Geek Answers Handbook

Secure JSON and HTML JavaScript Service

I mean safe ways to serve HTML and JSON for JavaScript. I'm currently just outputting JSON as:

ajax.php?type=article&id=15 
 { "name": "something", "content": "some content" }

but I understand that this is a security risk - because articles are created by users. That way, someone can insert script tags (just an example) for the content and a link to their article directly in the AJAX API. Thus, I am now wondering how best to prevent such problems. One way would be to encode all non-alphanumeric characters from the input, and then decode in JavaScript (and encode again when you type).

Another option would be to send some headers that cause the browser to never display the response of AJAX API requests ( Content-Type and X-Content-Type-Options ).

+4
source share
6 answers

If you set the Content-Type to application/json , then NO browser will execute JavaScript on this page. This is different from RFC-4627 , and Google uses this to protect itself. Other Application/ Content types follow similar rules.

You still have to worry about DOM Based XSS , however it will be a problem with your JavaScript and not with json content. Another exotic security issue with Json is information leakage, such as a vulnerability in gmail .

Be sure to check your code. There is a free xss sitewatch scanner or open source Skipfish , and finally you can check it manually with a simple <script>alert(/xss/)</script> .

+6
source

Instead of worrying about how you can encode malicious code when it is returned, you should probably make sure that it doesn't even get into your database. A quick google search on cross-site scripting prevention and input validation can help you here. Greetings

+4
source

If a user needs to log in to view a web page, secure ajax.php with the same authorization mechanism. Then a client that is not logged in cannot directly access ajax.php to retrieve the data.

+1
source

I do not think your question is to verify user input, as others have pointed out. You do not want to share your JSON api with other people ... right?

If so, you canโ€™t do much ... in fact, even if you use HTML instead of JSON, people will still make HTML scrapers to get what they want from your site (this is how search engine spiders work )

A good way to prevent curettage is to allow only a certain amount of downloads from an IP address. Thus, if someone requests http://yoursite.com/somejson.json more than 100 times a day, you probably know his scraper, and not the one who visits your page 100 times in 1 day.

0
source

Inserting script tags (or SQL) is a problem only if you cannot be sure that it is not, that it could be a problem.

Tag

A <script> in the middle of the comment someone is submitting will not damage your server, and it will not damage your database. It would be painful if you did not take the appropriate measures, it would be a page that includes a comment when you subsequently serve it, and it gets into the client browser. To prevent this from happening, your code that prepares the page must ensure that the content provided by the user is always cleared before it is exposed to an uninformed interpreter. In this case, this uninformed interpreter is a client web browser. In fact, your client web browser really includes two uninformed interpreters: an HTML parser and a linking engine and a Javascript interpreter.

Another important example of an ignorant interpreter is your database server. Note that the <script> (almost certainly) is safe for your database because "" means nothing in SQL. These are other types of input that cause problems for SQL, such as quotes in strings (which are harmless to your HTML pages!).

Stackoverflow would be pretty lame if I couldnโ€™t put the <script> tags in my answers, as I am doing now. The same goes for examples of SQL injection attacks. Recently, someone linked a page to some famous American bank, where a large <textarea> was marked with a warning not to include the characters "<" or ">" in what you typed. As expected, the bank made fun of hundreds of Reddit comments, and rightly so.

In the same way that you โ€œclearโ€ the content provided by the user depends on the ignorant interpreter to whom you deliver it. If it is deleted in the middle of the HTML markup, you must ensure that the "<", ">" and "&" characters are encoded as HTML destinations. (You might also want to use quote characters if the content might be in the attribute value of the HTML element.) If the content needs to be removed in Javascript, you may not need to worry about HTML escaping, but you need to worry about quotes and possibly Unicode characters outside the 7-bit range.

0
source

For outputting secure html from php I recommend http://htmlpurifier.org/

0
source

More articles:


All Articles