flex-dev mailing list archives

From OmPrakash Muppirala <bigosma...@gmail.com>
Subject Re: [FlexJS] How to add html content?
Date Mon, 02 Jan 2017 17:38:24 GMT
On Jan 2, 2017 9:06 AM, "Alex Harui" <aharui@adobe.com> wrote:



On 1/2/17, 12:30 AM, "omuppi1@gmail.com on behalf of OmPrakash Muppirala"
<omuppi1@gmail.com on behalf of bigosmallm@gmail.com> wrote:

>On Mon, Jan 2, 2017 at 12:15 AM, Alex Harui <aharui@adobe.com> wrote:
>
>>
>>
>> On 1/2/17, 12:01 AM, "omuppi1@gmail.com on behalf of OmPrakash
>>Muppirala"
>> <omuppi1@gmail.com on behalf of bigosmallm@gmail.com> wrote:
>>
>> >
>> >AngularJS: https://docs.angularjs.org/api/ng/directive/ngBindHtml (By
>> >default the HTML is loaded in a secure way, i.e. sanitization is
>> >attempted)
>> >
>> >Jquery: https://api.jquery.com/jquery.parsehtml/ (By default, Jquery
>>does
>> >not run scripts in the parsed HTML)
>>
>> These look like opt-in utility functions.  Am I missing something?
>>
>
>No, they are opt-out functionalities.  That is, it is on by default; you
>need to actively do something to turn it off.  What is your definition for
>opt-in?

Are you saying that Angular and Jquery have ways of preventing you from
writing to innerHTML directly?  Otherwise it is opt-in.  You must use the
APIs they offer.


No, you can't do that unless you can change the way HTML/JavaScript works.

If you use their framework APIs, security is opt-out by default.



>
>In the AngularJS example, by default ng-bind-html tries to sanitize the
>html.  If the sanitizer is not loaded, an exception is thrown, but the
>HTML
>content is not rendered.
>
>In the jquery example, by default, no scripts are run in the loaded html.
>If you want to load the scripts in the loaded HTML  (i.e opt-out of
>sanitizing) , you need to set a variable.
>


>>
>> If we create opt-in utility functions, you are welcome to build them
>>into
>> the heavier component sets.
>
>
>I am saying we add security features as opt-out functionality.

That's fine for the heavier component sets as a composition of Basic/HTML
components and utility functions.  We should really start building such a
heavier set.  However, IMO, there are going to be plenty of apps that work
in a trusted environment and shouldn't have to pay the price of runtime
sanitization.

>
>
>>   But I would still recommend doing so at the
>> point of input and not by wrapping the html setter on UI widgets.  For
>> example, having an HTTPServiceThatReturnsSanitizedHTML would be my
>>strong
>> preference.  And a TextAreaForTypingInHTML class.  That was my training.
>> It should be safer, and result in better performance.  I can
>>double-check
>> with Adobe security experts if you want me to.
>>
>
>
>FlexJS already presents a hard enough barrier for anyone trying to render
>HTML content directly.  My suggestion is to add a HTMLText component that
>makes it easy to add such HTML to the DOM.  So, theoretically, this is the
>only place where we will need to sanitize the HTML before displaying it.

I guess we might want to stop and agree on goals.  Is the goal to be able
to advertise FlexJS as the framework that, if you use it, you'll never be
subjected to security issue?  That's a pretty serious undertaking and
hopefully not something we need to do for 1.0. I think there would be many
more things than an HTMLText component needed.


The goal for me is to implement basic security features in FlexJS.  I don't
want to adhere to an ideology blindly.  There are going to be exceptions
to the pay-as-you-go philosophy, and basic security is one of them.



Or is the goal to be able to make your app easier to analyze by some of
these penetration testing tools?



And then what?  These insecure, unsanitized HTML capabilities will be one of
the first things caught by any decent pen-test tool.


Whatever the goal, it doesn't seem right to me to try to sanitize in
HTMLText or Label.  IIRC, my training is to check people at the door and
trust them after instead of having everyone check every person they talk
to before they talk to them.  Once the bad person/data is in the door, it
is too late.


Let's agree to disagree here.  Let me add the code and then we can
review/discuss at that point.


Can you bug your security team and see if they think an HTMLText widget is
the right place, or have you already checked with them?


No, I have not.  But from my discussions with them in the past, this is a
vector for XSS attacks and they would be interested in having basic
protection by default.  Other frameworks do this because they got dinged in
the past.




>
>In summary, I am suggesting that we sanitize html only on the the HTMLText
>component (and perhaps the Label component?) and not all components.  That
>would be similar to what you are suggesting.
>
>Also, the sanitization can happen in a Util class as a static function, so
>the component itself will not become heavier.

Again, as long as it is PAYG and Composition-based, it is fine to start
out with not trusting in the heavier sets.   We don't want folks who work
in trusted environments to complain that FlexJS is too slow because they
are constantly updating some HTML in a label and it runs a scan on the
string on every update.


That is the exact reason I am suggesting we add an option to turn off
sanitizing in a trusted environment.  That is what AngularJS does.  The
mechanism is detailed in the earlier link I sent.

Thanks,
Om



My 2 cents.  I'd love to hear what others think.
-Alex
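Editor's note: the example below is added to illustrate the mechanism the thread is arguing about. It is not FlexJS code and not code from either Om or Alex. It shows an allow-list HTML sanitizer in plain JavaScript, and an HTMLText-style component that sanitizes by default and lets a trusted environment opt out per instance, which is the "opt-out by default" shape Om describes for ng-bind-html. The names sanitizeHtml, HTMLText and trusted are assumptions, as is the sample payload, which is constructed for the demo.

```javascript
"use strict";
// Added example, not FlexJS code: an allow-list HTML sanitizer plus an
// HTMLText-style component that sanitizes by default and lets a trusted
// environment opt out. Names (sanitizeHtml, HTMLText, trusted) are assumed.

const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "span"]);
// Elements whose contents are dropped along with the tag itself.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "template"]);
// Matches a comment, or an open/close tag, capturing slash, name and raw attributes.
const TAG_RE = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
// Attribute name, then a double-quoted, single-quoted or unquoted value.
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  // Keep existing entities such as &amp; intact, escape everything else.
  return s.replace(/&(?!#?\w+;)/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function escapeAttr(s) {
  return escapeText(s).replace(/"/g, "&quot;");
}

// href is allowed only for http(s)/mailto or relative URLs. Control characters
// are stripped first so "java\tscript:" cannot smuggle a scheme past the check.
function safeHref(value) {
  const v = value.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const colon = v.indexOf(":");
  if (colon === -1) return true;
  const scheme = v.slice(0, colon);
  if (/[\/?#]/.test(scheme)) return true; // colon sits in the path or query, not a scheme
  return scheme === "http" || scheme === "https" || scheme === "mailto";
}

function sanitizeAttrs(tag, raw) {
  let result = "";
  let a;
  ATTR_RE.lastIndex = 0;
  while ((a = ATTR_RE.exec(raw)) !== null) {
    const key = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    const allowed = key === "title" || (tag === "a" && key === "href");
    if (!allowed) continue; // drops onerror, onclick, style, srcdoc, ...
    if (key === "href" && !safeHref(value)) continue;
    result += ` ${key}="${escapeAttr(value)}"`;
  }
  return result;
}

function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  let skipUntil = null; // element whose close tag ends a dropped region
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    if (skipUntil !== null) {
      // Inside <script>...</script> and friends: drop text and tags until the close.
      if (m[1] === "/" && m[2] !== undefined && m[2].toLowerCase() === skipUntil) skipUntil = null;
      continue;
    }
    out += escapeText(text);
    if (m[2] === undefined) continue; // HTML comment: dropped
    const name = m[2].toLowerCase();
    const closing = m[1] === "/";
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) skipUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown element removed, its text kept
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[3])}>`;
  }
  if (skipUntil === null) out += escapeText(html.slice(last));
  return out;
}

// Stand-in for the component: sanitize by default, opt out per instance.
class HTMLText {
  constructor() {
    this.trusted = false;              // set true only for content from a trusted source
    this.element = { innerHTML: "" };  // placeholder for the DOM node (no browser needed)
  }
  set html(value) {
    this.element.innerHTML = this.trusted ? value : sanitizeHtml(value);
  }
  get html() {
    return this.element.innerHTML;
  }
}

// Constructed sample payload, not taken from the thread.
const UNTRUSTED = '<b>Hi</b><img src=x onerror=alert(1)><script>alert(2)</script>'
  + '<a href="javascript:alert(3)" onclick="x()">link</a><!-- c --><p title="t">a < b</p>';

const widget = new HTMLText();
widget.html = UNTRUSTED;
console.log(widget.html); // sanitized markup, handlers/script/javascript: URL gone
```

The regex tokenizer is deliberately small so the allow-list logic is readable; for a real component you would put the same policy behind a DOM-based sanitizer (for example DOMPurify) rather than regexes, since a browser's parser has many more quirks than this tokenizer models. The point the component shows is the one debated above: the scan runs in the setter on every update unless the instance is marked trusted, so a trusted environment pays nothing after flipping the flag.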
