XSS Security Update

Follow

The content of this article is quite technical. If you don't understand the subject matter but are using HTML within your application, please contact our support team.

In order to enhance the level of security within the Connexys application in relation to Cross Site Scripting (XSS), measures have been taken to ensure that a text value does not contain any potential malicious attack on a user.

 

In order to prevent XSS attacks, the Connexys application has been updated to validate a value before it is outputted to the user. The value is checked for any code that may result in an XSS attack and if so, the code is removed. This code is in the form of HTML and/or Javascript.

 

To better understand this and the potential impact, the value is validated before it is displayed to the user. Should the value contain any Javascript code, the code will become invalidated. By invalidating the Javascript code, the code will not execute and a XSS attack will be prevented.

 

Should the value contain HTML code, the actual HTML code is validated. This is done by checking the various HTML tags along with their attributes. Within the validation logic in the Connexys application, there is a whitelist of allowed HTML tags and the various attributes that they support. This list is based on the has a on the safe list as defined by OWASP and their Cross Site Scripting Prevention Cheat Sheet. More information can be found here:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md#xss-prevention-rules-summary

 

At the end of this document is a whitelist of allowable HTML tags and their supported attributes within the Connexys application.

 

When a value is being validated and it contains a HTML tag that is not listed in the table above, the HTML tag will be encoded. By encoding the HTML tag, this means that the HTML tag will not render or execute and the user will simply see plain text. This ensures that a potential XSS attack within HTML code is not executed on the user.

 

If the HTML tag that is being validated is in the list of allowable HTML tags but contains an attribute that is not allowable, the attribute will be removed from the tag. The HTML tag will still render for the user.

 

The main areas where there is a potential impact and should be checked are the following:

  • Custom Labels and their translations
  • Formula fields that contain any HTML on records
  • Long Text Area fields that contain any HTML on records (NOTE: Rich Text Area fields are safe and do not need to be checked)
  • Header and Footers for Email Templates when viewed on the Email Template page (NOTE: there is a soft validation for these and it should not impact an email that is sent out by the application)
  • Questions in a Questionnaire
  • Privacy Statements that appear on application forms

 

While this is a big change that is coming in the new release of the Connexys application, further development work is being done to provide better validation and prevention of potential XSS attacks which will come in a future release.

 

ALLOWABLE HTML TAG

ALLOWABLE ATTRIBUTES

 a

 href, target

 b

 

 br

 

 div

 id, style

 em

 

 h1

 style

 h2

 style

 h3

 style

 h4

 style

 h5

 style

 h6

 style

 hr

 size, style

 i

 

 img

 src, style

 li

 

 link

 href, type

 meta

 name, content

 ol

 

 option

 selected

 p

 

 span

 id, style

  strike

 

 strong

 

 table

 style

 tbody

 style

 td

 style

 th

 style

 thead

 style

 tr

 style

 u

 

 ul

 

 

Along with the attributes that are listed, all tags listed in the table above are able to support the following attributes:

align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width



Have more questions? Submit a request

Comments

Powered by Zendesk