flex-dev mailing list archives

From OmPrakash Muppirala <bigosma...@gmail.com>
Subject Re: [FlexJS] How to add html content?
Date Mon, 02 Jan 2017 08:30:30 GMT
On Mon, Jan 2, 2017 at 12:15 AM, Alex Harui <aharui@adobe.com> wrote:

>
>
> On 1/2/17, 12:01 AM, "omuppi1@gmail.com on behalf of OmPrakash Muppirala"
> <omuppi1@gmail.com on behalf of bigosmallm@gmail.com> wrote:
>
> >On Sun, Jan 1, 2017 at 11:44 PM, Alex Harui <aharui@adobe.com> wrote:
> >
> >>
> >>
> >> On 1/1/17, 11:35 PM, "omuppi1@gmail.com on behalf of OmPrakash
> >>Muppirala"
> >> <omuppi1@gmail.com on behalf of bigosmallm@gmail.com> wrote:
> >>
> >> >On Sun, Jan 1, 2017 at 10:18 PM, Alex Harui <aharui@adobe.com> wrote:
> >> >
> >> >>
> >> >>
> >> >> On 1/1/17, 1:15 AM, "omuppi1@gmail.com on behalf of OmPrakash
> >> Muppirala"
> >> >> <omuppi1@gmail.com on behalf of bigosmallm@gmail.com> wrote:
> >> >>
> >> >> >
> >> >> >Hmm, to play the devil's advocate, security should not be
> >> >>pay-as-you-go.
> >> >> >This should be opt-in by default.  Someone will have to go the
> >> >> >extra
> >> >>mile
> >> >> >to turn it off.
> >> >> >
> >> >> >This is the sort of thing that will go out in the wild and folks
> >>will
> >> >>get
> >> >> >affected by it soon enough.  We will then need to push out an
> >>emergency
> >> >> >release to fix an XSS attack made possible by FlexJS.
> >> >> >
> >> >> >Either that or we call the default implementation
> >>'InsecureHTMLText' or
> >> >> >something like that.
> >> >>
> >> >> Well, the article you posted specifically mentions "sanitizing any
> >>HTML
> >> >> code submitted by a user."
> >> >>
> >> >> IMO, that is different from HTML code entered by a developer or
> >>sucked
> >> >>in
> >> >> from a database.  There are other opportunities to sanitize that
> >> >>non-user
> >> >> HTML that won't have runtime performance issues.
> >> >>
> >> >
> >> >We don't always have control over the database from which the html
> >>snippet
> >> >is loaded from.  Heck, I have access to flex.apache.org and I don't
> >>even
> >> >know if the HTML in team.json has any insecure tags/js code.  Also, if
> >>I
> >> >am
> >> >going to load data from a third party web resource, I better sanitize
> >>any
> >> >HTML they throw at me.  They might not have diligently cleaned every
> >>html
> >> >snippet.
> >> >
> >> >For example, I might create an app that shows movie showtimes, user
> >> >reviews
> >> >and let them buy tickets.  The movie showtimes comes from Fandango's
> >>REST
> >> >APIs and the reviews come from RottenTomatoes' REST APIs.  If
> >> >RottenTomatoes does not sanitize their user entered reviews and saves
> >>them
> >> >as HTML and we consume it, we will be putting our app at risk.
> >> >
> >> >This may seem like an uncommon usecase to you right now.  But at work,
> >>I
> >> >have an app sec team that routinely does penetration tests against
> >>every
> >> >third party open source code we use.  These sort of insecure features
> >>get
> >> >flagged and we are blocked from using that framework/library until that
> >> >issue has been publicly resolved.  I can imagine several other
> >>companies
> >> >being so strict about security of their web apps.
> >>
> >> Which popular JS frameworks have builtin sanitization
> >
> >
> >
> >
> >AngularJS: https://docs.angularjs.org/api/ng/directive/ngBindHtml (By
> >default the HTML is loaded in a secure way, i.e. sanitization is
> >attempted)
> >
> >Jquery: https://api.jquery.com/jquery.parsehtml/ (By default, Jquery does
> >not run scripts in the parsed HTML)
>
> These look like opt-in utility functions.  Am I missing something?
>

No, they are opt-out functionalities.  That is, it is on by default; you
need to actively do something to turn it off.  What is your definition for
opt-in?

In the AngularJS example, by default ng-bind-html tries to sanitize the
html.  If the sanitizer is not loaded, an exception is thrown, but the HTML
content is not rendered.

In the jQuery example, by default, no scripts are run in the loaded HTML.
If you want to run the scripts in the loaded HTML (i.e. opt out of
sanitizing), you need to set a variable.



>
>
> >
> >React: https://facebook.github.io/react/docs/dom-elements.html (No
> >sanitization(yet) , but you have to explicitly use the api
> >called: dangerouslySetInnerHTML)
> >
>
> >
> >
> >> and have wrapped the
> >> innerHTML setter on all HTMLElements?
> >>
> >
> >Yes, you can do this with direct javascript.  But this is exactly why
> >people use frameworks.  i.e. a framework is supposed to protect users from
> >shooting themselves in their foot.
> >
>
> If we create opt-in utility functions, you are welcome to build them into
> the heavier component sets.


I am saying we add security features as opt-out functionality.


>   But I would still recommend doing so at the
> point of input and not by wrapping the html setter on UI widgets.  For
> example, having an HTTPServiceThatReturnsSanitizedHTML would be my strong
> preference.  And a TextAreaForTypingInHTML class.  That was my training.
> It should be safer, and result in better performance.  I can double-check
> with Adobe security experts if you want me to.
>


FlexJS already presents a hard enough barrier for anyone trying to render
HTML content directly.  My suggestion is to add an HTMLText component that
makes it easy to add such HTML to the DOM.  So, theoretically, this is the
only place where we will need to sanitize the HTML before displaying it.

In summary, I am suggesting that we sanitize HTML only in the HTMLText
component (and perhaps the Label component?) and not in all components.  That
would be similar to what you are suggesting.

Also, the sanitization can happen in a Util class as a static function, so
the component itself will not become heavier.

Thanks,
Om
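The following is an added example and is not code from this thread or from FlexJS. It sketches the two pieces Om describes: a static sanitizing utility (`sanitizeHtml`, an assumed name) and a hypothetical `HTMLText` component that sanitizes by default and requires an explicit, visible opt-out. The tag and attribute allowlists, the `isSafeUrl` rule, the `renderReview` helper and the untrusted review string are all constructed for this example. The sanitizer is teaching-sized: it shows the shape of the technique, not a complete HTML parser.

```javascript
// Added example (not code from the thread or from FlexJS): an allowlist
// sanitizer as a static-style utility, plus a hypothetical HTMLText component
// that is secure by default and requires an explicit opt-out.

// Tags that survive; any other tag is dropped but its text content is kept.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'span', 'a']);
// Per-tag attribute allowlist (constructed). Event handlers (on*) are never allowed.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), span: new Set(['class']) };
// Tags whose content is dropped too, so a script body cannot leak out as text.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);

// Escape text nodes so a stray '<' or '&' cannot start markup or an entity.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#[0-9]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Keep http(s), mailto and scheme-less relative URLs. Control characters are
// stripped before the check so padded "java\nscript:" does not slip through,
// and '&' is rejected in relative URLs so an entity cannot decode into a scheme.
function isSafeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (/^(https?:\/\/|mailto:)/.test(v)) return true;
  return !v.includes(':') && !v.includes('&');
}

// Rebuild an attribute string from the allowlist only.
function cleanAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let out = '';
  let a;
  while ((a = attrRe.exec(rawAttrs)) !== null) {
    const key = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (key.startsWith('on') || !allowed.has(key)) continue;
    if (key === 'href' && !isSafeUrl(value)) continue;
    out += ` ${key}="${escapeText(value).replace(/"/g, '&quot;')}"`;
  }
  return out;
}

// Static utility: walk the markup tag by tag and emit only what the allowlist permits.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the tag whose content is being discarded
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [full, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const closing = full.startsWith('</');
    if (skipUntil) {
      if (closing && name === skipUntil) { skipUntil = null; last = m.index + full.length; }
      continue;
    }
    out += escapeText(html.slice(last, m.index));
    last = m.index + full.length;
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;
    out += closing ? `</${name}>` : `<${name}${cleanAttrs(name, rawAttrs)}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last)); // unclosed <script>: drop the tail
  return out;
}

// Hypothetical HTMLText component (the name is Om's suggestion; the shape is this
// example's). Sanitizing is the default; turning it off is an explicit choice.
class HTMLText {
  constructor({ sanitize = true } = {}) {
    this.sanitize = sanitize;
    this.innerHTML = ''; // stands in for the wrapped DOM element's innerHTML
  }
  set html(value) {
    this.innerHTML = this.sanitize ? sanitizeHtml(value) : value;
  }
  get html() {
    return this.innerHTML;
  }
}

// Constructed sample: a third-party review that was stored without sanitizing.
const UNTRUSTED_REVIEW =
  '<p>Great <b>film</b>!</p><script>alert(1)</script>' +
  '<a href="javascript:alert(1)" onclick="x()">link</a>' +
  '<a href="https://example.com/r/1">source</a>';

// Render through the component; opts = { sanitize: false } is the opt-out.
function renderReview(html, opts) {
  const view = new HTMLText(opts);
  view.html = html;
  return view.html;
}

console.log(renderReview(UNTRUSTED_REVIEW));
```

Because `sanitizeHtml` is a free function rather than component state, the same call can also run at the point of input (a service layer that fetches the reviews), which is the placement Alex argues for; the component default only guarantees that markup reaching the DOM has passed through it at least once. For a real application, a maintained sanitizer such as DOMPurify should replace the regex walker here, since correct handling of malformed markup, namespaces and browser parsing quirks is well beyond what a few lines can cover.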
