Wednesday, 15 September 2010

security - Is it safe to employ output encoding against XSS on the client-side?

A common technique to prevent XSS attacks is to encode untrusted data before displaying it on an HTML page. Within a page there are different contexts the data can appear in, and every one of them requires a different encoding.

Encoding responses on the server side doesn't make sense, because at that layer we don't know where in the HTML page the data will appear.

So it is convenient, and more reasonable, to encode on the client side. The question is whether it's safe. On first impression it sounds unsafe, because an attacker can modify the client code (say, the JavaScript). But when you think about it, the modified code is only available in the attacker's own browser. Other visitors of the web site won't be affected by the changes.

Is it still safe, or am I missing something?

In theory, encoding client-side is no more unsafe than encoding server-side. The key to making it secure is how rigorous you are in putting suitable encoding in all the places that render data. You can create an implementation that renders user-submitted data safely on both the client and server sides. Practically, though, the drawback of implementing output encoding client-side is that a potential attacker can examine the source code for flaws. This means that if there are bugs in the client-side encoding implementation, they are easier to find than they would be on the server side (assuming a closed-source system). If you are developing open source software, the point is moot.

Also, as you said, an attacker modifying the client-side encoding code is a non-issue: they are modifying their own copy of the code, and it does not impact other visitors.

IMO it is cleaner to let the client handle encoding if you are developing an API shared by web and native mobile applications. You don't want the mobile application to have to convert HTML-encoded values back to their original form.
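As an added example (not code from the question or the answer above), the following client-side encoders show why each HTML context needs its own encoding: the same untrusted value is placed into body text, a URL parameter and a JavaScript string literal, each with the encoder for that context. The `renderProfileFragment` and `containsStrayTags` helpers and the `displayName` sample value are constructed for this illustration.

```javascript
// Added example: context-specific output encoders for untrusted data
// rendered on the client. Each context has its own break-out characters,
// so one encoder cannot serve all of them.

// HTML body text and quoted attribute values: entity-encode the characters
// that can end a text node or an attribute value.
function encodeForHtml(untrusted) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// JavaScript string literal inside a <script> block: hex-escape everything
// that is not alphanumeric, so neither a quote nor "</script>" can terminate
// the literal or the script element.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query parameter: percent-encoding from the standard library.
function encodeForUrlParam(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// Constructed helper: the same untrusted displayName goes into three
// contexts, each with the matching encoder.
function renderProfileFragment(displayName) {
  return [
    `<span class="name">${encodeForHtml(displayName)}</span>`,
    `<a href="/search?q=${encodeForUrlParam(displayName)}">search</a>`,
    `<script>var name = "${encodeForJsString(displayName)}";</script>`,
  ].join('\n');
}

// Constructed check: true if the fragment contains any tag other than the
// ones the template itself emits, i.e. the untrusted value smuggled markup in.
function containsStrayTags(fragment, allowedTags) {
  const tags = fragment.match(/<\/?[a-zA-Z][^\s>\/]*/g) || [];
  return tags.some((t) => !allowedTags.includes(t.toLowerCase()));
}
```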

security xss code-injection cross-site
