
Any time it is possible for the data that returns to be interpolated by the client, you could have XSS or a related attack.

Client-side rendering does help, but mistakes are still regularly made. Sometimes by the app dev, sometimes by the framework dev.

You could probably go to an extreme and return all of your application data as sprites.



Of course you can still do <div> + input + </div> in CSR, but you definitely cannot do myelement.textContent = whateverIGot in SSR, right?


You can use a template engine that escapes all variables by default. In either case, it's just about coding defensively and being secure by default.


Then why is a parameterized query safer? And not just escaping variables? Escaping is hard, as shown in the article.


Generating HTML using find and replace/regex safely is hard. Escaping is easy. And the solution is to just not generate HTML using find and replace. You'll run into the exact same problem trying to do a BBCode/Markdown/whatever parser using JavaScript.
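The contrast the last few comments draw, between "escape everything by default" and "generate HTML with find and replace", as an added example that is not code posted by anyone in the thread. It shows two ways a find-and-replace renderer goes wrong (an escaper that only strips tags, used inside an attribute, and a substituted value being re-scanned as template syntax) next to a small tokenising renderer that escapes every value unless it is explicitly marked as trusted. The template, the `SafeHtml` wrapper and the attacker strings are all constructed for this example.

```javascript
// Added example for the thread above; not code posted by any commenter.
// Contrasts regex/find-and-replace HTML generation with a renderer that
// escapes every value by default. All inputs below are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escaper for HTML text content and double-quoted attribute values. Doing
// it in one pass (with '&' in the set) avoids the double-escaping you get
// from chaining replace() calls in the wrong order.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A "good enough" escaper that only neutralises tags. Adequate for a text
// node, useless inside an attribute: the context mismatch behind many XSS bugs.
function escapeTagsOnly(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Find-and-replace rendering: substitute placeholders one variable at a time.
// Each pass re-scans the whole output, so a value that contains a placeholder
// for a later variable is expanded as if it were template text.
function renderFindReplace(template, vars, escaper) {
  let out = template;
  for (const [name, value] of Object.entries(vars)) {
    out = out.split('{{' + name + '}}').join(escaper(value));
  }
  return out;
}

// Explicit opt-out wrapper (hypothetical): the only way raw markup gets
// through renderEscaping, so every unescaped insertion is visible in review.
class SafeHtml {
  constructor(html) { this.html = html; }
}

// Escape-by-default rendering: tokenise the template once, so substituted
// values are never re-scanned, and escape everything that is not SafeHtml.
function renderEscaping(template, vars) {
  const pieces = template.split(/(\{\{\s*\w+\s*\}\})/);
  return pieces.map((piece) => {
    const m = /^\{\{\s*(\w+)\s*\}\}$/.exec(piece);
    if (!m) return piece;                       // author-written template text
    if (!Object.prototype.hasOwnProperty.call(vars, m[1])) {
      throw new Error('unknown template variable: ' + m[1]);
    }
    const value = vars[m[1]];
    return value instanceof SafeHtml ? value.html : escapeHtml(value);
  }).join('');
}

// Constructed sample template and attacker-controlled values.
const TEMPLATE = '<a title="{{name}}">{{name}}</a><p>{{bio}}</p>';
const ATTR_BREAKOUT = '" onmouseover="alert(1)';   // closes the title attribute
const TEMPLATE_INJECTION = '{{bio}}';              // looks like a placeholder

function demo() {
  return {
    // 1. Wrong escaper for the context: the quote survives, so the attacker's
    //    text becomes a real event-handler attribute.
    tagsOnlyInAttribute: renderFindReplace(TEMPLATE, { name: ATTR_BREAKOUT, bio: 'hi' }, escapeTagsOnly),
    // 2. Full escaper, same find-and-replace engine: the quote is neutralised.
    fullEscapeInAttribute: renderFindReplace(TEMPLATE, { name: ATTR_BREAKOUT, bio: 'hi' }, escapeHtml),
    // 3. Re-scanning: the escaped value still reads as template syntax and is
    //    expanded on the next pass, because '{{' is not HTML-significant.
    reExpanded: renderFindReplace(TEMPLATE, { name: TEMPLATE_INJECTION, bio: 'private' }, escapeHtml),
    // 4. Tokenising renderer: the same value is rendered literally.
    literal: renderEscaping(TEMPLATE, { name: TEMPLATE_INJECTION, bio: 'private' }),
    // 5. Trusted markup has to be marked explicitly; everything else is escaped.
    optOut: renderEscaping('<p>{{bio}}</p>', { bio: new SafeHtml('<b>bold</b>') }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of cases 1 and 3 is the one made above: escaping a value is easy, but where and when you apply it is what a find-and-replace pipeline gets wrong, so the fix is to stop treating the output as a string to search again.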



