3 defenses:
1 and 2: Add anti XSS functions to dwr.util and org.directwebremoting.Security, so both the server and the client have some filtering that will at least do something basic and simple.
From my limited understanding you can get scripts through these filters.
3. I think we should probably make setValue and other functions default to plain text rather than HTML so we are "secure" by default, and that the documentation that describes how to put your shields down/enable HTML can also explain XSS. However, this is quite a breaking change.
The useHtml was me starting to try things out and forgetting to take them out.
I'd love your input.
Joe.
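As an added illustration of defense 3 (not DWR's own code): a setValue that escapes by default and only writes raw HTML when the caller explicitly opts in. The option name `escapeHtml` and the element shape are assumptions made for this example.

```javascript
// Added example, not DWR code: "secure by default" value setting.
// Text is HTML-escaped unless the caller passes { escapeHtml: false }.
// The `escapeHtml` option name is an assumption, not the real DWR API.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the characters that change meaning in HTML text or attribute
// context. This is the easy "HTML to harmless text" case, not HTML cleaning.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decide how a value is written into the page. The default is escaped text;
// only an explicit { escapeHtml: false } lowers the shield.
function renderValue(value, options) {
  const opts = options || {};
  if (opts.escapeHtml === false) {
    return { mode: "html", content: String(value) };
  }
  return { mode: "text", content: escapeHtml(value) };
}

// Apply the decision to an element. `el` is anything with an innerHTML
// property: a DOM element in the browser, a plain object here so that the
// example also runs under Node without a DOM.
function setValue(el, value, options) {
  const rendered = renderValue(value, options);
  el.innerHTML = rendered.content;
  return rendered;
}

// Constructed sample input: untrusted data carrying a script tag.
const untrusted = "Bob <script>evil()</script>";
const el = { innerHTML: "" };
setValue(el, untrusted);                       // rendered as literal text
setValue(el, "<b>Bob</b>", { escapeHtml: false }); // caller accepts the risk
```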
On 11/18/06, Mike Wilson <mikewse@...> wrote:
Hi Joe,
I saw that you've been adding some "XSS" protection functions to util.js, and thought I'd check your plan here. What do you think our ambition should be? This is a biiiig subject...
I've been thinking to check if there are any other libraries doing these security checks, cleaning HTML etc, but maybe you already know what there is to find? Just converting HTML to harmless text is easy, but cleaning possibly "script-infected" HTML for "rich-text" display seems like a can of worms...
BTW: I didn't find any mention in todo.txt (as indicated by the TODO tags?) about these new "XSS" functions.
Best regards
Mike