I have a service which appends (update service) text to an attribute. The text gets displayed later on other parts of my app. This chat service has one big problem, XSS. What is appery's recommended mitigation for this?
Q: Is there a way to prevent someone from injecting:
<script> alert('bug'); </script>
into a text field like this? I would think this is a relevant problem amongst other developers here.
Hi,
If you use this way to set label text - this text will be safe and alert won't be displayed: precodeApperyio("mobilelabelName").text("<script> alert('bug'); </script> ");/code/pre
I used Appery('').append() where I pass in a custom built DOM object (string). Could you tell me how the Apperyio().text() prevents this?
Okay, so since you claim that stopping this text problem can be stopped as early as setting the text value of a label then please explain where the hole is.
I type a message in an input, then submit it to a service to be stored:
var me = localStorage.getItem('myFirstName');
var test = Appery('messageField').val();
var id = localStorage.getItem('userId');
var convert = '{ "ID": "'+id+'", "Sender": "'+me+'", "Message": "'+test+'"}';
the JSON convert gets mapped to a column in my collections fine (unless scripts can be malicious in the db). Then to display what message I just wrote, I execute a query service to get the newly written message to the page.
Appery("chatItem").append('<li><...>'+convert.Message+'</...></li>');
Hi,
Your variable 'convert' is of string type, while you access it as an object.
First, convert it to object:prevar obj = JSON.parse(convert);/preThen use:preAppery("chatItem").append(''+obj.Message+'');/pre
I am aware of this, the second snippit of code is in another location (I assumed you would see that I converted it or else I would be getting errors...). I send convert as an object to the service, and then parse the contents to get the desired result (many fields like ID as specified).
Regardless, the string ( malicious script ) once written to in the page will fire. It looks like you put the obj.Message in quotes, which when I tried failed to prevent the script from running.
To be clear. I write to the service like this:
var me = localStorage.getItem('myFirstName');
var test = Appery('messageField').val();
var id = localStorage.getItem('userId');
var convert = '{ "ID": "'+id+'", "Sender": "'+me+'", "Message": "'+test+'"}';
Now the string is stored in the collection.
When I recall the information, I get the string and parse it. Then I write it back to the page.. I do this in two different locations and styles.
1] I pull the object (now string) and map it to the DOM using the arrow mapping. This method fails to prevent the script from executing once it gets inserted in the dom.
2] I built a custom chat panel, which involves manually writing a chat item to an itemlist using .append('<li><...>'+convert.Message+'</...></li>'). This method also fails to prevent the script from executing.
I figured out that this works nicely.
string = string.replace(/&/g, '& a m p;').replace(/< /g, '& l t ;').replace(/>/g, '& g t;').replace(/"/g, '& q u o t;');
Please let me know if this is still buggy
Where the replacement parameters don't have spaces in them. Too lazy to escape them on here
Hi Anon,
This is not a bug. You are trying to paste HTML layout and a message simultaneously. You could do change as you described above, but we'd recommend you to do this in 2 steps:
1) Paste tags, for example:
precodeAppery("chatItem").append('<li><... id="message"></...></li>');/code/pre
2) Paste text itself (safe insertion, jQuery will replace all the special symbols):precodeAppery("chatItem").find("#message").text(convert.Message);/code/pre