If I need to prove (to the best of my ability) that my app is protected
against XSS with regards to innerHTML / innerText, how am I supposed to
do this?

There are three possible protectors (normally):

a.  The browser.  The browsers will not be able to do this automatically,
even with proposed standards.
b.  The framework.
c.  The application code.

With Label, for example, currently only htmlText = S will use
innerHTML.  But there could be a multitude of other APIs that eventually
cause framework code to set innerHTML.  It seems a monumental effort for
the developer to grep for all possible API calls that might somehow end
up doing an innerHTML = X in the framework, perhaps after layers and
layers of calls.  (And the developer may not be familiar with the app
code, either.)

That leaves the framework.  Seems pretty easy to grep for all uses of
innerHTML / innerText to validate it.

(And application code that uses innerHTML / innerText directly can be
validated like that, too, of course.)


Browsers are going to have HTML Sanitizer API some day:

    https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API

How is the application code supposed to even use this, if the framework
doesn't have a hook?  You really want to force apps to do
sanitizeFor(...).innerHTML?  That will cause double-parsing (since the
framework eventually does innerHTML = X on that value) and potential
side-effects if the two parses don't match due to context.


As for use cases, if something like Label or UITextField or such is used
in a List, and dataProvider comes from remote data, I would think it's
pretty easy to get into trouble if someone were to use htmlText = S for
display.  But that's just theoretical.

I'm actually not very familiar with how often the htmlText property is
used in the libraries.  I see that MX LegendItem seems to use it, but
maybe that's an outlier.


But htmlText is not the only place where innerHTML / innerText might be
used, so I don't want to focus just on that.  You don't know what Royale
contributors might use innerHTML / innerText for in the future, but you
could insist that they always call the sanitizer hook.
On 12/10/2021 4:27 AM, Harbs wrote:
> Sanitizing what? And why?
>
> What is the use case which is “dangerous”?
>
>> On Dec 10, 2021, at 11:49 AM, Edward Stangler wrote:
>>
>>
>> My mistake.
>>
>> Definitely should be sanitizing.  If you want PAYG, then make it default
>> (some global function) and something that can be overridden by those who
>> want to live dangerously.
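
The sanitizer-hook pattern this thread argues for (a default global
function that every framework innerHTML write goes through, overridable by
the application), as an added example that is not Apache Royale code and
not any poster's code.  It assumes a plain DOM-like element object with an
innerHTML property so it runs outside a browser; the element.setHTML call
in the Sanitizer API hook is an assumption about that API's shape, and the
hook falls back to text rendering where the method is absent.  The
findUnhookedHtmlWrites function is the "grep for all uses of innerHTML"
from the message made repeatable: it flags any innerHTML / outerHTML /
insertAdjacentHTML write that lacks the marker comment identifying the one
allowed write inside the hook.  SAMPLE_FRAMEWORK_SOURCE and UNTRUSTED_LABEL
are constructed sample inputs.

```javascript
// Added example (not Apache Royale code): one sanitizer choke point for all
// framework innerHTML writes, plus a source audit for writes that bypass it.

// Escape text so the browser renders it literally rather than as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Default hook: untrusted markup becomes literal text. Nothing is injected
// unless the app deliberately swaps in a hook that permits markup.
function textOnlyHook(element, html) {
  element.innerHTML = escapeHtml(html); // sanitizer-hook:allowed
}

// Hook for browsers that implement the HTML Sanitizer API. Assumed API shape:
// element.setHTML(html) sanitizes and assigns in one parse, so the already
// sanitized markup is not parsed a second time. Falls back to text elsewhere.
function sanitizerApiHook(element, html) {
  if (typeof element.setHTML === "function") {
    element.setHTML(html);
  } else {
    textOnlyHook(element, html);
  }
}

// The global, overridable hook (the "PAYG default" from the thread).
let sanitizerHook = textOnlyHook;

function setSanitizerHook(fn) {
  if (typeof fn !== "function") throw new TypeError("hook must be a function");
  sanitizerHook = fn;
}

function getSanitizerHook() {
  return sanitizerHook;
}

// The only framework entry point allowed to write markup into an element.
// Component code (e.g. an htmlText setter) calls this, never innerHTML.
function setInnerHTML(element, html) {
  sanitizerHook(element, html);
  return element.innerHTML;
}

// Source audit: flag lines that assign to markup sinks without the marker
// comment that identifies the hook itself. Comparisons (===) are ignored.
const SINK_RE = /\.(innerHTML|outerHTML)\s*\+?=(?!=)|\.insertAdjacentHTML\s*\(/;
const ALLOW_MARKER = "sanitizer-hook:allowed";

function findUnhookedHtmlWrites(source) {
  const findings = [];
  source.split("\n").forEach((line, index) => {
    if (SINK_RE.test(line) && !line.includes(ALLOW_MARKER)) {
      findings.push({ line: index + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample of framework source for the audit above. Lines 8 and 11
// write markup without going through the hook and should be flagged.
const SAMPLE_FRAMEWORK_SOURCE = [
  "function setInnerHTML(el, html) {",
  "  sanitizerHook(el, html);",
  "}",
  "function textOnlyHook(el, html) {",
  "  el.innerHTML = escapeHtml(html); // sanitizer-hook:allowed",
  "}",
  "function renderLegend(el, item) {",
  "  el.innerHTML = '<b>' + item.label + '</b>';",
  "}",
  "function isEmpty(el) { return el.innerHTML === ''; }",
  "function renderTip(el, tip) { el.insertAdjacentHTML('beforeend', tip); }",
].join("\n");

// Minimal stand-in for a DOM element so this runs outside a browser.
function makeElement() {
  return { innerHTML: "" };
}

// Constructed untrusted input, e.g. a label arriving from a remote dataProvider.
const UNTRUSTED_LABEL = "Bob <script>x()</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(setInnerHTML(makeElement(), UNTRUSTED_LABEL));
  console.log(findUnhookedHtmlWrites(SAMPLE_FRAMEWORK_SOURCE));
}
```

The point of handing the element to the hook, rather than returning a
sanitized string for the framework to assign, is the double-parse concern
raised above: a hook that calls element.setHTML directly parses once,
while sanitize-then-assign parses twice and the two parses need not agree.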