ruby on rails - Discourse.js and "cooked" strings
I have been reviewing the source code of discourse.js, a discussion forum written in Ember/Rails/Postgres. I'm researching best practices for avoiding XSS vulnerabilities in these kinds of apps.
I notice Discourse uses the notion of "cooked" strings, partially pre-escaped strings used for things like the bodies of posts, and displays them in Ember using triple mustaches (`{{{ }}}`).
In other cases, however, such as post titles, Discourse sends and receives raw, unescaped strings such as "this & tag", and displays them using double mustaches (`{{ }}`).
I have the following questions about this:
(1) It seems Discourse uses "cooking" for fields in which markdown is supported, such as the post body. Is cooking merely a way to deal with post-processed markdown fields, or is it intended to address XSS issues?
(2) Is it not considered an XSS vulnerability to have raw strings, including things like HTML tags, passed from server to client in JSON? XSS sniffers apparently complain about such things, and people appear to be recommending HTML entity escaping and/or sanitization on the server.
1) I'm not sure what Discourse is doing here. Because markdown is rendered to HTML, it needs to use unescaped output; otherwise the HTML generated from the markdown would be escaped. Discourse does seem to have HTML sanitization within its source code, although I'm not sure when it is applied.
2) No. JSON is not an executable format. As long as text is treated as text etc., there is no issue. As a general idea, a reason for not escaping on the server side is a mobile app using native controls to display the text. If a single page app and a mobile app use the same JSON API, escaping is not necessary for the mobile app. Additionally, escaping requires context. The OWASP XSS Prevention Cheat Sheet defines a set of contexts that require different escaping. A single escaping on the server may be the wrong one.
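An added example (not Discourse's code or the original poster's) illustrating the answer's point: parsing JSON yields plain strings, the escaping belongs at render time in the output context, and a server that pre-escapes a title that the template escapes again produces visible `&amp;` artifacts. The payload, the `render` helper and the field names are constructed for the example.

```javascript
// Constructed sample JSON payload, shaped like what a Rails API might return:
// a raw title (rendered with {{title}}) and a server-sanitized cooked body
// (rendered with {{{cooked}}}). Nothing here is executable; it is just text.
const payloadFromServer = JSON.stringify({
  title: 'this & <b>tag</b>',
  cooked: '<p>hello <em>world</em></p>',
});

// Double-mustache style escaping for the HTML body/text context, using the
// character set recommended by the OWASP XSS Prevention Cheat Sheet.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`=]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
    "'": '&#39;', '`': '&#x60;', '=': '&#x3D;',
  })[ch]);
}

// The same title in a different output context (inside a JavaScript string
// literal) needs a different escaping; HTML entities would be wrong there.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (ch) => {
    const c = ch.charCodeAt(0);
    return c < 0x100
      ? '\\x' + c.toString(16).padStart(2, '0')
      : '\\u' + c.toString(16).padStart(4, '0');
  });
}

// Hypothetical client-side render step: JSON.parse only produces strings, so
// the risk is decided here, by how each field is inserted into the page.
function render(json) {
  const data = JSON.parse(json);
  return {
    // {{title}}: escape at output time, in the HTML text context.
    titleHtml: escapeHtml(data.title),
    // {{{cooked}}}: inserted unescaped, safe only because the server
    // already sanitized the rendered markdown.
    bodyHtml: data.cooked,
  };
}

// What a reader sees if the server already HTML-escaped the title and the
// template escapes it again: a literal "&amp;" in the rendered page.
function doubleEscaped(rawTitle) {
  return escapeHtml(escapeHtml(rawTitle));
}
```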