XSS

[bentoo]

How can we add XSS (Cross Site Scripting) prevention to this library?

[gimmi]

Sorry I'm a little ignorant about the topic.

What part/feature of the library you think can be subject to XSS vulnerability?

[bentoo]

The server side is responsible for validating the request to prevent XSS.

Example library that supports validating the request:

http://wpl.codeplex.com/

Here is an example of XSS:

If a web application uses your library, an end user can submit <script>alert('hi');</script>

In ASP.NET Form submission, if you submitted <script>alert('hi')</script>, you get an Error "Possible script detected"

Using your library currently, this doesn't happen.

[bentoo]

I cannot even include the example script injection attacks into this post because Github strips possible scripts from the html submission.

This is what should be done with your library as well.

I'm working on adding that to my project which uses your library.

[gimmi]

All the messages in ExtDirectHandler are JSON encoded, and ExtDirectHandler never try to encode/decode JSON by itself but rely instead on JSON.NET library.

I suppose that the only way to "push" javascript code on the client page is to exploit a bug in JSON.NET.

PS: JSON.NET library has not been updated for a while, i can update it to the latest version if they maintained backward compatibility.

[bentoo]

I don't think simply JSON encoding the request is sufficient. You need to also scrub the request on the server side.

[bentoo]

You need to scrub the request after it has been decoded on the server side.