I'm happy to announce a new document we just made available: Fixing XSS: a practical guide for developers. If you're currently at the RSA conference, you should come to Coverity's booth (#1759) and either get a hardcopy or a USB stick with this document on it.
As the title suggests, this document is a guide for developers on how to handle dynamic data in various locations and common constructs in HTML. We leveraged the data we got from our research for our talk at RSA to come up with some of the most common HTML contexts and nested contexts, and improved the Coverity Security Library to have a solution for all of these cases.
Looking at the documentation available for XSS, several things strikes us:
- It's often talking about how to exploit an XSS and not how to fix this issue
- The HTML contexts information is always lacking precision and often makes the documentation complex to read (we're also guilty of this in some previous blog posts)
- The fixes are limited or too restrictive (i.e., not applicable for developers)
That's mostly why we decided to create our own document mostly for developers.
The first release of this document contains 13 common HTML constructs, and we plan on adding more to it. We also describe what HTML contexts are and why it's important to think about them when outputting dynamic data in a web page. However, we're also thinking to create a collateral that gives more complete information about HTML contexts and why it matters for XSS.
In this document, you can expect to learn what happens when you want to add dynamic data in a HTML context such as HTML snippet inside a JavaScript string such as:
- <div id="forMyContent"></div>
- <script>
- var foo = "<h1>${cov:jsStringEscape(cov:htmlEscape(content))}</h1>";
- $("#forMyContent")
- .html(foo);
- </script>
and why you need to first use an HTML escaper, then a JavaScript string escaper.
You'll also see the usage of a newly introduce function asUrl from CSL that helps writing fully dynamic URLs inside an HTML attribute such as:
- <a href="${cov:htmlEscape(cov:asURL(content))}">
- Click me
- </a>
The current document uses the Java Expression Language (EL) notation to show the dynamic data (here ${content}), but all functions are also available directly from Java when using CSL.
Whether you develop web applications, have developers, or do security review, you should read and share this document. We're also happy to receive any feedback to keep improving this document.