Wrox Programmer Forums
BOOK: Professional XMPP Programming with JavaScript and jQuery
This is the forum to discuss the Wrox book Professional XMPP Programming with JavaScript and jQuery by Jack Moffitt; ISBN: 978-0-470-54071-8
You are currently viewing the BOOK: Professional XMPP Programming with JavaScript and jQuery section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
May 20th, 2011, 08:42 PM
moose1011, Registered User (Join Date: May 2011; Posts: 1)

Question about cross site scripting

Are there any specific cautions I should take when dealing with apps built with Strophe? For example, when appending new chat messages to a page, I would have a function like this using jQuery's text():

Code:
displayMessage: function (nick, message) {
    // Build the markup from a fixed template; no user-controlled data goes into the HTML string.
    var msg = $('<div><span class="nick"></span><span class="message"></span></div>');
    // .text() sets the text content, so any markup inside nick or message is shown literally, not parsed.
    msg.find('.nick').text(nick);
    msg.find('.message').text(message);
    $("#display").append(msg);
}
That's probably the most basic thing I can do for any kind of incoming presence/message I'll be displaying on the page (I think). I might have objects on the page that might represent a Member, and someone may pass an entire function into this object since it will probably look at presence stanzas for information like status, etc. It seems like there are a lot of places where holes will need to be plugged. Just curious if there are more specific things I should be concerned about when dealing with XMPP apps, aside from the general XSS prevention tactics that I can go research elsewhere.

Should the XMPP server be assisting me with this? Thanks.

Last edited by moose1011; May 20th, 2011 at 08:54 PM.
 
June 5th, 2011, 11:17 PM
Wrox Author (Join Date: Jan 2010; Posts: 178)

If you add it using text(), I think it's probably safe from things that would otherwise need tag sanitation. In general you know that if it comes over XMPP it must be well-formed XML, but I'm not sure that any servers will enforce the tag subset that XHTML-IM defines. You might want to sanitize those yourself just to be safe.
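Following up on the reply above, here is an added example (not code from the book or from either poster) of the sanitizing the reply recommends: an allowlist filter for XHTML-IM message bodies. It reads only the standard DOM properties (nodeType, localName, attributes, childNodes, nodeValue), so in a Strophe message handler you would pass it the <body xmlns="http://www.w3.org/1999/xhtml"> element found under the stanza's <html xmlns="http://jabber.org/protocol/xhtml-im"> child. The tag set follows the XEP-0071 recommended profile; the el/text node constructors and the hostile sample body are constructed here so the example runs outside a browser, and the choices to drop the style attribute and to keep only absolute http(s), mailto, xmpp and cid URLs are this example's, not the XEP's.

```javascript
// Added example: allowlist sanitizer for XHTML-IM (XEP-0071) bodies.
// Works on real DOM Elements in the browser; the node stand-ins at the
// bottom exist only so the constructed sample runs under Node.

const XHTML_NS = 'http://www.w3.org/1999/xhtml';

// Tags and per-tag attributes from the XEP-0071 recommended profile.
// The 'style' attribute the profile permits is dropped rather than parsed
// (this example's choice: CSS filtering is a separate problem).
const ALLOWED = {
  a: ['href'], blockquote: [], br: [], cite: [], em: [],
  img: ['src', 'alt', 'width', 'height'], li: [], ol: [], p: [],
  span: [], strong: [], ul: [],
};

// Tags whose whole subtree is discarded; their text was never meant to render.
const DROP_SUBTREE = new Set(['script', 'style', 'iframe', 'object', 'embed']);

// Only absolute URLs with these schemes survive, so 'javascript:' and 'data:'
// never do. Control characters and whitespace are stripped first because
// browsers ignore them when recognising a scheme ("java\nscript:").
const URL_SCHEMES = { href: /^(https?|mailto|xmpp):/i, src: /^(https?|cid):/i };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Returns the cleaned URL, or null when it must be dropped.
function safeUrl(attrName, value) {
  const cleaned = String(value).replace(/[\u0000-\u0020\u007f]/g, '');
  return URL_SCHEMES[attrName].test(cleaned) ? cleaned : null;
}

// Returns an HTML string containing only allowlisted markup. Every text node
// and attribute value is escaped, so the result is safe for jQuery's .append().
function sanitizeXhtmlIm(node) {
  if (node.nodeType === 3 || node.nodeType === 4) return escapeHtml(node.nodeValue); // text, CDATA
  if (node.nodeType !== 1) return '';                                               // comments, PIs
  const tag = node.localName.toLowerCase();
  if (DROP_SUBTREE.has(tag)) return '';
  const children = Array.from(node.childNodes, sanitizeXhtmlIm).join('');
  // Unknown tags (including the <body> wrapper) are unwrapped: text survives, the tag does not.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) return children;
  let attrs = '';
  for (const { name, value } of Array.from(node.attributes)) {
    const n = name.toLowerCase();
    if (!ALLOWED[tag].includes(n)) continue; // drops onclick, onerror, style, xmlns, ...
    let v = value;
    if (n === 'href' || n === 'src') {
      v = safeUrl(n, value);
      if (v === null) continue;
    }
    attrs += ` ${n}="${escapeHtml(v)}"`;
  }
  if (tag === 'br' || tag === 'img') return `<${tag}${attrs}>`;
  return `<${tag}${attrs}>${children}</${tag}>`;
}

// Minimal stand-ins for DOM Element and Text nodes (constructed for this example).
const el = (localName, attrs = {}, ...childNodes) => ({
  nodeType: 1, localName,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
  childNodes,
});
const text = (nodeValue) => ({ nodeType: 3, nodeValue });

// Constructed sample: the <body> of an XHTML-IM payload a hostile client could send.
// A server that only checks well-formedness will forward it unchanged.
const hostileBody = el('body', { xmlns: XHTML_NS },
  el('p', { style: 'color:red' },
    text('Hi '),
    el('a', { href: 'javascript:alert(1)', onclick: 'steal()' }, text('click')),
    el('script', {}, text('steal()')),
    el('img', { src: 'http://example.org/a.png', alt: 'a', onerror: 'steal()' }),
    text(' <b>not bold</b>'),
    el('a', { href: 'https://example.org/' }, text('ok'))));

function sanitizeSample() {
  return sanitizeXhtmlIm(hostileBody);
}
// sanitizeSample() returns
// '<p>Hi <a>click</a><img src="http://example.org/a.png" alt="a"> &lt;b&gt;not bold&lt;/b&gt;<a href="https://example.org/">ok</a></p>'
```

The returned string can go straight into .append() or .html(): nothing outside the allowlist survives, and every text node and attribute value has been escaped, so the href, the event handlers and the script block from the sample are all gone while the literal "<b>" in the text is shown as text. The plain-text <body> of a message should still go through .text() as in the question; this filter is only for the XHTML-IM payload.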

Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.