32 lines
1.4 KiB
Org Mode
:PROPERTIES:
:ID: 6df725cd-289d-4c22-b359-c9e4d4167468
:END:
#+title: 2021-10-22

* Huddle to discuss XSS validation in the new-list client
- Concerns [[id:05698e38-65b2-496c-b02b-1db376ae734c][Validation vs Sanitization]]
- Sanitize on input in the frontend? (Ignore / remove invalid characters as
  data is being typed)
- Warn when invalid characters are present?
  - This is preferable
- It should be expected that the backend will return an error if/when invalid
  content is submitted

** How does this apply to tag entry?
- Tagging doesn't currently have an error state for invalid input that we can
  leverage

** Action items
- Chris V will bring tag input validation to the product meeting on Tuesday ([[file:~/Nextcloud/org/aweber.org::*Follow up with Chris V on tagging input validation][TODO]])
- I will start a thread in the backend channel re: backend validation of
  unwanted characters (vs sanitizing with [[https://github.com/mozilla/bleach][Bleach]]).

** Thread posting
Posting here for feedback / discussion:

While dealing with XSS vulnerabilities, besides updating HTML rendering to
properly escape data, we are taking the additional measure of disallowing
unwanted characters (specifically, =<= and =>=) in our back-end input
validation. I looked at the Bleach library, but that only makes sense to me in
cases where we want to accept, sanitize, and store HTML content.
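Added illustration of the two layers discussed above (the warn-or-reject validation for list and tag input, and escaping at render time); this is example code written for this note, not code from the new-list client or its backend. The function names, the error shape, the HTTP status codes and the sample payloads are assumptions made for the example.

```python
"""Added illustration (not the note's or the product's code): the two layers the
huddle discusses, as plain Python.

  1. Render-time escaping, which is the actual XSS fix.
  2. Input validation that rejects the unwanted characters "<" and ">" outright,
     rather than sanitizing them away (what Bleach would do for stored HTML).

Names, messages and the sample payloads are assumptions made for this example.
"""
import html
from dataclasses import dataclass, field

# The characters the thread post proposes to disallow in list/tag input.
DISALLOWED = frozenset("<>")


@dataclass
class ValidationResult:
    ok: bool
    # character -> offsets where it appears; drives an inline warning in the
    # client and an error response in the backend.
    offending: dict[str, list[int]] = field(default_factory=dict)

    def message(self) -> str:
        if self.ok:
            return ""
        chars = ", ".join(repr(c) for c in sorted(self.offending))
        return f"Input contains disallowed character(s): {chars}"


def validate_text(value: str) -> ValidationResult:
    """Return which disallowed characters occur and where.

    Reporting positions (not just a boolean) is what lets a client warn while
    the user types instead of silently dropping characters.
    """
    offending: dict[str, list[int]] = {}
    for i, ch in enumerate(value):
        if ch in DISALLOWED:
            offending.setdefault(ch, []).append(i)
    return ValidationResult(ok=not offending, offending=offending)


def validate_tags(tags: list[str]) -> dict[str, str]:
    """Per-tag error map (empty when everything is fine).

    The note says tag entry has no error state yet; this is one hypothetical
    shape such a state could take, keyed by tag so the client can mark the
    offending chip.
    """
    errors: dict[str, str] = {}
    for tag in tags:
        result = validate_text(tag)
        if not result.ok:
            errors[tag] = result.message()
    return errors


def backend_submit(value: str) -> tuple[int, dict]:
    """Hypothetical backend handler: reject, do not sanitize.

    Returns (HTTP status, JSON body). Validation runs on the raw input; the
    value is stored verbatim only when it passes.
    """
    result = validate_text(value)
    if not result.ok:
        return 400, {"error": result.message(), "positions": result.offending}
    return 201, {"stored": value}


def render(value: str) -> str:
    """Render-time escaping: the primary XSS fix, applied regardless of whether
    validation rejected anything, because stored data may predate the rule."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    payload = "Weekly <script>alert(1)</script> list"
    print(validate_text(payload).message())
    print(backend_submit(payload))
    print(backend_submit("Weekly list"))
    print(validate_tags(["newsletter", "q4<b>", "promo"]))
    print(render(payload))
```

The difference from running the input through Bleach is visible in =backend_submit=: a sanitizer returns a cleaned string and the request succeeds, so the user never learns that characters were dropped, whereas validation returns an error (with positions) that the client can surface as a warning. Note that rejecting =<= and =>= only blocks injection into HTML element context; =render= escapes quotes as well so that values placed in attributes are also covered, which is why the escaping change is the actual fix and the character rule is defense in depth.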