JJJ

Reputation: 2909

Ember Data Model attribute sanitization/escaping to prevent XSS?

How can I perform sanitization on string attributes to prevent XSS? Right now my thoughts are to override my base model's save method and iterate over all the strings in the model and set all the string inputs to safe strings. Would this be a good way to approach this problem or is there a better way?

EDIT:

The problem occurs when saving a name attribute ( alert('xss')) for a person in the app. It is saved in a non-sanitized manner into the database. Then that name is loaded in our other site, which does not sanitize the output, and that's where the script injection occurs! I'd like to sanitize it before saving it to the DB.

Upvotes: 1

Views: 1677

Answers (2)

Leeft

Reputation: 3837

Rather than trying to sanitise the input, you really ought to change that other site to make sure it html-escapes the data it is presenting from the database. Even if you would "sanitise" things on the Ember side, can you guarantee there are no other vulnerabilities which allow someone to inject HTML in the database?

Always escaping anything being presented is really the only safe way to deal with XSS. If you're filtering input you are very likely to not catch every possible way of injecting unexpected input.

Upvotes: 1

Steve H.

Reputation: 6947

Handlebars automatically sanitizes strings. If you want to avoid this, you must explicitly use the triple-brace syntax:

{{{myHtmlString}}}

Upvotes: 1
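A way to see both answers above in action, as an added example that is not part of either post: a small JavaScript escape function using the same character set Handlebars escapes inside {{ }}, applied at render time, next to what the raw {{{ }}} path produces, and a check of why escaping at save time (the question's proposal) double-escapes later. The record, function names and the rendering helper are constructed for the demo.

```javascript
// Escape map matching the characters Handlebars escapes in {{expr}}.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Escape a value for insertion into HTML text or a quoted attribute value.
// This is output encoding: the stored data is left untouched.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Stand-in for a template rendering a person's name.
// raw=false behaves like {{name}} (escaped); raw=true like {{{name}}} (unescaped).
function renderName(person, { raw = false } = {}) {
  const name = raw ? person.name : escapeHtml(person.name);
  return `<span class="name">${name}</span>`;
}

// Constructed sample row, standing in for the unsanitized name the other site loads.
const STORED_PERSON = { name: "<script>alert('xss')</script>" };

// Demonstrates the caveat with escaping on save: if the consuming site also
// escapes on output (as it should), the value is escaped twice and displays
// literally as "&lt;script&gt;..." instead of "<script>...".
function doubleEscapes(value) {
  return escapeHtml(escapeHtml(value)) !== escapeHtml(value);
}

// Run stand-alone to compare the two rendering paths.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('escaped :', renderName(STORED_PERSON));
  console.log('raw     :', renderName(STORED_PERSON, { raw: true }));
  console.log('escape-at-save double-escapes later:', doubleEscapes(STORED_PERSON.name));
}
```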
