A7:2017 - Cross-Site Scripting (XSS)

Official Content

Actions by GeneXus

  • GeneXus validates the types and lengths of attributes and variables.
  • It gives the developer the possibility to specify regular expressions to validate custom entries.
  • GeneXus encodes every data entry on the generated Web Pages according to its output context (HTML, JavaScript, JSON, etc.). The developer can disable this function; if so, the developer must implement the encoding properly.
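The context-dependent encoding that the last point refers to is the core of XSS prevention: the same value needs a different encoder depending on whether it lands in HTML text, in a quoted attribute or inside an inline script. The following Python block is an added illustration, not GeneXus code; the input string and the two tiny render functions are constructed for the example.

```python
import html
import json

# Constructed sample input (not from the page): a user-supplied display name
# carrying markup plus a sequence meant to close a JavaScript string literal.
UNTRUSTED_NAME = '<img src=x onerror=alert(1)>"; alert(2); //'


def encode_for_html(value: str) -> str:
    """HTML body and quoted-attribute context: escape & < > " and '."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript / JSON string context: emit a JSON literal, then also
    escape the characters that could end an inline <script> block
    (< > &) and the line terminators JSON leaves unescaped."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def render_unsafe(name: str) -> str:
    """Anti-pattern: raw concatenation into both contexts (what happens
    when encoding is disabled and nothing replaces it)."""
    return ('<p title="' + name + '">' + name + '</p>\n'
            '<script>var user = "' + name + '";</script>')


def render_safe(name: str) -> str:
    """Each sink uses the encoder that matches its own context."""
    return ('<p title="' + encode_for_html(name) + '">'
            + encode_for_html(name) + '</p>\n'
            '<script>var user = ' + encode_for_js_string(name) + ';</script>')


def round_trips(value: str) -> bool:
    """Encoders must preserve the value: the browser decodes exactly what
    the user typed, but as data rather than as markup or code."""
    return (html.unescape(encode_for_html(value)) == value
            and json.loads(encode_for_js_string(value)) == value)


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_NAME))
    print(render_safe(UNTRUSTED_NAME))
```

The round-trip check is the useful property to keep in mind when writing a replacement encoder: output that decodes back to the original value is lossless, while output that still contains a literal `<` in a script block or an unescaped `"` in an attribute is a sink that the browser will interpret.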

Actions by Developers

  • Validate rich-text (e.g. HTML) entries. Whitelisting is advised.
  • If a User Control or custom HTML code is used, the developer must sanitize the user's entries properly.
    • Security Scanner helps to detect this scenario with case codes #101, #109, #117, #118, #121 & #124.
  • The use of the OWASP XSS Prevention Cheat Sheet is advised.
  • Set the Content Security Policy for browsers properly.
  • Set Session Cookies as HTTPOnly.
    • Security Scanner helps to detect this scenario with case code #124.
  • Security Scanner - Detections:
    • HTML Format (#101), Httpresponse data type usage (#109), Form.HeaderRawHtml (#117), Form.JScriptSrc property (#118), External Object usage (#120), User Control usage (#121), JSEvent usage (#130).
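The two browser-side mitigations above (a Content Security Policy and HttpOnly session cookies) are response headers, so they can be checked mechanically on any page the application serves. The block below is an added Python example, not GeneXus or Security Scanner code: it builds a hardened session cookie with the standard library and audits a response header set for the weak patterns. The cookie name, values and both header sets are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not from the page). The nonce and cookie
# value are placeholders for the example.
WEAK_HEADERS = {
    "Set-Cookie": "SESSIONID=abc123; Path=/",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Set-Cookie": "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "object-src 'none'; base-uri 'self'"
    ),
}


def build_session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Emit a Set-Cookie value with HttpOnly (script cannot read it),
    Secure and SameSite set, using only the standard library."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = secure
    jar[name]["samesite"] = "Lax"
    return jar[name].OutputString()


def parse_cookie_flags(set_cookie: str) -> set:
    """Return the lower-cased attribute names after the name=value pair."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def parse_csp(policy: str) -> dict:
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict) -> list:
    """List the XSS-relevant weaknesses found in a response header set."""
    findings = []
    flags = parse_cookie_flags(headers.get("Set-Cookie", ""))
    if "httponly" not in flags:
        findings.append("session cookie lacks HttpOnly")
    if "secure" not in flags:
        findings.append("session cookie lacks Secure")
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
        return findings
    directives = parse_csp(csp)
    # script-src falls back to default-src when absent
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline'")
    if "*" in script_src:
        findings.append("script-src allows any origin (*)")
    if "object-src" not in directives:
        findings.append("object-src not set (plugins fall back to default-src)")
    return findings


if __name__ == "__main__":
    print(build_session_cookie("SESSIONID", "abc123"))
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

A policy that allows `'unsafe-inline'` or `*` in `script-src` gives no protection against injected script, which is why the audit treats those two source expressions as findings regardless of what else the policy contains; a nonce or hash based `script-src`, as in the hardened set, is what makes the CSP an actual mitigation.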