Monday, June 28, 2010

Soliciting approaches for GWT and XSS-prevention

Hey guys,

Most security papers I've read on the topic of XSS prevention suggest
escaping untrusted strings in a context-sensitive way in server-side
templating languages. However I sense that it's different with GWT
(and any other JS applications) in that received data from a data
source can be used in so many different ways before, during, and after
it is inserted in the page. This is particularly true when your GWT
application is simply hitting a data source for JSON or XML.

For this reason, it seems like best practice would be to escape in
your JS/GWT app immediately before writing untrusted data into a
particular context (JavaScript, attribute, etc.). But at the same time,
I don't like the idea of possibly dangerous strings buzzing around in
the browser memory of my clients, waiting for me to forget escaping a
string before writing it to the DOM.

What effective approaches have you taken with your GWT and JS
applications to protect against XSS?

Thankee kindly!

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
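The sink-side, context-sensitive escaping the post describes, as an added example that is not code from the original post or from GWT: the same untrusted value from a JSON response is encoded differently depending on whether it lands in HTML text, an attribute value or a JavaScript string, and an unrecognised context fails closed. The `untrusted` record and the `show()` handler name are constructed for the illustration.

```javascript
// Added example (not code from the original post or from GWT): encode
// untrusted data at the sink, chosen by the DOM context it is written into.
// Runs in Node or a browser; builds markup strings, so no DOM is needed.

// Constructed sample of what a JSON data source might return.
const untrusted = JSON.parse(
  '{"name":"O\'Neil <b>x</b>","tag":"a\\" onfocus=\\"y"}'
);

// HTML text content (between tags): neutralise tag and entity syntax.
function escapeHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted HTML attribute value: encode everything non-alphanumeric.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// JavaScript string literal: \uXXXX leaves only [A-Za-z0-9\] in the output,
// so the value can never close the literal or start a new statement.
function escapeJsString(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Single entry point: callers name the context; unknown contexts fail closed
// rather than falling back to an encoder that may be wrong for the sink.
function encodeForContext(context, value) {
  switch (context) {
    case 'html': return escapeHtmlText(value);
    case 'attr': return escapeHtmlAttr(value);
    case 'js':   return escapeJsString(value);
    default: throw new Error(`no encoder for context: ${context}`);
  }
}

// The same raw string is encoded differently for each sink it reaches.
// A JS string inside an attribute is a nested context: encode for the inner
// (JS) context first, then for the outer (attribute) context.
function renderRow(row) {
  const jsInAttr = encodeForContext('attr', encodeForContext('js', row.name));
  return `<span data-tag="${encodeForContext('attr', row.tag)}"` +
         ` onclick="show('${jsInAttr}')">` +
         `${encodeForContext('html', row.name)}</span>`;
}
```

Keeping the raw value in memory and encoding only at `renderRow` is what lets one string serve three sinks correctly; encoding once on receipt would commit to a single context too early.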
