| Page 1 of 1 | [ 4 posts ] |
Heads up everyone, if you use widgets such as autocomplete or datatable, you may be vulnerable to a stored XSS attack if you aren't specifying explicit formatters for textual data. The default formatters YUI supplies render textual data as HTML markup. In particular, if the textual data contains tags (such as script tags), those tags will be added to the page as live HTML. That may not be what you want.
Datatable supplies a formatter (formatText) which renders strings as text, escaping HTML brackets and ampersands. For autocomplete, you are going to have to copy the formatText implementation and override your autocomplete instance's formatResult method with it. As far as I know, autocomplete doesn't supply a proper formatter for textual data, nor is there a general YUI function which takes strings and outputs HTML text with entities.
The same problem happens with the YUI Menu widget as well. In addition, the API documentation is misleading. In the documentation for the addItem method, it says one parameter represents a "String specifying the text of the item to be added to the menu." Actually, the string is interpreted as an HTML fragment, not text. You have to do the HTML escaping yourself.
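The escaping the two posts above ask for (a text formatter for AutoComplete, and escaping before a string reaches Menu's addItem), as an added example that is not YUI's own code. It assumes the YUI 2 formatResult signature (oResultData, sQuery, sResultMatch) and a hypothetical sample record; the escaper mirrors what DataTable's formatText does for brackets and ampersands and additionally escapes quotes.

```javascript
// Added example, not code from YUI or from the thread: an HTML-text
// escaper plus a replacement formatResult that renders result strings
// as text instead of live markup.

// Escape every character that can turn a string into markup. The post
// names brackets and ampersands; quotes are escaped too so the output is
// also safe inside an attribute value (an assumption of this example).
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so entities are not double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What the default, markup-rendering formatter effectively does with the
// matched string: it is returned as-is, so any tags in it become live HTML.
function defaultFormatResult(oResultData, sQuery, sResultMatch) {
  return sResultMatch;
}

// Replacement for YAHOO.widget.AutoComplete#formatResult (YUI 2 signature
// assumed). Same parameters, but the match is escaped before it is returned,
// so tags stored in the data show up as text. Query highlighting is omitted.
// Install it with:  myAutoComplete.formatResult = textFormatResult;
// The same escaper is what to apply before Menu's addItem:
//   menu.addItem(escapeHtmlText(untrustedLabel));
function textFormatResult(oResultData, sQuery, sResultMatch) {
  return escapeHtmlText(sResultMatch);
}

// Detection helper: true if the string still contains raw brackets or an
// ampersand that is not one of the entities produced above.
function containsRawMarkup(html) {
  return /[<>]|&(?!(amp|lt|gt|quot|#39);)/.test(html);
}

// Constructed sample: a stored value that carries markup, as a server
// backing an autocomplete might return it after a bad write.
const sampleMatch = 'Widgets <b>&</b> "things"';

// Side-by-side result for the sample, usable from a browser console or Node.
function demo() {
  return {
    unsafe: defaultFormatResult({}, "wid", sampleMatch),
    safe: textFormatResult({}, "wid", sampleMatch),
  };
}
```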
Thanks for calling out these problems. If you haven't already, would you mind filing bugs for these and any other potential XSS vectors you find? That'll be the most reliable way to ensure they get in front of a developer immediately and that they're prioritized and fixed for the next release.
How does cross site affect the formatters?
© 2006-2013 Yahoo! Inc. All rights reserved.
All code on this site is licensed under the BSD License unless stated otherwise.