Search

GlobalSCAPE Knowledge Base

What sort of DOM XSS (client XSS) mitigation techniques does EFT use?

Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7. and later

QUESTION

What sort of DOM XSS (client XSS) mitigation techniques does EFT use?

ANSWER

Document Object Model (DOM)-based Cross-Site Scripting (XSS) is a client (browser)-side injection issue in which the attack is injected into the application during runtime in the client (browser) directly.

To mitigate DOM XSS, EFT behaves per the following guidelines:

  • Be careful with untrusted data: When forced to deal with untrusted data, EFT’s web client only uses it for displayable text (rather than execution) and instead relies on EFT server for the rest of its data for execution, including templated Javascript.
  • Use safe methods when dynamically rendering HTML: EFT’s web client uses methods and practices recommended by OWASP for creating dynamic interfaces.
  • Use caution when dealing with methods that implicitly eval() data and with eval() itself: EFT’s web client uses OWASP-approved methods of parsing JSON payloads.
Details
Last Modified: 5 Years Ago
Last Modified By: kmarsh
Type: INFO
Rated 2 stars based on 2 votes.
Article has been viewed 19K times.
Options
Also In This Category
Tags