A7:2017 - Cross-Site Scripting (XSS)

Unofficial Content

Actions by GeneXus

  • GeneXus validates attributes' and variables' types and lengths.
  • It lets the developer specify regular expressions to validate custom entries.
  • GeneXus encodes every data entry on the generated Web Pages according to its output context (HTML, JavaScript, JSON, etc.). The developer can disable this function; if they do, they must implement the context-appropriate encoding themselves.

Actions by Developers

  • Validate rich-text (e.g. HTML) entries. Whitelisting is advised.
  • If a User Control or custom HTML code is used, the developer must sanitize the user's entries properly.
    • Security Scanner helps to detect this scenario with case codes #101, #109, #117, #118, #121 & #124.
  • The use of the OWASP XSS Prevention Cheat Sheet is advised.
  • Set the Content Security Policy for browsers properly.
  • Set Session Cookies as HttpOnly.
    • Security Scanner helps to detect this scenario with case code #124.
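The context-aware encoding the bullets above call for, shown in an added Python example that is not GeneXus-generated code: the same untrusted value is emitted into an HTML body, a quoted attribute and a JavaScript string literal, and a naive JavaScript encoder is kept beside the correct one to show how a `</script>` in user data still closes the script element. The sample input, function names and header values are constructed for illustration and are not GeneXus defaults.

```python
import html
import json

# Constructed sample input (not from any real incident): a value that tries to
# break out of a <script> block and of a quoted attribute at the same time.
USER_INPUT = '</script><script>alert(1)</script>" onmouseover="x'

def encode_for_html(value: str) -> str:
    """HTML body and quoted-attribute contexts: & < > " ' become entities."""
    return html.escape(value, quote=True)

def encode_for_js_string_naive(value: str) -> str:
    """Quotes and backslashes are escaped, but '</script>' survives, and the
    HTML parser closes the script element before the JS parser ever runs."""
    return json.dumps(value)

def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context: additionally escape < and > as
    \\u003c and \\u003e so no tag can end the surrounding <script> element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_page(value: str, js_encoder=encode_for_js_string) -> str:
    """Emit one untrusted value in three output contexts, each through the
    encoder that matches that context."""
    return (
        f"<p>{encode_for_html(value)}</p>\n"
        f'<input value="{encode_for_html(value)}">\n'
        f"<script>var name = {js_encoder(value)};</script>"
    )

def script_elements_closed(page: str) -> int:
    """Review check on generated output: the page should contain exactly one
    </script>, the one the template wrote; any extra came from user data."""
    return page.count("</script>")

def security_headers() -> dict:
    """Response headers matching the last two bullets: a CSP that allows only
    same-origin scripts (no inline) and an HttpOnly session cookie.
    Assumed illustrative values, not GeneXus defaults."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie":
            "session=<opaque-id>; Path=/; Secure; HttpOnly; SameSite=Lax",
    }
```

With `encode_for_js_string_naive` the rendered page contains three `</script>` tags, two of them supplied by the user; with the context-correct encoder only the template's own remains.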
