XSS in Javascript when sending encrypted data to server
Question
What is the best way of input sanitisation in Javascript when dealing with encrypted data? Lets say Bob enters the malicius code in the form instead of the regular message, my JS enrypts it with RSA and sends to server where the message waits for Alice to retrieve it. After decryption on Alice computer the malicious code steals some important secret from LocalStorage for example.
Am I right the only way is to check if the message contains some bad code right after decryption? Maybe allow only alphanumeric charachters with some other basic ones to be allowed and when decrypted message contains anything else just stop script from running and erase the msg from memory?
1 answers
solution1
0 ACCPTED 2015-01-09 18:16:25
I think the best solution here is not to sanitize Bob's input, but sanitize it before displaying to Alice . Thus even if there is some malicious code entered by Bob, it will never get executed before displaying.
So, just do something like this:
- Bob enters malicious message and encrypts it via RSA.
- Message is sent to server
- Alice retrieves her message, decodes it and performs message sanitizing before displaying . Even simple replacement of quotes (
"and') and brackets (<and>) with appropriate HTML entities (",<etc) by JavaScript before displaying the decrypted message is enough to keep Alice safe from XSS.
Thus the code will not steal anything from Alice.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.