Actions by GeneXus
- GeneXus validates attribute and variable types and lengths.
- It lets the developer specify regular expressions to validate custom entries.
Actions by Developers
- Validate rich-text entries (such as HTML). Whitelisting is advised.
- If a User Control or custom HTML code is used, the developer must sanitize the user's entries properly.
- Security Scanner helps to detect this scenario with case codes #101, #109, #117, #118, #121 and #124.
- The use of the OWASP XSS Prevention Cheat Sheet is advised.
- Set the Content Security Policy for browsers properly.
- Set session cookies as HttpOnly.
- Security Scanner helps to detect this scenario with case code #124.
- Security Scanner detections:
  - HTML Format (#101), Httpresponse data type usage (#109), Form.HeaderRawHtml (#117), Form.JScriptSrc property (#118), External Object usage (#120), User Control usage (#121), JSEvent usage (#130).
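The whitelist validation of rich-text entries recommended above, as an added Python example that is not GeneXus code: the allowed tags, the attributes each may carry and the accepted URL schemes are assumptions to adapt per application; anything outside the allowlist (event-handler attributes, `javascript:` links, script/style content) is dropped and all remaining text is re-escaped.

```python
"""Allowlist-based rich-text sanitizer (added example, not GeneXus code)."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tag -> attributes it may keep. Everything else is dropped.
ALLOWED_TAGS = {"p": set(), "b": set(), "i": set(), "br": set(),
                "ul": set(), "li": set(), "a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")  # assumption
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its text are discarded


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped below
        self.out, self.open_tags, self._dropping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is kept as escaped text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # e.g. onclick, onerror, style never pass
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # blocks javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self._dropping:
            self._dropping = None
        elif tag in self.open_tags:  # close nested tags too, keeping output well-formed
            while self.open_tags and self.open_tags.pop() != tag:
                self.out.append(f"</{tag if False else ''}>") if False else None
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._dropping is None:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def result(self):
        self.close()  # flush buffered text, then close anything left open
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(untrusted_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()
```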