On 1/2/17, 12:01 AM, "omup...@gmail.com on behalf of OmPrakash Muppirala" <omup...@gmail.com on behalf of bigosma...@gmail.com> wrote:
>On Sun, Jan 1, 2017 at 11:44 PM, Alex Harui <aha...@adobe.com> wrote: > >> >> >> On 1/1/17, 11:35 PM, "omup...@gmail.com on behalf of OmPrakash >>Muppirala" >> <omup...@gmail.com on behalf of bigosma...@gmail.com> wrote: >> >> >On Sun, Jan 1, 2017 at 10:18 PM, Alex Harui <aha...@adobe.com> wrote: >> > >> >> >> >> >> >> On 1/1/17, 1:15 AM, "omup...@gmail.com on behalf of OmPrakash >> Muppirala" >> >> <omup...@gmail.com on behalf of bigosma...@gmail.com> wrote: >> >> >> >> > >> >> >Hmm, to play the devil's advocate, security should not be >> >>pay-as-you-go. >> >> >This should be opt-in by default. Someone will have to go the extra >> >>mile >> >> >to turn it off. >> >> > >> >> >This is the sort of thing that will go out in the wild and folks >>will >> >>get >> >> >affected by it soon enough. We will then need to push out an >>emergency >> >> >release to fix an XSS attack made possible by FlexJS. >> >> > >> >> >Either that or we call the default implementation >>'InsecureHTMLText' or >> >> >something like that. >> >> >> >> Well, the article you posted specifically mentions "sanitizing any >>HTML >> >> code submitted by a user." >> >> >> >> IMO, that is different from HTML code entered by a developer or >>sucked >> >>in >> >> from a database. There are other opportunities to sanitize that >> >>non-user >> >> HTML that won't have runtime performance issues. >> >> >> > >> >We don't always have control over the database from which the html >>snippet >> >is loaded from. Heck, I have access to flex.apache.org and I don't >>even >> >know if the HTML in team.json has any insecure tags/js code. Also, if >>I >> >am >> >going to load data from a third party web resource, I better sanitize >>any >> >HTML they throw at me. They might not have diligently cleaned every >>html >> >snippet. >> > >> >For example, I might create an app that shows movie showtimes, user >> >reviews >> >and let them buy tickets. The movie showtimes comes from Fandango's >>REST >> >APIs and the reviews come from RottenTomatoes' REST APIs. If >> >RottenTomatoes does not sanitize their user entered reviews and saves >>them >> >as HTML and we consume it, we will be putting our app at risk. >> > >> >This may seem like an uncommon usecase to you right now. But at work, >>I >> >have an app sec team that routinely does penetration tests against >>every >> >third party open source code we use. These sort of insecure features >>get >> >flagged and we are blocked from using that framework/library until that >> >issue has been publicly resolved. I can imagine several other >>companies >> >being so strict about security of their web apps. >> >> Which popular JS frameworks have builtin sanitization > > > > >AngularJS: https://docs.angularjs.org/api/ng/directive/ngBindHtml (By >default the HTML is loaded in a secure way, i.e. sanitization is >attempted) > >Jquery: https://api.jquery.com/jquery.parsehtml/ (By default, Jquery does >not run scripts in the parsed HTML) These look like opt-in utility functions. Am I missing something? > >React: https://facebook.github.io/react/docs/dom-elements.html (No >sanitization(yet) , but you have to explicitly use the api >called: dangerouslySetInnerHTML) > > > >> and have wrapped the >> innerHTML setter on all HTMLElements? >> > >Yes, you can do this with direct javascript. But this is exactly why >people use frameworks. i.e. a framework is supposed to protect users from >shooting themselves in their foot. > If we create opt-in utility functions, you are welcome to build them into the heavier component sets. But I would still recommend doing so at the point of input and not by wrapping the html setter on UI widgets. For example, having an HTTPServiceThatReturnsSanitizedHTML would be my strong preference. And a TextAreaForTypingInHTML class. That was my training. It should be safer, and result in better performance. I can double-check with Adobe security experts if you want me to. What do others think? -Alex
