The risk of JavaScript attacks using Firebase

I am trying to understand / anticipate the security considerations associated with using Firebase as a backend.

The docs cover user authentication and input validation, but I cannot find any discussion of the risk associated with malicious users trying to insert JavaScript into the database.

Is it possible that JavaScript can be included in an input field that is stored in the database, which can then be executed later when this code is extracted and displayed elsewhere?

Or maybe the bomb data is dropped or sanitized anyway?

+6
3 answers

Any database (or other storage system) can be used to store malicious code, because it is inherent in their function: they simply store data.

Firebase SDKs and supported libraries (such as AngularFire, EmberFire, and ReactFire) ensure that they will never insert database information into HTML pages without saving. Although it is always possible that we (I work in Firebase) missed something, I don't remember it ever being reported.

+8
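The point of this answer, that the database just stores bytes and that safety depends on what the rendering code does with them, is easy to see in a minimal example. The code below is an added illustration, not from the thread and not part of any Firebase SDK; the stored record is a constructed sample, and `escapeHtml`, `renderUnsafe`, `renderSafe` and `containsTag` are hypothetical helper names. In a browser, assigning the value to `element.textContent` instead of `innerHTML` achieves the same result as `renderSafe` without any escaping function.

```javascript
// Added example, not from the original thread or the Firebase SDKs.
// Escape the five HTML-significant characters so a string read back from
// the database is rendered as text rather than parsed as markup.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample record: what a stored comment might look like after
// someone submitted markup through an ordinary input field. The database
// accepted it unchanged, exactly as the answer above says it will.
const storedComment = { author: 'guest', text: '<script>alert(1)</script>' };

// Unsafe pattern: raw database content interpolated into HTML. Whatever was
// stored becomes part of the page's markup (stored XSS).
function renderUnsafe(comment) {
  return `<p><b>${comment.author}</b>: ${comment.text}</p>`;
}

// Safe pattern: every database-derived value is escaped at output time,
// so the stored text is displayed literally and never parsed as a tag.
function renderSafe(comment) {
  return `<p><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.text)}</p>`;
}

// Defender-side check: does the rendered HTML still contain a real tag
// with the given name (as opposed to an escaped &lt;...&gt; sequence)?
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

console.log(renderUnsafe(storedComment)); // tag survives into the page
console.log(renderSafe(storedComment));   // tag shown as harmless text
```

The escaping is done at the output boundary, not at write time: the same stored string may later be shown in a plain-text e-mail or a JSON API, where HTML entities would be wrong, so each consumer encodes for its own context.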

You should properly avoid entering all users by placing them on a web page regardless of the backend.

+3

Firebase offers data validation, where you can check to enter JavaScript fragments into your database.

https://firebase.google.com/docs/database/security/securing-data#validating_data

And you should always sanitize your result, this is not related to Firebase, but a good rule of thumb.

0
