roam/daily/2021-10-22.org

32 lines
1.4 KiB
Org Mode
Raw Normal View History

2021-10-26 04:56:58 +00:00
:PROPERTIES:
:ID: 6df725cd-289d-4c22-b359-c9e4d4167468
:END:
#+title: 2021-10-22
* Huddle to discuss XSS validation in the new-list client
- Concerns [[id:05698e38-65b2-496c-b02b-1db376ae734c][Validation vs Sanitization]]
- Sanitize on input in the frontend? (Ignore / remove invalid characters as
data is being typed)
- Warn when invalid characters are present?
- This is preferable
- It should be expected that the backend will return an error if/when invalid
content is submitted
** How does this apply to tag entry?
- Tagging doesn't currently have an error state for invalid input that we can
leverage
** Action items
- Chris V will bring tag input validation to the product meeting on Tuesday ([[file:~/Nextcloud/org/aweber.org::*Follow up with Chris V on tagging input validation][TODO]])
- I will start a thread in the backend channel re: backend validation of
unwanted characters (vs sanitizing with [[https://github.com/mozilla/bleach][Bleach]]).
** Thread posting
Posting here for feedback / discussion:
While dealing with XSS vulnerabilities, besides updating HTML rendering to
properly escape data, we are taking the additional measure of disallowing
unwanted characters (specifically, =<= and =>=) in our back-end input
validation. I looked at the Bleach library, but that only makes sense to me in
cases where we want to accept, sanitize, and store HTML content.