maya-chen/flask
1
0
Fork 0
forked from orbit-oss/flask
Code Pull requests Activity

Merge pull request #2364 from davidism/xss-note

Browse source 
mention csp for javascript: uri xss
This commit is contained in:
David Lord 2017-06-06 09:22:49 -07:00 committed by GitHub
commit 9d82993422
1 changed files with 17 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

21
docs/security.rst
View file

@ -38,7 +38,7 @@ either double or single quotes when using Jinja expressions in them:
.. sourcecode:: html+jinja .. sourcecode:: html+jinja
<a href="{{ href }}">the text</a> <input value="{{ value }}">
Why is this necessary? Because if you would not be doing that, an Why is this necessary? Because if you would not be doing that, an
attacker could easily inject custom JavaScript handlers. For example an attacker could easily inject custom JavaScript handlers. For example an
@ -46,15 +46,26 @@ attacker could inject this piece of HTML+JavaScript:
.. sourcecode:: html .. sourcecode:: html
onmouseover=alert(document.cookie) onmouseover=alert(document.cookie)
When the user would then move with the mouse over the link, the cookie When the user would then move with the mouse over the input, the cookie
would be presented to the user in an alert window. But instead of showing would be presented to the user in an alert window. But instead of showing
the cookie to the user, a good attacker might also execute any other the cookie to the user, a good attacker might also execute any other
JavaScript code. In combination with CSS injections the attacker might JavaScript code. In combination with CSS injections the attacker might
even make the element fill out the entire page so that the user would even make the element fill out the entire page so that the user would
just have to have the mouse anywhere on the page to trigger the attack. just have to have the mouse anywhere on the page to trigger the attack.
There is one class of XSS issues that Jinja's escaping does not protect
against. The ``a`` tag's ``href`` attribute can contain a `javascript:` URI,
which the browser will execute when clicked if not secured properly.
.. sourcecode:: html
<a href="{{ value }}">click here</a>
<a href="javascript:alert('unsafe');">click here</a>
To prevent this, you'll need to set the :ref:`security-csp` response header.
Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF)
--------------------------------- ---------------------------------
@ -125,6 +136,8 @@ man-in-the-middle (MITM) attacks. ::
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
.. _security-csp:
Content Security Policy (CSP) Content Security Policy (CSP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -132,7 +145,7 @@ Tell the browser where it can load various types of resource from. This header
should be used whenever possible, but requires some work to define the correct should be used whenever possible, but requires some work to define the correct
policy for your site. A very strict policy would be:: policy for your site. A very strict policy would be::
response.headers['Content-Security-Policy'] = "default-src: 'self'" response.headers['Content-Security-Policy'] = "default-src 'self'"
- https://csp.withgoogle.com/docs/index.html - https://csp.withgoogle.com/docs/index.html
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy