| author | Michael Catanzaro <mcatanzaro@redhat.com> | 2021-12-14 16:42:30 -0600 |
|---|---|---|
| committer | Marge Bot <marge-bot@gnome.org> | 2021-12-15 19:45:42 +0000 |
| commit | 2f0fcea640b6219e55ceb02aba796158e49650a4 (patch) | |
| tree | b7d061f49baf2ef5e292efc35dccf4c508e88a0b | |
| parent | 31768a0e73f183cc29c1837f158d41b423d3ffef (diff) | |
Add anti-XSS rules to HACKING file
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>
| -rw-r--r-- | HACKING.md | 13 |
|---|---|---|

1 file changed, 13 insertions, 0 deletions
diff --git a/HACKING.md b/HACKING.md index 545d7c960..8a050769f 100644 --- a/HACKING.md +++ b/HACKING.md @@ -167,6 +167,19 @@ more `WebKitWebExtension`s (web process extensions). Meanwhile, each `WebKitWebView` will have one or more `WebKitWebPage`s. Only one page will be active in a view at a given time: the other pages are for process swaps. +# Security + +When injecting untrusted data into web content, you need to properly encode the +data for the relevant context in order to prevent XSS vulnerabilities. For +example: page titles could be malicious, URLs could be malicious, web app IDs +could be malicious, etc. You must carefully read and understand the [OWASP +XSS Prevention rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) +or you will mess up. `lib/ephy-output-encoding.h` contains functions to help +with this. + +When working with JavaScript, pay particular attention to Rule #8 "Prevent DOM- +based XSS" as it is tricky and requires care throughout your JavaScript. + # Debugging To enable debugging use the configure option `-Ddeveloper_mode=true`. |
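Review bot: the new "Security" section in HACKING.md points contributors at `lib/ephy-output-encoding.h` but does not say which output contexts its helpers cover, so a reader still has to work out for themselves which function matches which OWASP rule; adding one sentence that maps each helper to the context it encodes for (HTML body text, HTML attribute value, JavaScript string literal, URL component) would make the guidance actionable. The reference to 'Rule #8 "Prevent DOM-based XSS"' would also be more durable as a direct link to that section of the cheat sheet, since the rule numbering is not guaranteed to stay stable across revisions of the OWASP page. Minor: `DOM-` is hyphenated across a soft line break (`+based XSS"`), which Markdown renders as "DOM- based XSS"; keep the hyphenated word on one line.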