1

I am working on some one page apps coded in JavaScript that currently use lodash. I would like to prevent Cross Site Scripting (XSS) using a standard library by:

1) Escaping all untrusted content

2) Encoding output depending on its destination CSS, HTML, HTMLAttribute JavaScript, JSON etc

I have seen a number of stack overflow answers but they don't provide a complete canonicalization / encoding solution in a standard library that I can write static test to make sure developers are using the library.

Is there an esapi or similar "light" library that I can use just for JavaScript?

I have seen the OWASP Esapi and the jQuery Encoder Plugin https://github.com/chrisisbeef/jquery-encoder and the SalesForce Encoder https://github.com/salesforce/secure-filters

At this moment I'm only interested canonicalizing input and encoding output. I'm also looking for something current, well maintained and ideally not dependent on other libraries.

Can anyone suggest the best approach to use?

Bob Gilmore
  • 12,608
  • 13
  • 46
  • 53
MikeyB_Leeds
  • 186
  • 9

2 Answers2

0

Are any templating frameworks in use? Ideally you should use a framework like React which handles the encoding by default. Then all you would have to do, is to make sure dagerouslySetInnerHTML is not used (or used safely).

Adding untrusted CSS is considered unsafe unless whitelist validated. Adding untrusted data to tags, can be safely done by assigning the data to element.textContent or by using jQuery's $.text(). Adding untrusted data to HTML attributes that are not event handlers, can be done using element.setAttribute or $.attr(). For double contexts like inside script tags (javascript context inside html context) or javascript event handler attributes (javascript context inside html attribute context), you would have to make sure you encode for both.

For HTML content you can optionally use DOMPurify to remove any active content, but that's more valid if you need to allow untrusted HTML fragments.

Erlend
  • 4,336
  • 22
  • 25
  • Thanks for the answer. Frameworks? yes. We are in the position where we a have a number both from legacy and different 3rd parties. Not all projects use jQuery. One of the reasons I was looking for a self contained library. Thanks for DOMPurify - I'll investigate that further Do you have any thoughts on how I can use "Static Analysis" to try and make sure Developers do the right thing? – MikeyB_Leeds Jan 04 '17 at 17:23
  • 1
    For JavaScript simply encode in `\xNN` format for all non alphanumerics. This way you don't have to double encode, as you don't end up with anything that needs HTML encoding too. Be wary of any URL parameters as these could end up with `javascript:` URLs in them, whitelist `http://` and `https://` if you need to insert dynamic content here. – SilverlightFox Jan 04 '17 at 23:11
0

I have seen a number of stack overflow answers but they don't provide a complete canonicalization / encoding solution in a standard library that I can write static test to make sure developers are using the library.

The reason is that the order in which you do these things is not only specific to each application, its specific to each variable being output in each application. Any testing suite you write is going to be specific to each application, you won't be able to write a "one-size fits all" test unless all the applications in your organization use the exact same technologies, methodologies, and processes. In my experience, no company has achieved this level of unification, unless its literally a single developer.

Do you have any thoughts on how I can use "Static Analysis" to try and make sure Developers do the right thing?

Veracode, HP Fortify are two COTS examples. I know they can check several different kinds of codebases. But these require injecting them into the development cycle for them to be effective... ideally as part of a build pipeline.

avgvstvs
  • 6,196
  • 6
  • 43
  • 74