Upload File

philosophy · philosophy - allow all input - encode all output do not filter or encode input that...

  • Home
  • Documents
  • Philosophy · Philosophy - Allow all input - Encode all output Do not filter or encode input that gets stored but always protect the user on output. - Encode at the very end Encode
3
© 2016 Adobe Systems, Incorporated. Adobe Confidential. CQ/GRANITE ENGINEERING XSS Cheat Sheet Philosophy - Allow all input - Encode all output Do not filter or encode input that gets stored but always protect the user on output. - Encode at the very end Encode the output-statement itself not intermediate values, so it is always obvious that an output statement is not dangerous, and you know you are encoding for the right context. - Don’t think too much Encode the content no matter where it is coming from. Your code might be copied or included, and the ACLs on the property might change. - Never do it yourself Never write the encoding/filtering methods yourself. XSS encoding is very difficult and error prone. If something is missing in the library, please file a bug. - Prefer a validator to an encoder Some situations, such as href and src attributes, MUST use a validator HTL automatically filters and escapes all variables being output to the presentation layer to prevent cross-site-scripting (XSS) vulnerabilities. https://docs.adobe.com/docs/en/htl/docs/expression-language.html#Display%20Context

Upload: others

Post on 30-Jan-2021

8 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • © 2016 Adobe Systems, Incorporated. Adobe Confidential.

    CQ/GRANITE ENGINEERINGXSS Cheat Sheet

    Philosophy- Allow all input - Encode all output Do not filter or encode input that gets stored but always protect the user on output.

    - Encode at the very end Encode the output-statement itself not intermediate values, so it is always obvious that an output

    statement is not dangerous, and you know you are encoding for the right context.

    - Don’t think too much Encode the content no matter where it is coming from. Your code might be copied or included, and the

    ACLs on the property might change.

    - Never do it yourself Never write the encoding/filtering methods yourself. XSS encoding is very difficult and error prone. If

    something is missing in the library, please file a bug.

    - Prefer a validator to an encoder Some situations, such as href and src attributes, MUST use a validator

    HTL automatically filters and escapes all variables being output to the presentation layer to prevent cross-site-scripting (XSS) vulnerabilities.

    https://docs.adobe.com/docs/en/htl/docs/expression-language.html#Display%20Context

  • How to get the XSSAPI Service?

    import org.apache.sling.xss.XSSAPI; public class MyClass { private void myFunction(ResourceResolver resourceResolver) { XSSAPI xssAPI = resourceResolver.adaptTo(XSSAPI.Class); } }

    Java component

    Java

    JSP

    import org.apache.sling.xss.XSSAPI;@Referenceprivate XSSAPI xssAPI;

    // Filter a string using the AntiSamy library to allow certain tagspublic String filterHTML(String source);

    // Use one of these to get an XSSAPI suitable for validating URLspublic XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request); public XSSAPI getResourceResolverSpecificAPI(ResourceResolver resolver);

    Filters

    JCR based URL mapping

    // Encode string to use inside an HTML tagpublic String encodeForHTML(String source); // Encode string to use inside an HTML attributepublic String encodeForHTMLAttr(String source); // Encode string to use inside an XML tagpublic String encodeForXML(String source); // Encode string to use inside an XML attributepublic String encodeForXMLAttr(String source); // Encode string to use as a JavaScript stringpublic String encodeForJSString(String source);

    // Encode string to use as a CSS stringpublic String encodeForCSSString(String source);

    Encoders (excerpt)

    // Get a valid dimension (e.g. an image width parameter)public String getValidDimension(String dimension, String defaultValue); // Get a valid URL (Needs request-/resourceresolver specific API, see below)public String getValidHref(String url); // Get a valid integer from a stringpublic Integer getValidInteger(String integer, int defaultValue); // Get a valid long from a stringpublic Long getValidLong(String long, long defaultValue); // Validate a Javascript token. // The value must be either a single identifier, a literal number, or a literal string.public String getValidJSToken(String token, String defaultValue);

    Validators (excerpt)

    XSSAPI: Methods

    © 2016 Adobe Systems, Incorporated. Adobe Confidential.

    Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).

    TaglibTaglib

  • HTLHTL

    © 2016 Adobe Systems, Incorporated. Adobe Confidential.

    HTL automatically filters and escapes all variables being output to the presentation layer to prevent cross-site-scripting (XSS) vulnerabilities, by detecting the correct escaping context depending on the current HTML node and / or attribute.

    For more details check the available display contexts from :https://github.com/Adobe-Marketing-Cloud/sightly-spec/blob/master/SPECIFICATION.md#121-display-context.

    Exceptions

    1. Output generated in and tags require an explicit context, since by default HTL will not add one and will instead output emptystrings.2. The style and the HTML Event attributes [1] also require an explicit context.

    [1] - https://www.w3.org/TR/html5/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects

    ExamplesExample API usages for the most common contexts

    click me alert(‘’);

    Some exploit strings for testing

    HTML attributes

    Node namest

    JSON Attributes

    HTML tags

    “>alert(23);

    “>

    alert(23);

    See also: OWASP XSS Filter Evasion Cheat Sheet

    “};alert(23);a={“a”:


php url encode

Proposal to encode four historic Latin letters for Sakha ... · PDF fileProposal to encode four historic Latin letters for Sakha ... Proposal to encode four historic Latin letters

ENCODE and Epigenomics Roadmap Workshop...Introduction, Overview of ENCODE and Roadmap Epigenomics data Author: J. Michael Cherry and Eurie L. Hong Subject: ENCODE/Roadmap Epigenomics

Perspectives on ENCODE10.1038... · Supplementary Information Perspectives on ENCODE ENCODE Perspective authors The ENCODE Project Consortium#, 4Michael P. Snyder1,2, Thomas R. Gingeras3,

ENCODE ANALYSIS PIPELINES - Genome.gov · Workshop Goals J. Seth Strattan, PhD ENCODE DCC 3 • Introduce the ENCODE Analysis Pipelines. • Run the transcription factor ChIP-seq

Anatomia tipográfica - Encode sans

Scientists Encode First Women Genome

Encode Engage

Philosophy · XSS Cheat Sheet Philosophy - Allow all input - Encode all output Do not filter or encode input that gets stored but always protect the user on output. - Encode at the

Carlyn Cpa Encode

ENCODE Ensembl Workbook - genome.gov

Decoding ENCODE

ENCODE ANALYSIS PIPELINES - Genome · Workshop Goals J. Seth Strattan, PhD ENCODE DCC 3 • Introduce the ENCODE Analysis Pipelines. • Run the transcription factor ChIP-seq pipeline

ENCODE Pseudogene Call Summary

Encode variation analysis. Analysis goals Quantify genetic variation in ENCODE regions Detect selective constraint in ENCODE features Develop rules for

Huong Dan Encode Bang Xvid4psp

Proposal to Encode the Khojki Script in ISO/IEC 10646ismaili.net/heritage/files/khojki-unicode.pdf · Proposal to Encode the Khojki Script in ISO ... Proposal to Encode the Khojki

Contents Donations Table of contents Introductionoutwardtruth.com/pdf/AutoGK_tool for XviD _ DivX conversion.pdf · If you want to encode multiple input files into one resulting AVI

Interestingness, Attention, Curiosity, Creativity, Art, …people.idsia.ch/~juergen/driven2009.pdfto encode the lifelong sensory input stream with a rate of roughly 105 bits/s, comparable

Encode RNA Dashboard

how to encode

3.0 kV RMS/3.75 kV RMS Quad Digital Isolators.../ADuM140E Functional Block Diagram DECODE ENCODE ENCODE DECODE ENCODE DECODE ENCODE DECODE V DD1 GND 1 V IA V IB V IC V OD DISABLE 1

ENCODE enhancers

Cookbook Encode

Encode Drogas 2014

Quick Encode Installation Guide

The ENCODE Project

encode project

Decode ENCODE

Using ENCODE Data To Interpret Disease-associated ...Using ENCODE Data To Interpret Disease-associated Gene8c Variaon Mike Pazin Naonal Human Genome Research Ins8tute, NIH ENCODE Users

ENCODE ANALYSIS PIPELINES - National Human … Goals J. Seth Strattan, PhD ENCODE DCC 3 • Introduce the ENCODE Analysis Pipelines. • Run the transcription factor ChIP-seq pipeline

Encode Sequence

Should We Encode Rain Streaks in Video as Deterministic or ...openaccess.thecvf.com/content_ICCV_2017/...Encode...Should We Encode Rain Streaks in Video as Deterministic or Stochastic?

Large scale computational motif finding · ENCODE project: GENCODE consensus human gene set GENCODE [ENCODE] Transcription Tom Gingeras/ENCODE Structural Biology EU Biosapiens Nomenclature

3. NEURAL NETWORK MODELS 3.1 Early Approaches · The activity states of all input channels thus encode the input information as ... denotes the excitation of the neuron and >0 is