[epiphany/mcatanzaro/xss-gnome-40: 2/13] Add anti-XSS rules to HACKING file
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/mcatanzaro/xss-gnome-40: 2/13] Add anti-XSS rules to HACKING file
- Date: Wed, 15 Dec 2021 20:46:46 +0000 (UTC)
commit 15bac4ddbf7305bbfb981ec1692c149ff4a74839
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Tue Dec 14 16:42:30 2021 -0600
Add anti-XSS rules to HACKING file
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>
HACKING.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
---
diff --git a/HACKING.md b/HACKING.md
index 7dc2ba628..5ec58737d 100644
--- a/HACKING.md
+++ b/HACKING.md
@@ -166,6 +166,19 @@ to the UI process, which is received in `EphyEmbedShell`. This should generally
be used rather than D-Bus when you need to send a message from the web process
to the UI process.
+# Security
+
+When injecting untrusted data into web content, you need to properly encode the
+data for the relevant context in order to prevent XSS vulnerabilities. For
+example: page titles could be malicious, URLs could be malicious, web app IDs
+could be malicious, etc. You must carefully read and understand the [OWASP
+XSS Prevention
rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+or you will mess up. `lib/ephy-output-encoding.h` contains functions to help
+with this.
+
+When working with JavaScript, pay particular attention to Rule #8 "Prevent DOM-
+based XSS" as it is tricky and requires care throughout your JavaScript.
+
# Debugging
To enable debugging use the configure option `-Ddeveloper_mode=true`.
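Review bot: the new Security section tells developers to encode for "the relevant context" but the pointer to `lib/ephy-output-encoding.h` does not say which contexts its helpers cover, so a reader cannot tell whether the header handles HTML body, HTML attribute, JavaScript string and URL encoding or only some of them; listing the helper functions with the context each one is for would make the rule actionable rather than leaving the developer to rediscover the mapping. A second, smaller point on the last paragraph: referring to the OWASP material as "Rule #8" ties the text to the cheat sheet's current numbering, which can change when the page is reorganized, so it would be more robust to keep the rule's title "Prevent DOM-based XSS" as the primary reference and treat the number as secondary.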