Hi Everyone,
We are facing one issue. We have one form, and in that form I have 2 textboxes. The user is trying to save the data with the below content, and it is saving the data in the DB.
<script>doSomethingEvil();</script>
Is there any way to restrict this type of content on the user side? Is any component available or not?
Hi @Arkyadeep Bharadwaj
Refer to this documentation:
https://success.outsystems.com/support/security/how_the_outsystems_platform_helps_you_develop_secure_applications/protecting_outsystems_apps_from_code_injection_/_cross_site_scripting_attacks/
How to handle it when the user is going to enter data? If you have any sample OML, please share it with me.
@Arkyadeep Bharadwaj ,
why is this an issue?
I don't think storing a text string in an attribute is a problem.
Like with many things, it is what you do with it that counts.
Dorine
Our security team mentioned the below points:
During the assessment it was observed that in the “Department Name” input field, upon injecting the malicious JavaScript payloads, it gets saved on the server and executed. This can lead to unauthorized actions on the victim’s machine resulting in Stored Cross Site Scripting.
Stored Cross-Site Scripting (XSS) is prevented by encoding data before inserting it into the generated web page. Each character of the data is encoded, and the result string is then inserted onto the generated webpage. This technique of encoding values before inserting them on the web page is called "Output Encoding". Output Encoding libraries exist for most popular programming languages and frameworks. A web page has seven different output contexts, and each output context requires a different encoding scheme. Data must be encoded using the proper scheme. The seven different encoding schemes are:
• HTML Text Element
• HTML Attribute
• URL Parameter
• JavaScript Literal
• HTML Comment & CSS Property
• HTTP Header
For example, the characters: <, >, ", ' are encoded as &lt;, &gt;, &quot;, &#x27; for when those characters are inserted into an HTML Text Element. When those characters are inserted as a URL Parameter, the same characters are encoded as %3C, %3E, %22, %27.
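The security team's note above lists the output contexts but shows no encoder. The following is an added example in JavaScript, not code from the original thread or from OutSystems: one encoder for each of four of the contexts listed (HTML text, HTML attribute, URL parameter, JavaScript literal), applied to the exact value that was stored, with raw interpolation beside it for comparison. The `renderDepartment` helpers and the `<td>`/`<input>`/`<a>` template are assumptions made for the illustration; the HTML comment, CSS and HTTP header contexts are not covered.

```javascript
// Added example, not code from the original thread or from OutSystems:
// context-aware output encoding for the value the form stored.

// The exact value from the thread (constructed test input).
const STORED_PAYLOAD = '<script>doSomethingEvil();</script>';

// 1. HTML text element: the four characters named in the report plus '&',
//    which must be encoded so the encoded output cannot itself be re-decoded.
const HTML_TEXT_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtmlText(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_TEXT_MAP[c]);
}

// 2. HTML attribute value: encode every non-alphanumeric code point as a hex
//    entity, so the value cannot close the quotes or start a new attribute
//    even when the template forgot to quote the value.
function encodeHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// 3. URL parameter: percent-encoding. encodeURIComponent leaves !'()* alone,
//    so they are encoded explicitly to match the %3C/%3E/%22/%27 scheme above.
function encodeUrlParameter(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`);
}

// 4. JavaScript string literal: \uXXXX for every non-alphanumeric UTF-16 unit,
//    so a stored "</script>" cannot terminate an inline script block.
function encodeJsLiteral(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => `\\u${c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0')}`);
}

// Template fragment as a server or client renderer might build it. The
// <td>/<input>/<a> layout is an assumption for this example.
function renderDepartment(name) {
  return [
    `<td>${encodeHtmlText(name)}</td>`,
    `<input name="dept" value="${encodeHtmlAttribute(name)}">`,
    `<a href="/departments?name=${encodeUrlParameter(name)}">open</a>`,
  ].join('\n');
}

// The vulnerable shape for comparison: raw interpolation into HTML text.
function renderDepartmentUnsafe(name) {
  return `<td>${name}</td>`;
}

// Demo check: does a live <script> tag survive into the generated HTML?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderDepartmentUnsafe(STORED_PAYLOAD)); // <td><script>doSomethingEvil();</script></td>
console.log(renderDepartment(STORED_PAYLOAD));
console.log(`<script>var dept = '${encodeJsLiteral(STORED_PAYLOAD)}';</script>`);
```

Note the same stored string gets a different representation in each context; applying the HTML text encoder to a value that lands inside a URL or a script literal is the classic mistake that leaves stored XSS in place even though "encoding" was done.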
JavaScript does not get executed on the server ;)
Here is the documentation about avoiding HTML, JavaScript, SQL code injection.
https://success.outsystems.com/documentation/best_practices/security/injection_and_cross_site_script_xss/
OK, but how to restrict this type of content on the client side, meaning at the time of entering data?
Yes, agreed. I shared a document from OutSystems on how you can mitigate that.
Still my point stands, you wrote code gets saved and executed on the server, and that is incorrect.
Not sure. I am not able to understand your point. I have a form. When the user is going to enter this type of value in the textbox, can we restrict it? If we are not able to restrict it, then we are saving the whole content in the DB, and the security team has raised it as a security issue.
As per your link, how to incorporate this in the textbox field in the form?
Did you read the information shared to avoid JS and HTML code injection?
Did it not help you?
If you don't want the data to be stored at all, you need to build in validation client side and server side that makes sure that data is not accepted.
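To make the suggestion above concrete, here is an added example in JavaScript, not code from the original thread or from OutSystems: one allowlist validator for the "Department Name" field, called once in the browser before submit and again on the server before the record is written. The allowed character set, the 100-character limit and the in-memory `store` are assumptions made for the illustration. Validation limits what gets stored; it does not remove the need to output-encode the value when it is displayed.

```javascript
// Added example, not code from the original thread or from OutSystems:
// one allowlist validator for "Department Name", run on the client before
// submit and again on the server before the record is written.

// Assumed rules for this example: starts with a letter or digit, then up to
// 99 more letters, digits, spaces or the punctuation . , & ' ( ) -  (100 max).
const DEPARTMENT_NAME_PATTERN = /^[\p{L}\p{N}][\p{L}\p{N} .,&'()-]{0,99}$/u;

function validateDepartmentName(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const value = raw.normalize('NFC').trim(); // canonical form so look-alike sequences compare equally
  if (value === '') return { ok: false, reason: 'empty' };
  if (!DEPARTMENT_NAME_PATTERN.test(value)) {
    return { ok: false, reason: 'contains characters outside the allowed set, or longer than 100' };
  }
  return { ok: true, value };
}

// Client side: block the submit and show the reason. This is a convenience
// for the user only; anyone with an intercepting proxy can skip it.
function onSubmitClient(fieldValue) {
  const result = validateDepartmentName(fieldValue);
  return result.ok
    ? { submit: true }
    : { submit: false, message: `Department Name: ${result.reason}` };
}

// Server side: the same check again, before the write. `db` stands in for
// the real store (an array here, constructed for the example).
function saveDepartment(db, fieldValue) {
  const result = validateDepartmentName(fieldValue);
  if (!result.ok) return { saved: false, reason: result.reason };
  db.push(result.value);
  return { saved: true };
}

// Constructed submissions: two legitimate names and the payload from the thread.
const SUBMISSIONS = ['Finance', '  R&D ', '<script>doSomethingEvil();</script>'];
const store = [];
for (const s of SUBMISSIONS) {
  console.log(JSON.stringify(s), '->', JSON.stringify(saveDepartment(store, s)));
}
console.log('stored:', store); // stored: [ 'Finance', 'R&D' ]
```

The server-side call is the one that matters for the finding: the client check only improves the user experience, while the server check is what keeps the payload out of the database.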
Hi @Arkyadeep Bharadwaj , Did you find any solution on this.