XSS?


Kevin Ball

Jul 18, 2014, 5:50:07 PM
to ren...@googlegroups.com
Hey folks,

Working with a rendr app for the first time, and we're looking at ways to prevent XSS and scripting issues.  It seems like if the API returns content that is not safe to include in JS on a page (i.e. includes </script> tags) the initial bootstrapping breaks.  Does it make sense to do some sort of encode/decode in ViewEngine.prototype.getBootstrappedData and App.bootstrapData?  Or how are y'all handling this?  We are not the only consumer of this API, so even if we sanitize all of our user input we can't guarantee that all data will be sanitized on the backend.

Thanks!

-Kevin
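The script-breakout that the post above describes, shown as an added example that is not part of this thread and not rendr's own code: bootstrapped JSON is written into an inline script, so a value containing "</script>" ends the element early unless the serialiser escapes it. The function names are assumptions, not rendr APIs.

```javascript
// Added example, not rendr code. Function names are hypothetical.
// Characters that are unsafe inside an inline <script> body: "<" and ">"
// cover "</script>" and "<!--"; "&" matters if the payload is reused inside
// an attribute; U+2028/U+2029 are legal JSON but break older JS string
// literals with a SyntaxError. Each maps to a JSON \uXXXX escape, so the
// output stays valid JSON and the client needs no special decoding.
const SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Unsafe: what a naive bootstrap does. A value containing "</script>"
// terminates the script element; the rest is parsed as HTML by the browser.
function naiveBootstrapScript(data) {
  return '<script>window.__DATA__ = ' + JSON.stringify(data) + ';</script>';
}

// Safe: JSON.stringify, then replace each unsafe character with its escape.
function encodeForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) => SCRIPT_ESCAPES[ch]);
}

function safeBootstrapScript(data) {
  return '<script>window.__DATA__ = ' + encodeForScript(data) + ';</script>';
}

// Client side: plain JSON.parse recovers the original object unchanged.
function decodeBootstrappedData(encoded) {
  return JSON.parse(encoded);
}

// Constructed sample: an API field whose content a third party controls.
const SAMPLE = { comment: '</script><b>broke out</b>', note: 'a\u2028b' };
```

The naive output contains two "</script>" substrings, so the browser closes the script at the first one; the escaped output contains exactly one, the real closing tag, and round-trips through JSON.parse.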

tomas...@happypancake.com

Aug 4, 2014, 7:55:48 AM
to ren...@googlegroups.com
I've thought about this problem too. Would be very interested in any ideas.

Thanks, Tomas

Kevin Ball

Aug 12, 2014, 5:22:59 PM
to tomas...@happypancake.com, ren...@googlegroups.com
Hi Tomas,

We ended up implementing it within rendr, and submitting it as a pull request here: https://github.com/rendrjs/rendr/pull/382

I haven't heard a word from the rendr team either on the positive or the negative, but this fixed it for us and so far it's passed all of our testing.  Feel free to pull it over for your own use.

Regards,
Kevin



Josh Callender

Sep 8, 2014, 9:01:45 PM
to ren...@googlegroups.com
A way that I've gotten around this is to use the API adapter and have the server (your API layer) call the other sites.  This also tends to be good for security because there will normally be data parsing, caching, and private keys involved.