security
Notes
- Never allow user input inside JavaScript block comments (`/* */`), even when it has been JS-string-escaped. Escaping quotes, backslashes and angle brackets protects a string literal; it does nothing to the two characters `*/` that close a comment.
- Attacker-supplied input such as `*/alert(1)/*` placed inside the comment closes it, executes arbitrary JavaScript, and opens a fresh comment to swallow whatever followed, all without a single quote, angle bracket or backslash, so a string-escaping filter never touches it.
- For JSON requests (the concern is cross-site inclusion of the response with a `<script src>` tag)
  - Use a parser-breaking prefix such as `)]}'\n`. The legitimate client strips it before calling JSON.parse; a `<script>` include fails with a SyntaxError on the first character and nothing executes.
  - In addition, use signed URLs, which a page on another origin cannot construct in order to include them.
  - Maybe also require a custom XMLHttpRequest header such as X-Requested-With (a `<script>` tag or a plain HTML form cannot send one), or only serve JSON in response to POST requests.
- Dangerous sinks: anything that turns a string into code
  - eval
  - setTimeout / setInterval when given a string instead of a function
  - the Function constructor, reachable without ever naming it, e.g. `({}).toString.constructor('alert(1)')` returns a function whose call runs the payload (the parentheses matter only in statement position, where a bare `{}` parses as an empty block)
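The comment break-out from the first two notes, as an added example that is not part of the original notes. It shows a conventional JS-string escaper leaving `*/alert(1)/*` untouched, the payload executing when the template interpolates into a block comment, and the same payload doing nothing when the value is placed in a string literal instead. The helper names (`jsStringEscape`, `renderWithComment`, `renderSafely`, `runScript`) and the sample payload are assumptions made for the example.

```javascript
// Added example (not from the original notes): why JS-string escaping does not
// protect a value placed inside a block comment. The helper names
// (jsStringEscape, renderWithComment, renderSafely, runScript) are hypothetical.

// A typical "JS escape": neutralises quotes, backslashes, newlines and angle
// brackets so that a value can sit inside a quoted string literal.
function jsStringEscape(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/</g, '\\x3c')
    .replace(/>/g, '\\x3e');
}

// Vulnerable template: the escaped value is interpolated into a block comment.
// None of the characters jsStringEscape rewrites are needed to close a comment.
function renderWithComment(userName) {
  return `/* user: ${jsStringEscape(userName)} */\nvar hits = 0;`;
}

// Hardened template: the value goes into a string literal, where the escaping
// above actually applies, and never into a comment.
function renderSafely(userName) {
  return `var userName = '${jsStringEscape(userName)}';\nvar hits = 0;`;
}

// Run a generated script with alert() replaced by a recorder, so the caller can
// observe whether attacker-controlled code executed.
function runScript(code) {
  const calls = [];
  new Function('alert', code)((x) => calls.push(x));
  return calls;
}

// Constructed attacker input: closes the comment, calls alert, reopens a comment.
const PAYLOAD = '*/alert(1)/*';

function demo() {
  return {
    vulnerable: runScript(renderWithComment(PAYLOAD)), // [1]: the payload ran
    hardened: runScript(renderSafely(PAYLOAD)),        // []: nothing ran
  };
}
```

`jsStringEscape` returns the payload unchanged because it contains nothing the escaper looks for; the only fix is structural, which is what `renderSafely` does.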
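The JSON mitigations from the notes, as an added example that is not part of the original notes: a server-side encoder that prepends the `)]}'\n` prefix, the matching client-side decoder, a model of `<script src>` inclusion that shows the prefixed body is a SyntaxError while a bare array parses as a script, and a request gate for the POST-only / custom-header options. `JSON_PREFIX` is the value from the notes; the function names and the use of `X-Requested-With` as the custom header are assumptions.

```javascript
// Added example (not from the original notes): the parser-breaking prefix and
// the request checks from the list above. JSON_PREFIX is the value from the
// notes; the function names and the header check are hypothetical.
const JSON_PREFIX = ")]}'\n";

// Server side: prepend the prefix to every JSON body.
function encodeProtectedJson(data) {
  return JSON_PREFIX + JSON.stringify(data);
}

// Legitimate client (XHR or fetch response text): verify, strip, then parse.
function decodeProtectedJson(text) {
  if (!text.startsWith(JSON_PREFIX)) {
    throw new Error('missing anti-hijacking prefix');
  }
  return JSON.parse(text.slice(JSON_PREFIX.length));
}

// Model of cross-site inclusion: an attacker page loads the JSON URL with
// <script src=...>, so the browser parses the body as a script. Returns true
// when the body parses (and would execute), false when it is a SyntaxError.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server-side gate for the other two mitigations: answer with JSON only to a
// POST, or to a request carrying a custom header that a <script> tag or a
// plain HTML form cannot add. X-Requested-With is the conventional choice.
function isAllowedJsonRequest(method, headers) {
  if (method.toUpperCase() === 'POST') return true;
  const xrw = headers['x-requested-with'] || headers['X-Requested-With'];
  return xrw === 'XMLHttpRequest';
}
```

The custom-header check holds up cross-origin because a non-simple header forces a CORS preflight, which the server can refuse; the prefix still matters as defence in depth for any path that serves the JSON with a permissive origin policy.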