From nathaliecoupet@yahoo.com Wed Jun 8 21:39:55 2016
From: nathalie coupet
To: gnso-rds-pdp-wg@icann.org
Subject: [gnso-rds-pdp-wg] Additional JSON Flaws
Date: Wed, 08 Jun 2016 21:39:32 +0000
Message-ID: <1777124813.667701.1465421973064.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1777124813.667701.1465421973064.JavaMail.yahoo.ref@mail.yahoo.com>

The following is a JavaScript security flaw:

";

The browser ignores the fact that the

If you have the line above anywhere in your code, and @users includes some user submitted data, your application is vulnerable to a XSS attack. [SM-D01-R01] If you're using Rails, thwart this vulnerability by setting ActiveSupport.escape_html_entities_in_json to true. The default is false.

A JavaScript Security Flaw • Alex MacCaw
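The flaw the forwarded excerpt describes, as an added example that is not part of the post or of Alex MacCaw's article: plain Ruby with no Rails, where the hand-written html_safe_json helper stands in for what ActiveSupport.escape_html_entities_in_json = true does to to_json output, and the USERS data and the @users-style script block are constructed for the example.

```ruby
require 'json'

# Constructed sample: the second "user" carries a name that tries to close the
# surrounding <script> element.
USERS = [
  { 'name' => 'alice' },
  { 'name' => '</script><script>alert(1)</script>' }
].freeze

# Naive embedding of @users into a page: JSON.generate leaves "</script>"
# intact, so the HTML tokenizer ends the script block early, regardless of
# the fact that the text sits inside a JavaScript string literal.
def naive_script_block(users)
  "<script>\n  var users = #{JSON.generate(users)};\n</script>"
end

# Escape the characters that matter to the HTML parser as JSON \u escapes.
# The JSON stays valid and decodes to the same strings, but the tokenizer no
# longer sees "</script>". U+2028/U+2029 are escaped too: they are legal in
# JSON strings but terminate a JavaScript source line.
HTML_SAFE_JSON = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| HTML_SAFE_JSON[c] }
end

# Hardened embedding: same template, escaped payload.
def safe_script_block(users)
  "<script>\n  var users = #{html_safe_json(users)};\n</script>"
end

# Detection helper for templates or rendered pages: more than one "</script>"
# in a block that should contain exactly one means the payload broke out.
def script_breakout?(html)
  html.scan(%r{</script>}i).length > 1
end
```

JSON.parse of the escaped output returns the original user data unchanged, which is why this escaping is safe to apply to every JSON blob that is rendered into a script element.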