Security implications of using rich labels


Security implications of using rich labels

dmbaggett-2

Are there potential security issues with rich labels whose content is
user-generated? E.g., what if you set the text of a rich label to a <script>
tag with code in it? In general, are rich labels vulnerable to cross-site
scripting attacks?

Dave

--
View this message in context: http://www.nabble.com/Security-implications-of-using-rich-labels-tp25777925p25777925.html
Sent from the qooxdoo-devel mailing list archive at Nabble.com.


------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel

Re: Security implications of using rich labels

Noggin182
Just a quick question: by user generated, do you mean the user enters
some text that is stored in a database and possibly shown to other users?

dmbaggett wrote:
> Are there potential security issues with rich labels whose content is
> user-generated? E.g., what if you set the text of a rich label to a <script>
> tag with code in it? In general, are rich labels vulnerable to cross-site
> scripting attacks?
>
> Dave
>



Re: Security implications of using rich labels

Fabian Jakobs
Administrator
In reply to this post by dmbaggett-2
Hi Dave,
> Are there potential security issues with rich labels whose content is
> user-generated? E.g., what if you set the text of a rich label to a <script>
> tag with code in it? In general, are rich labels vulnerable to cross-site
> scripting attacks?
>
> Dave
>  
Yes they are. The value of a rich label is simply set using innerHTML.
You should always sanitize the HTML generated by a user or use a non
rich label.

Best Fabian


--
Fabian Jakobs
JavaScript Framework Developer

1&1 Internet AG - Web Technologies
Ernst-Frey-Straße 9 · DE-76135 Karlsruhe
Telefon: +49 721 91374-6784
[hidden email]

Amtsgericht Montabaur / HRB 6484
Vorstände: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich, Thomas Gottschlich, Robert Hoffmann, Markus Huhn, Hans-Henning Kettler, Dr. Oliver Mauss, Jan Oetjen
Aufsichtsratsvorsitzender: Michael Scheeren


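To illustrate Fabian's point, here is an added example (not qooxdoo's own code, nor code from anyone in this thread). It models the difference between a rich label, whose value is assigned to innerHTML and therefore parsed as markup, and a plain label, whose value is assigned to textContent. `makeLabel`, `setUntrustedValue` and `escapeAllowingBasicTags` are names constructed for this example; the sample message is likewise constructed. The escape-then-selectively-unescape approach lets a rich label keep a few attribute-free formatting tags while everything else, including script tags and tags carrying attributes, stays inert text.

```javascript
// Added example; not part of qooxdoo. Shows how untrusted text must be
// handled before it reaches a rich label (innerHTML) and how a plain
// label (textContent) sidesteps the problem entirely.

// Escape the characters that are significant in HTML text and attribute
// contexts so the browser renders them literally instead of parsing them.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow a small set of attribute-free formatting tags in an otherwise
// fully escaped string. Because the input is escaped first and only the
// exact sequences "<b>", "</b>", ... are restored, a tag with attributes
// (for example an event handler) never matches and stays escaped.
function escapeAllowingBasicTags(str) {
  const ALLOWED = ['b', 'i', 'em', 'strong'];
  let out = escapeHtml(str);
  for (const tag of ALLOWED) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`)
             .split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// Minimal stand-in for a label widget (constructed for this demo). A rich
// label writes its value to innerHTML, a plain label to textContent; the
// "node" object stands in for a DOM element so this runs outside a browser.
function makeLabel(rich) {
  const node = { innerHTML: '', textContent: '' };
  return {
    setValue(value) {
      if (rich) node.innerHTML = value;   // markup would be parsed by the browser
      else node.textContent = value;      // always rendered as literal text
    },
    node,
  };
}

// Defender-side wrapper: untrusted input reaches a rich label only after
// escaping (optionally keeping the allowed formatting tags).
function setUntrustedValue(label, untrusted, keepBasicFormatting = false) {
  const safe = keepBasicFormatting ? escapeAllowingBasicTags(untrusted) : escapeHtml(untrusted);
  label.setValue(safe);
}

// Constructed sample input: a message containing markup, as a user might type it.
const userInput = 'Hello <b>world</b> & "friends"';

// Compare what ends up in the node for the three strategies.
function demo(input = userInput) {
  const unsafe = makeLabel(true);
  unsafe.setValue(input);                      // markup reaches innerHTML unchanged

  const escaped = makeLabel(true);
  setUntrustedValue(escaped, input);           // everything rendered literally

  const formatted = makeLabel(true);
  setUntrustedValue(formatted, input, true);   // <b> kept, everything else literal

  const plain = makeLabel(false);
  plain.setValue(input);                       // textContent: no markup interpretation

  return {
    unsafe: unsafe.node.innerHTML,
    escaped: escaped.node.innerHTML,
    formatted: formatted.node.innerHTML,
    plain: plain.node.textContent,
  };
}

console.log(demo());
```

The "plain" path is the simplest defence and is what Fabian's "use a non rich label" amounts to; the escaped paths are for the case where the label genuinely needs to render some markup around user-supplied text.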

Re: Security implications of using rich labels

dmbaggett-2
In reply to this post by Noggin182

Yes, I mean that the label contents are set by some external entity -- a
user, a robot, a piece of malware, etc. :)

Dave


Matthew Gregory wrote:

>
> Just a quick question: by user generated, do you mean the user enters
> some text that is stored in a database and possibly shown to other users?
>
> dmbaggett wrote:
>> Are there potential security issues with rich labels whose content is
>> user-generated? E.g., what if you set the text of a rich label to a
>> <script>
>> tag with code in it? In general, are rich labels vulnerable to cross-site
>> scripting attacks?
>>
>> Dave
>>
>
>

--
View this message in context: http://www.nabble.com/Security-implications-of-using-rich-labels-tp25777925p25787331.html
Sent from the qooxdoo-devel mailing list archive at Nabble.com.

