jkl

  • Joined: Wed Apr 01, 2009 8:43 am
  • Posts: 6
Tags:
  • autocomplete
  • datatable
  • general
  • xss

watch out for stored XSS when using default formatters

Posted: Fri May 21, 2010 9:52 am
Heads up everyone, if you use widgets such as autocomplete or datatable, you may be vulnerable to a stored XSS attack if you aren't specifying explicit formatters for textual data. The default formatters YUI supplies render textual data as HTML markup. In particular, if the textual data contains tags (such as script tags), those tags will be added to the page as live HTML. That may not be what you want.

Datatable supplies a formatter (formatText) which renders strings as text, escaping HTML brackets and ampersands. For autocomplete, you are going to have to copy the formatText implementation and override your autocomplete instance's formatResult method with it. As far as I know, autocomplete doesn't supply a proper formatter for textual data, nor is there a general YUI function which takes strings and outputs HTML text with entities.

jkl

  • Joined: Wed Apr 01, 2009 8:43 am
  • Posts: 6
Tags:
  • menu
  • widget
  • xss

Re: watch out for stored XSS when using default formatters

Posted: Fri May 21, 2010 2:43 pm
The same problem happens with the YUI Menu widget as well. In addition, the API documentation is misleading. In the documentation for the addItem method, it says one parameter represents a "String specifying the text of the item to be added to the menu." Actually, the string is interpreted as an HTML fragment, not text. You have to do the HTML escaping yourself.
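
The escaping formatter the two posts above describe, as an added example that is not YUI's own code: an entity-escaping text formatter, a replacement formatResult for AutoComplete built on it, and the same escaping applied before Menu.addItem. The formatResult(oResultData, sQuery, sResultMatch) signature and the hardenAutoComplete / addTextItem helper names are assumptions, not taken from the thread or the library.

```javascript
// Escape the characters that let a stored string be parsed as HTML. The
// thread's formatText escapes brackets and ampersands; quotes are escaped
// here as well so the result is also safe inside an attribute value.
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Replacement for the default AutoComplete formatResult, which returns the
// raw match as an HTML fragment. This returns escaped text instead.
// Signature (oResultData, sQuery, sResultMatch) is an assumption about YUI 2.x.
function formatResultAsText(oResultData, sQuery, sResultMatch) {
  return escapeHtmlText(sResultMatch);
}

// Assumed helper: install the text formatter on an AutoComplete instance.
function hardenAutoComplete(ac) {
  ac.formatResult = formatResultAsText;
  return ac;
}

// Assumed helper: Menu.addItem treats its "text" argument as HTML, so escape
// before handing it over.
function addTextItem(menu, text) {
  menu.addItem(escapeHtmlText(text));
  return menu;
}

// Constructed sample: text a user could have stored earlier. Left unescaped,
// the default formatter would insert the script tag as live markup.
var storedSample = '<script>alert(1)</script> & "x"';

// Show what each formatter would hand to the browser for the same input.
function compareFormatters(text) {
  return { asHtml: text, asText: formatResultAsText({}, "", text) };
}

var demo = compareFormatters(storedSample);
console.log("default formatter output:", demo.asHtml);
console.log("text formatter output:   ", demo.asText);
```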

Ryan Grove

YUI Developer

  • Username: rgrove
  • Joined: Tue Dec 09, 2008 9:55 pm
  • Posts: 275
  • Location: Portland, OR
  • Twitter: yaypie
  • GitHub: rgrove
  • Gists: rgrove
  • IRC: rgrove
Tags:
  • security
  • bug
  • xss
  • ticket

Re: watch out for stored XSS when using default formatters

Posted: Mon May 24, 2010 8:27 am
Thanks for calling out these problems. If you haven't already, would you mind filing bugs for these and any other potential XSS vectors you find? That'll be the most reliable way to ensure they get in front of a developer immediately and that they're prioritized and fixed for the next release.

Michael Hudson

  • Username: Coachman140
  • Joined: Wed May 04, 2011 3:12 am
  • Posts: 2

Re: watch out for stored XSS when using default formatters

Posted: Wed May 04, 2011 3:22 am
How does cross site affect the formatters?