Is Qooxdoo protected from XSS

I am looking for security information on Qooxdoo. I want to test my application against the OWASP Top 10. Viewpoint: XSS (OWASP A3, XSS).

How can I be sure that Qooxdoo is protected against XSS attacks? Does Qooxdoo use some kind of sanitizer?

Solved

Short answer from all the discussions: yes, Qooxdoo is safe against XSS. By default, no JavaScript value in any field will be executed.

But if you use rich = true, you need to check the input / output.

1 answer

XSS , - JS- -, DOM - .

XSS, , backend (un-cleaned) html ... ( qooxdoo).

, qooxdoo html, . qx.ui.basic.Label . Label HTML , rich. rich false, , , "" html-.

( ) qooxdoo HTML- DOM. . :

qx.ui.embed.Html
qx.ui.table.cellrenderer.Html
qx.ui.progressive.renderer.table.cell.Html
qx.ui.virtual.cell.Html
qx.ui.virtual.layer.HtmlCell
qx.ui.virtual.layer.HtmlCellSpan

qx.html.* qx.bom.* qx.dom.* DOM , qooxoo , .

cookie . , cookie , .

Qooxdoo , . qooxdoo , cookie. - - "singleton" , , .

... cookie.

qx.Class.define('myapp.Server', {
    extend : qx.io.remote.Rpc,
    type : "singleton",

    construct : function() {
        this.base(arguments);
        this.set({
            timeout     : 60000,
            url         : 'QX-JSON-RPC/',
            serviceName : 'default'
        });
    },

    properties: {
        sessionCookie: {
            init: null,
            nullable: true
        }
    },

    members : {
        /**
         * override the request creation, to add our 'cookie' header
         */
        createRequest: function() {
            var req = this.base(arguments);
            var cookie = this.getSessionCookie();
            if (cookie){
                req.setRequestHeader('X-Session-Cookie',this.getSessionCookie());
            }
            return req;
        }
    }
});

myapp.uiLogin, callAsync, , , .

/**
 * A asyncCall handler which tries to
 * login in the case of a permission exception.
 *
 * @param handler {Function} the callback function.
 * @param methodName {String} the name of the method to call.
 * @return {var} the method call reference.
 */
callAsync : function(handler, methodName) {
    var origArguments = arguments;
    var origThis = this;
    var origHandler = handler;
    var that = this;
    var superHandler = function(ret, exc, id) {
        if (exc && exc.code == 6) {
            var login = myapp.uiLogin.getInstance();

            login.addListenerOnce('login', function(e) {
                var ret = e.getData();
                that.setSessionCookie(ret.sessionCookie);
                origArguments.callee.base.apply(origThis, origArguments);
            });

            login.open();
            return;
        }

        origHandler(ret, exc, id);
    };

    if (methodName != 'login') {
        arguments[0] = superHandler;
    }

    arguments.callee.base.apply(this, arguments);
},

CallBackery, , .

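The answer's point is that a Label escapes its value unless `rich` is true, while the listed Html widgets render whatever markup they receive. The following added example (my own code, not qooxdoo's) shows the pattern for that case: escape every untrusted field before it is concatenated into markup destined for a rich label or `qx.ui.embed.Html`; the `renderUserCard` template and the sample input are constructed for the illustration.

```javascript
'use strict';

// Entities for every character HTML treats specially. Escaping both quote
// characters keeps the helper safe inside attribute values as well as text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Turn an untrusted value into inert text for a widget that renders HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build markup from a trusted, hard-coded template plus escaped data.
// Only the application's own tags (<b>, <span>) reach the widget unescaped;
// anything coming from the backend or the user is escaped first.
function renderUserCard(user) {
  return (
    '<b>' + escapeHtml(user.name) + '</b> ' +
    '<span title="' + escapeHtml(user.role) + '">' +
    escapeHtml(user.role) + '</span>'
  );
}

// Constructed sample: a record whose fields carry HTML and attribute-breaking
// text, the kind of backend data the answer warns about.
const untrustedUser = {
  name: '<script>alert(1)</script>',
  role: 'admin" onmouseover="alert(2)',
};

// Demonstrates that the hostile fragments survive only as text.
function demo() {
  const markup = renderUserCard(untrustedUser);
  console.log(markup);
  // In a qooxdoo application (not executed here) the result is used as:
  //   label.setRich(true); label.setValue(markup);
  //   or: new qx.ui.embed.Html(markup);
  return markup;
}

demo();
```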
