blocking cross site scripting in application


Hi,

Is there any global configuration in LifeTime for not allowing cross site scripting in any application?

Or else, is there any other method while developing the application to restrict XSS in a form?

Solution

Hi Debasis,

Lifetime security settings are the following ones:

For XSS vulnerabilities please check the following document:

https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/How_OutSystems_Platform_helps_you_develop_secure_applications


And in particular:

Protecting OutSystems apps from code injection / Cross Site Scripting attacks


Cross Site Scripting (XSS) occurs when there is an attempt to send untrusted data into the web browser (renderer). There is not one way/setting to prevent this; this is something that your application must prevent all over.

Solution

OK, then how to prevent it in the form?

The last link Daniel pointed out shows some pretty useful tools for escaping any malicious content that is being sent. In most cases OutSystems escapes everything automatically.


Hi Debasis,

You just need to be sure that your application doesn't execute any code that is received in form attributes.


In other words, use the respective Encode function for the context you are writing into:

- Escape expressions in screens: use EncodeHTML() or EncodeJavaScript()
- Expand inline parameters in advanced queries: use EncodeSQL()
- Manually build URLs in redirects with dynamic URLs: use EncodeURL()


Using un-escaped expressions without encoding distrusted variables (e.g. user input) compromises end-user security by allowing HTML and JavaScript injection as well as cross-site scripting.

You should use this function when managing un-escaped expressions. For example, suppose you want to evaluate some HTML code in your screen and you need to use MyVar on that code. You have to create an expression, with an Escape Content property of No, with the following value:

"<input type=""hidden"" name = ""SomeName"" value = """ + EncodeHTML(MyVar) + """>"
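To make the "pick the encoder for the context" advice concrete, here is an added JavaScript example that is not part of the OutSystems post or platform. It implements small context-specific encoders (the names encodeHTML, encodeJavaScript and encodeURL are assumptions modelled on the OutSystems function names, not the platform's own code), renders the hidden-input expression above both with and without encoding on a constructed untrusted value, and shows why a value placed inside an inline script needs the JavaScript encoder rather than the HTML one:

```javascript
// Added example, not code from the OutSystems post or platform.
// Function names below are assumptions modelled on the OutSystems ones.

// HTML body/attribute context: neutralise the five characters that can open
// a tag, close a quoted attribute, or start an entity.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function encodeHTML(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: \uXXXX-escape everything that is not
// alphanumeric or a space, so the value can never end the literal or
// introduce markup such as a closing script tag.
function encodeJavaScript(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// URL query-component context: percent-encoding via the built-in routine.
function encodeURL(value) {
  return encodeURIComponent(String(value));
}

// The hidden-input expression from the post (Escape Content = No), first with
// the untrusted value dropped in raw, then with EncodeHTML-style encoding.
function unsafeHiddenInput(name, value) {
  return '<input type="hidden" name="' + name + '" value="' + value + '">';
}

function safeHiddenInput(name, value) {
  return '<input type="hidden" name="' + encodeHTML(name) +
         '" value="' + encodeHTML(value) + '">';
}

// Inline-script context: HTML entities are not decoded inside <script>, so
// encodeHTML would leave a literal &quot; while a raw quote would still end
// the string. The JavaScript encoder is the right tool here.
function scriptAssignment(varName, value) {
  return "var " + varName + ' = "' + encodeJavaScript(value) + '";';
}

// Defender's check: count tag openers in a rendered fragment. The template
// authors exactly one (<input>), so anything beyond that came from the data.
function countTagOpeners(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed untrusted input: it closes the value attribute and adds markup.
const UNTRUSTED = '"><b>injected</b>';

console.log(unsafeHiddenInput("SomeName", UNTRUSTED)); // three tag openers
console.log(safeHiddenInput("SomeName", UNTRUSTED));   // one tag opener
console.log(scriptAssignment("userName", 'x"; y = 1; //'));
console.log(encodeURL("a b&c=d"));
```

The point of countTagOpeners is only to make the difference visible in a test; in a real application the encoder at the output point is the control, not a post-hoc scan of the rendered page.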