escaping rules from here
Context Escaping
HTML Element encodeForHTML()
HTML Attribute encodeForHTMLAttribute()
JavaScript encodeForJavaScript()
HTML Style encodeForCSS()
URI Attribute encodeForURL()
  • Avoid HTML construction "by hand" and using string concatenation, use jQuery's specific setter methods (eg., attr() and val()) instead
    • DON'T
 $html =  "<span title='" + title + ">" + str + </span>;
    • DO
 $html =  $('<span>').attr('title', title).text(str);

Handling of eucatable

  • Do not put unescaped untrusted data into eucatable
    • DON'T
 "mDataProp": "size"
    • DO
 "fnRender" : function(oObj){ return DefaultEncoder().encodeForHTML(oObj.aData.description);}
  • When creating an instance of the eucatable
    • options.id MUST be a static string (eg., sgroup, keypair)
    • options.filters MUST not come from user input, for example
 filters : [{name:"snap_state", options: ['all','in-progress','completed'], text: [snap_state_selector_all, snap_state_selector_in_progress, snap_state_selector_completed], filter_col:7, alias: {'in-progress':'pending','completed':'completed'}} ]

Constructing notifications and messages to the user

  • escape any untrusted data before passing it to one of the following methods that are known to be using HTML rendering methods
Method
addNote()
showFieldError()
validateOnType()
notifyError()
notifySuccess()
notifyMulti()
  • escape any untrusted data when .i18n.prop() is used

Useful References




Clone this wiki locally