ruby on rails - Discourse.js and "cooked" strings -

-

i have been reviewing source code discourse.js, discussion forum written in ember/rails/postgres. i'm researching best practices in avoiding xss vulnerabilitys in these kinds of apps.

i notice discourse uses notion of "cooked" strings, partially pre-escaped strings used things bodies of posts, displays them in ember using triple mustaches ({{{}}}).

in other cases, however, such post title, discourse sends , receives raw, unescaped strings such "this & tag", , displays them using double mustaches {{{}}).

i have following questions this:

(1) seems discourse uses "cooking" fields in markdown supported, such post body. cooking merely way deal-with post-processed markdown fields, or intended address xss issues?

(2) not considered xss vulnerability have raw strings, including things html tags or html tags, passed server client in json? xss sniffers apparently complain such things, , people appear recommending html entity escaping and/or sanitization on server.

1) not sure discourse doing here. because markdown rendered html, needs use unescaped output. otherwise html generated markdown escaped. discourse seem have html sanitization within source code, allthough i'm not sure when applied.

2) no. json not executable format. long text treated text etc. there no issue. general idea, reason not escaping server side, mobile app using native controls display text. single page app , mobile app use same json api, escaping not necessary mobile app. additionally escaping requires context. owasp xss prevention cheat sheet defines set of contexts require different escaping. single escaping on server may wrong one.


Comments

Post a Comment

Popular posts from this blog

jQuery Mobile app not scrolling in Firefox -

-
i have mobile app built in jquery mobile. scrolling fine in chrome & safari, fails scroll in firefox on desktop. have other instances of same app, different features, , works across browsers. life of me, cannot figure this, please help! located here: http://re-brand.us/dsus/index.html seems bug in firefox: bug log . able scroll using keyboard not trackpad on mac. are using mac? i'll keep looking see if can find way around it.
Read more

c++ - How to add Crypto++ library to Qt project -

-
Image
i downloaded crypto++ source , compiled cryptlib project in visual studio 2013, , added generated .lib file qt project, made .pro file this: qt += core gui qt += sql greaterthan(qt_major_version, 4):qt += widgets target = untitled template = app sources += main.cpp\ mainwindow.cpp headers += mainwindow.h \ databasecontrol.h \ test.h forms += mainwindow.ui win32:config(release, debug|release): libs += -l$$pwd/ -lcryptlib else:win32:config(debug, debug|release): libs += -l$$pwd/ -lcryptlibd else:unix: libs += -l$$pwd/ -lcryptlib includepath += $$pwd/ dependpath += $$pwd/ win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/libcryptlib.a else:win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/libcryptlibd.a else:win32:!win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/cryptlib.lib else:win32:!win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/cryptlibd.lib else:unix: pre_targetdeps += $$pw
Read more

php array slice every 2th rule -

-
i have array on php outputs in txt file: printing grid -- 1 values -- undef = -9.99e+08 20.2 \nprinting grid -- 1 values -- undef = -9.99e+08 102.0 \nprinting grid -- 1 values -- undef = -9.99e+08 55.1 \nprinting grid -- 1 values -- undef = -9.99e+08 -18.3 \n what point, need nummeric values @ beginning of each rule. 20.2, 102.0, 55.1, -18,3 etc... example, there can more or less in txt file. now do? have tested array slice function can't exclude rule: printing grid -- 1 values -- undef = -9.99e+08 this array slice code... $arraygood = array_slice($arraybad, 1, 4); and foreach loop create text file: $file = fopen("array.txt","w"); foreach ($arraygood $meting => $waarde) { echo fwrite($file,$waarde . '\n'); } fclose($file); thanks! as posted in comments, understanding have array of strings similar following: $lines = array( "printing grid -- 1 values -- undef = -9.99e+08", "20.2 \nprinting grid --
Read more