GlobalSCAPE Knowledge Base


What sort of DOM XSS (client XSS) mitigation techniques does EFT use?


kmarsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7 and later

QUESTION

What sort of DOM XSS (client XSS) mitigation techniques does EFT use?

ANSWER

Document Object Model (DOM)-based Cross-Site Scripting (XSS) is a client-side (browser-side) injection flaw. The malicious payload is introduced into the page at runtime by the application's own JavaScript, which reads attacker-influenced data (for example, from the URL fragment or from a fetched response) and writes it into a DOM sink that interprets it as markup or code. Because the injected script need never pass through the server, server-side output encoding alone does not prevent it; the client-side code itself has to handle untrusted data safely.

To mitigate DOM XSS, EFT's web client follows these guidelines:

  • Be careful with untrusted data: when the web client must handle untrusted data, it uses that data only as displayable text, never as something to execute. Everything that is executed, including templated JavaScript, is obtained from the EFT server rather than from client-side sources.
  • Use safe methods when dynamically rendering HTML: the web client builds its dynamic interfaces using the methods and practices recommended by OWASP (creating elements and setting their text content rather than assembling HTML strings for an HTML-parsing sink).
  • Use caution with eval() and with methods that implicitly eval() their input: the web client parses JSON payloads using the OWASP-recommended approach (a real JSON parser rather than eval()).
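The following is an added illustration of the three guidelines above; it is example code written for this article, not EFT's or GlobalSCAPE's web client code. The scenario is constructed: a page greets the user by a name taken from the URL fragment and loads settings as JSON from the server. Each vulnerable pattern is shown next to its hardened form. The helper functions are plain string and JSON functions so they also run under Node; only the final guarded section touches the real DOM.

```javascript
// Added example (not EFT's code): DOM XSS sinks and their safe alternatives.
// Scenario (constructed): greet the user by a name from location.hash and
// load settings delivered as JSON.

// Untrusted source: the URL fragment. location.hash keeps the leading '#'.
function untrustedNameFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return ''; // malformed percent-encoding: display nothing rather than raw bytes
  }
}

// VULNERABLE: untrusted data concatenated into markup destined for an
// HTML-parsing sink (innerHTML, document.write, insertAdjacentHTML).
function greetingHtmlVulnerable(name) {
  return '<p>Welcome, ' + name + '</p>';
}

// HARDENED (string level): HTML-entity encode the untrusted value before it
// is placed in element content (OWASP XSS Prevention Rule #1). The value is
// still displayed as typed; it simply can no longer be parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}
function greetingHtmlSafe(name) {
  return '<p>Welcome, ' + escapeHtml(name) + '</p>';
}

// HARDENED (DOM level): do not build HTML at all. createElement + textContent
// treats the value as text, so there is no encoding step to forget.
function renderGreeting(container, name) {
  const p = container.ownerDocument.createElement('p');
  p.textContent = 'Welcome, ' + name;
  container.replaceChildren(p);
}

// VULNERABLE: eval() "parses" JSON by executing it, so a payload that is
// valid JavaScript but not valid JSON runs with the page's privileges.
function parseSettingsVulnerable(payload) {
  return eval('(' + payload + ')');
}

// HARDENED: JSON.parse accepts only the JSON grammar and never executes
// anything; non-JSON input is a SyntaxError, which is handled as a rejection.
function parseSettingsSafe(payload) {
  try {
    return JSON.parse(payload);
  } catch (e) {
    return null; // reject the payload instead of falling back to eval()
  }
}

// Constructed hostile inputs for demonstration.
const HOSTILE_HASH = '#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'; // "<img src=x onerror=alert(1)>"
const HOSTILE_JSON = '{"theme": (globalThis.pwned = "yes")}';    // valid JS, not valid JSON

// Browser-only demonstration of the DOM-level pattern; skipped under Node.
if (typeof document !== 'undefined') {
  const box = document.createElement('div');
  document.body.appendChild(box);
  renderGreeting(box, untrustedNameFromHash(location.hash));
}
```

With HOSTILE_HASH, greetingHtmlVulnerable() yields markup containing a live img/onerror handler if it ever reaches innerHTML, while greetingHtmlSafe() yields the same text with the angle brackets encoded, and renderGreeting() never parses it at all. With HOSTILE_JSON, parseSettingsVulnerable() executes the assignment embedded in the payload, whereas parseSettingsSafe() rejects it because it is not JSON.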

Details
Last Modified By: kmarsh
Type: INFO