[Cosmo-dev] Bug 9930: XSS vulnerability (or, h4x0r5 will steal ur passwurds!)
Travis Vachon
travis at osafoundation.org
Sat Jul 14 12:28:31 PDT 2007
+1
However, currently we solve this problem in two ways in two different
parts of the code because we're using different styles of code to
create the UI (for the technically interested, in the calendar we're
using DOM and document.createText, while in the list we're using
Node.innerHTML = "{uiHtml}" ).
This necessitates slightly different ways of guarding against XSS. In
calendar ui, using document.createTextNode takes care of this, while
the method I used (or, more appropriately, dojo.string.escapeXml)
should be used in the list ui. I've checked in r5081 to use the dojo
method for the list ui instead of the custom rolled String.replace
stuff.
Unfortunately, these two techniques are not compatible. If you do
document.createTextNode(dojo.string.escapeXml("<blink>foo</blink>"))
you get "<blink>foo</blink>"
-Travis
On Jul 13, 2007, at 9:44 PM, Brian Moseley wrote:
> On 7/13/07, Travis Vachon <travis at osafoundation.org> wrote:
>
>> Personally, I would suggest that we consider any XSS bugs we find
>> blockers for the release, since they tend to be easy to fix (see
>> r5077) but wait until later to do a thorough code review. Perhaps
>> foolishly, I volunteer to grab any that we find.
>
> they are easy to fix as one-offs, but in the long that's detrimental
> to the maintainability of the code. what we really need to do is agree
> on a policy for rendering html and executing javascript in user data
> and provide a utility that we can funnel all user data through to
> scrub it before it's rendered. i don't think that's something we need
> to mess with at this point. rather, i think we should acknowledge that
> 0.7 has xss vulnerabilities and set peoples' expectations that they
> shouldn't rely on it for data that should be secure.
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev