roam/daily/2021-10-22.org
2021-10-26 00:56:58 -04:00

2021-10-22

Huddle to discuss XSS validation in the new-list client

  • Concerns Validation vs Sanitization
  • Sanitize on input in the frontend? (Ignore / remove invalid characters as data is being typed)
  • Warn when invalid characters are present?
    • This is preferable
  • It should be expected that the backend will return an error if/when invalid content is submitted

How does this apply to tag entry?

  • Tagging doesn't currently have an error state for invalid input that we can leverage

Action items

  • Chris V will bring tag input validation to the product meeting on Tuesday (TODO)
  • I will start a thread in the backend channel re: backend validation of unwanted characters (vs sanitizing with Bleach).

Thread posting

Posting here for feedback / discussion:

While dealing with XSS vulnerabilities, besides updating HTML rendering to properly escape data, we are taking the additional measure of disallowing unwanted characters (specifically, < and >) in our backend input validation. I looked at the Bleach library, but that only makes sense to me in cases where we want to accept, sanitize, and store HTML content.
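As an added illustration (not code from the thread or the project), the validate-and-reject approach described above, beside the sanitize-on-input alternative the huddle argued against and the render-time escaping that remains the primary fix; it uses only the Python standard library, and the sample inputs and function names are constructed for this note.

```python
import html

# Constructed sample inputs for this note: a list name, one with markup, an XSS probe.
SAMPLES = {
    "plain": "Groceries for the week",
    "angle": "Buy <b>milk</b>",
    "probe": "<script>alert(1)</script>",
}

# Characters the thread proposes to disallow outright in backend validation.
DISALLOWED = frozenset("<>")


def validate_text(value: str) -> list[str]:
    """Backend validation: return error messages (empty list means valid).

    Returning errors instead of silently altering the data is what lets the
    frontend warn the user, which the huddle preferred over sanitizing on input.
    """
    bad = sorted(DISALLOWED.intersection(value))
    if bad:
        return [f"disallowed characters: {' '.join(bad)}"]
    return []


def sanitize_text(value: str) -> str:
    """Sanitize-on-input alternative: silently drop disallowed characters.

    Shown for contrast only; it changes user data with no feedback. Bleach
    (bleach.clean) is the analogous tool when real HTML must be accepted and
    stored, which is the case the thread says does not apply here.
    """
    return "".join(ch for ch in value if ch not in DISALLOWED)


def render_html(value: str) -> str:
    """Output escaping, applied at render time regardless of validation.

    This is the actual XSS fix; rejecting < and > on input is defense in depth.
    """
    return html.escape(value, quote=True)


def submit(value: str) -> dict:
    """Simulate the backend: reject invalid input, otherwise store and render."""
    errors = validate_text(value)
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "stored": value, "rendered": render_html(value)}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, submit(text))
```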