curiouswebster
Is the following HTML5 method more secure? If so, in what way?
I see this kind of code throughout the JavaScript for the multiple applications I need to support.
element.getAttribute("data-ajax-loading-duration")
But I see in this article:
HTML5 comparison to Old way
Instead, I read the new way to code this is by using the dataset:
<div
    id="injectedData"
    data-untrustedinput="@untrustedInput" />
<script>
    var injectedData = document.getElementById("injectedData");
    // All clients
    var clientSideUntrustedInputOldStyle =
        injectedData.getAttribute("data-untrustedinput");
    // HTML 5 clients only
    var clientSideUntrustedInputHtml5 =
        injectedData.dataset.untrustedinput;
</script>
The use of getAttribute() is the old way, not the HTML5 way, as you can see.
My goal is to block XSS URL hacks. Does the HTML5 way close any exposures?
Thanks
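Added example (not code from the question or from any answer): a DOM-free stand-in for an element, so it runs in Node, showing that getAttribute("data-...") and the dataset property read the very same string (the asker's data-ajax-loading-duration becomes dataset.ajaxLoadingDuration), so the HTML5 accessor closes nothing by itself; what blocks a URL-based attack is validating the value before it reaches a redirect sink. The attribute values and the allowed origin are constructed for illustration.

```javascript
// HTML spec mapping for data-* names: data-foo-bar  ->  dataset.fooBar
function datasetKey(attrName) {
  if (!attrName.startsWith("data-")) return null;
  return attrName.slice(5).replace(/-([a-z])/g, (_, c) => c.toUpperCase());
}

// Minimal stand-in for a DOM element (assumption: no real DOM available).
// Both access paths hand back the identical attribute string.
function makeElement(attributes) {
  const dataset = {};
  for (const [name, value] of Object.entries(attributes)) {
    const key = datasetKey(name);
    if (key !== null) dataset[key] = value;
  }
  return {
    getAttribute: (name) => (name in attributes ? attributes[name] : null),
    dataset,
  };
}

// The actual control: accept a value as a redirect target only when it resolves
// to the application's own origin. Rejects javascript:, data:, protocol-relative
// (//other.host) and foreign-origin values; returns null for anything rejected.
function safeRedirectTarget(value, allowedOrigin) {
  let url;
  try {
    url = new URL(value, allowedOrigin);
  } catch (e) {
    return null;
  }
  if (url.origin !== allowedOrigin) return null;
  return url.href;
}

// Constructed sample element; the untrusted value is a typical open-redirect probe.
const el = makeElement({
  id: "injectedData",
  "data-untrustedinput": "//evil.example/phish",
  "data-ajax-loading-duration": "250",
});
console.log(el.getAttribute("data-untrustedinput") === el.dataset.untrustedinput); // true
console.log(el.dataset.ajaxLoadingDuration);                                       // "250"
console.log(safeRedirectTarget(el.dataset.untrustedinput, "https://app.example"));  // null
console.log(safeRedirectTarget("/account?x=1", "https://app.example"));            // same-origin href
```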
You can't trust anything on the front end (HTML/JavaScript). This type of thing needs to be done on the server side (.NET, PHP, etc.).
ASKER
Thanks. I am having a very hard time extracting the various URLs created by our own JavaScript, so that I can nail down the calls to our back-end which might be exposed.
I am literally searching through four applications for these flags:
redirect
window.location
window.open
window.Server.mapPath
window.location.pathname
But it feels a bit hopeless.
Is there a way on the C# end to list all C# calls that are exposed? I feel like that means any public or protected action method, and that feels like another wrong tree to start barking up.
ASKER CERTIFIED SOLUTION
ASKER
thanks