MattjeS

Reputation: 1397

Is CSRF possible in Aurelia if XSS attacks are mitigated?

I've heard that this is insecure as the token can be retrieved through an XSS attack. There is only one input on the website where a user can add comments. However, I'm binding the comment value using string interpolation, e.g.:

${commentText}

My understanding is that it is impossible to inject HTML into a binding like this.

Is there an XSS attack possible with an Aurelia site if no HTML bindings are used? And if not, am I therefore protected from CSRF attacks if the token is inaccessible?

The only examples I've seen online are ones where a user can inject HTML (through some form of input) into a page in an XSS attack, revealing the token to the attacker. I haven't been able to replicate that with the string interpolation binding.

Upvotes: 1

Views: 526

Answers (1)

Ashley Grant

Reputation: 10887

This isn't a full answer to your question, but Aurelia does HTML escape any text that is interpolated into a template, like with ${commentText}.

The only exception to this rule is when you use the innerhtml binding like this: <div innerhtml.bind="htmlText"></div>. In that case we don't do any sanitization of the text being sent as HTML. That's up to you.

Upvotes: 1
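Added example (not from the question or the answer, and not Aurelia's own code) modelling the two binding modes the answer describes: `interpolate` has the effect of `${commentText}` (the value is HTML-escaped, so markup in a comment shows up as literal text), and `sanitizeForInnerHtml` is one way to do the sanitization the answer leaves to you before feeding a value to `innerhtml.bind`, by rebuilding the markup from an allowlist. The allowlist, function names and sample comment strings are constructed for this illustration.

```javascript
// Added illustration; the function names and the allowlist are assumptions,
// not Aurelia's API.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for safe insertion into an HTML text node or quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Effect of the `${commentText}` interpolation: markup becomes literal text,
// so a comment cannot add elements or scripts to the page.
function interpolate(commentText) {
  return escapeHtml(commentText);
}

// Allowlist for innerhtml content: tag name -> attributes permitted on it.
const ALLOWED = { b: [], i: [], em: [], strong: [], a: ["href"] };

// Rebuild markup from the allowlist so nothing unexpected survives:
// text between tags is escaped, unknown tags are dropped (their text is kept
// as escaped text), only allowlisted attributes are re-emitted (so on*,
// style, etc. disappear), and href must be an http(s) URL.
function sanitizeForInnerHtml(html) {
  const TAG = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "", last = 0, m;
  while ((m = TAG.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text before this tag
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    if (!(name in ALLOWED)) continue;                 // drop the tag itself
    if (m[0].startsWith("</")) { out += `</${name}>`; continue; }
    let attrs = "", a;
    while ((a = ATTR.exec(m[2])) !== null) {
      const key = a[1].toLowerCase(), val = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED[name].includes(key)) continue;     // e.g. onclick, style
      if (key === "href" && !/^https?:\/\//i.test(val.trim())) continue;
      attrs += ` ${key}="${escapeHtml(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last));            // trailing text
}
```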
