Hacker News new | past | comments | ask | show | jobs | submit login

Yep. XSS isn’t at all hard to prevent if you’re using tools that are safe by default. Unfortunately, popular ones like jQuery aren’t. (This, more than any other, is a reason to prefer the DOM API.)



I'm not sure the DOM API is safer. innerHtml vs html()


If you're assigning untrusted text to a property called `innerHTML`, you shouldn't be surprised to learn that you're vulnerable to XSS.

APIs like jQuery are worse because you end up treating strings as HTML without even realizing it. Example from the article:

  $("#tail-here").prepend(newlines);
There's no hint on that line that the `newlines` variable is interpreted as HTML instead of text.


Pfft. Straight from the documentation of the method:

  content
  Type: >>htmlString<< or Element or Array or jQuery
You could argue that the API is bad for allowing HTML strings as arguments, but it's not really surprising that a function does what it is documented to do. Especially since these are DOM manipulation, not string manipulation functions.


> You could argue that the API is bad for allowing HTML strings as arguments

That is exactly what I’m arguing, yes.

> but it's not really surprising that a function does what it is documented to do

It doesn’t have to be surprising or undocumented to be stupid.


  > You could argue that the API is bad for allowing HTML strings as arguments
  That is exactly what I’m arguing, yes.
And how native DOM helps there?


There are relatively few DOM APIs which take a trusted string. innerHTML and outerHTML are two and clearly state that they take HTML so it's no surprise for the stuff you give them to be interpreted thus. But if you use e.g. textContent or createTextNode to insert text into your document, they will correctly sanitise it.

jQuery has text()[0], but because most of its API takes strings to start with, it's very convenient to do the wrong thing and shove untrusted strings into unsafe methods.

[0] http://api.jquery.com/text/#text2


yes, API takes strings, but it calls native DOM at the end anyway, so I still don't get what's your point.


> yes, API takes strings, but it calls native DOM at the end anyway

jQuery calls unsafe API which should only be handled trusted strings but makes it easy and convenient to give them untrusted string and thus introduce exploit vectors.

Furthermore it's also significantly more difficult to audit the code, using the regular DOM there are only a pair of attributes to check, whereas pretty much any jQuery method call is a potential security hole.

tldr: jQuery makes doing things wrong very easy, much easier than doing things right.


Everything in jQuery is DOM manipulation. (Well, except for the little extra parts that aren't like $.ajax.) Tons of websites' code is primarily just jQuery calls because DOM manipulation is what makes things happen on the web.

The only native DOM API calls that can get you an XSS vulnerability are sets to `innerHTML`, `outerHTML`, and maybe some few others. Most of the methods for getting things done don't have any possibility of introducing an XSS issue. With jQuery, many methods including every method capable of inserting elements is also capable of introducing an XSS issue depending on the types passed to them. So you when you're reviewing for XSS issues, you have many more places to check, and analyzing the calls to jQuery methods to see if they have the potential for XSS is much more difficult because you have to trace the path backwards from every single call to see what types are set into the variables passed to the methods.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: