Question about cross site scripting

moose1011 · May 20th, 2011, 08:42 PM

Are there any specific cautions I should take when dealing with apps built with Strophe? For example, when appending new chat messages to a page, I would have a function like this using jquery's text():

Code:

displayMessage: function (nick, message) {
	var msg = $('<div><span class="nick"></span><span class="message"></span></div>'); 
	msg.find('.nick').text(nick);
	msg.find('.message').text(message);
        $("#display").append(msg);
}

That's probably the most basic thing I can do for any kind of incoming presence/message I'll be displaying on the page (I think). I might have objects on the page that might represent a Member, and someone may pass an entire function into this object since it will probably look at presence stanzas for information like status, etc. It seems like there's a lot of places where holes will need to be plugged. Just curious if there are more specific things I should be concerned about when dealing with xmpp apps, aside from the general xss prevention tactics that I can go research elsewhere.

Should the xmpp server be assisting me with this? Thanks.

metajack · June 5th, 2011, 11:17 PM

If you add it using text, I think it's probably safe from things that would otherwise need tag sanitation. In generally you know that if it comes over XMPP it must be well formed XML, but I'm not sure that any servers will enforce the tag subset that XHTML-IM defines. You might want to sanitize those yourself just to be safe.