On 1/1/17, 11:35 PM, "omup...@gmail.com on behalf of OmPrakash Muppirala"
<omup...@gmail.com on behalf of bigosma...@gmail.com> wrote:

>On Sun, Jan 1, 2017 at 10:18 PM, Alex Harui <aha...@adobe.com> wrote:
>
>>
>>
>> On 1/1/17, 1:15 AM, "omup...@gmail.com on behalf of OmPrakash Muppirala"
>> <omup...@gmail.com on behalf of bigosma...@gmail.com> wrote:
>>
>> >
>> >Hmm, to play the devil's advocate, security should not be
>>pay-as-you-go.
>> >This should be opt-in by default.  Someone will have to go the extra
>>mile
>> >to turn it off.
>> >
>> >This is the sort of thing that will go out in the wild and folks will
>>get
>> >affected by it soon enough.  We will then need to push out an emergency
>> >release to fix an XSS attack made possible by FlexJS.
>> >
>> >Either that or we call the default implementation 'InsecureHTMLText' or
>> >something like that.
>>
>> Well, the article you posted specifically mentions "sanitizing any HTML
>> code submitted by a user."
>>
>> IMO, that is different from HTML code entered by a developer or sucked
>>in
>> from a database.  There are other opportunities to sanitize that
>>non-user
>> HTML that won't have runtime performance issues.
>>
>
>We don't always have control over the database from which the html snippet
>is loaded from.  Heck, I have access to flex.apache.org and I don't even
>know if the HTML in team.json has any insecure tags/js code.  Also, if I
>am
>going to load data from a third party web resource, I better sanitize any
>HTML they throw at me.  They might not have diligently cleaned every html
>snippet.
>
>For example, I might create an app that shows movie showtimes, user
>reviews
>and let them buy tickets.  The movie showtimes comes from Fandango's REST
>APIs and the reviews come from RottenTomatoes' REST APIs.  If
>RottenTomatoes does not sanitize their user entered reviews and saves them
>as HTML and we consume it, we will be putting our app at risk.
>
>This may seem like an uncommon usecase to you right now.  But at work, I
>have an app sec team that routinely does penetration tests against every
>third party open source code we use.  These sort of insecure features get
>flagged and we are blocked from using that framework/library until that
>issue has been publicly resolved.  I can imagine several other companies
>being so strict about security of their web apps.

Which popular JS frameworks have builtin sanitization and have wrapped the
innerHTML setter on all HTMLElements?

This is not how I was trained to handle these scenarios, but maybe things
have changed since I last went through security training.  IIRC, you are
supposed to sanitize the HTML on its return from the database/web service
or when the user submits the input, not when you pass it on to the UI
widgets.

-Alex


Reply via email to