[epiphany/mcatanzaro/#1612: 2/13] Add anti-XSS rules to HACKING file
- From: Marge Bot <marge-bot src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/mcatanzaro/#1612: 2/13] Add anti-XSS rules to HACKING file
- Date: Wed, 15 Dec 2021 19:30:58 +0000 (UTC)
commit ace17c8b29b40aa3fba1643907befcd33cacff31
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Tue Dec 14 16:42:30 2021 -0600
Add anti-XSS rules to HACKING file
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>
HACKING.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
---
diff --git a/HACKING.md b/HACKING.md
index 545d7c960..8a050769f 100644
--- a/HACKING.md
+++ b/HACKING.md
@@ -167,6 +167,19 @@ more `WebKitWebExtension`s (web process extensions). Meanwhile, each
`WebKitWebView` will have one or more `WebKitWebPage`s. Only one page will be
active in a view at a given time: the other pages are for process swaps.
+# Security
+
+When injecting untrusted data into web content, you need to properly encode the
+data for the relevant context in order to prevent XSS vulnerabilities. For
+example: page titles could be malicious, URLs could be malicious, web app IDs
+could be malicious, etc. You must carefully read and understand the [OWASP
+XSS Prevention
rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+or you will mess up. `lib/ephy-output-encoding.h` contains functions to help
+with this.
+
+When working with JavaScript, pay particular attention to Rule #8 "Prevent DOM-
+based XSS" as it is tricky and requires care throughout your JavaScript.
+
# Debugging
To enable debugging use the configure option `-Ddeveloper_mode=true`.
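Review bot: In the first added paragraph, the sentence pointing at `lib/ephy-output-encoding.h` says only that it "contains functions to help with this", without saying which helper is meant for which output context, and choosing an encoder that does not match the context is the mistake this section exists to prevent. Consider listing each helper next to the context it is safe for (HTML body, attribute value, JavaScript string, URL). In the second added paragraph, "Rule #8" depends on the numbering of an external page; referring to the rule by its title "Prevent DOM-based XSS" alone, or linking to it directly, would keep the reference valid if the cheat sheet is renumbered.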