curiouswebster asked:
Is the following HTML5 method more secure? If so, in what way?

Is the following HTML5?

I see this kind of code throughout the JavaScript for the multiple applications I need to support.

element.getAttribute("data-ajax-loading-duration")

But I see in this article:

HTML5 comparison to Old way

Instead, I read the new way to code this is by using the dataset:
   <!-- @untrustedInput is filled in by the server-side template before the page is sent -->
   <div
       id="injectedData"
       data-untrustedinput="@untrustedInput"></div>

   <script>
     var injectedData = document.getElementById("injectedData");

     // All clients: read the attribute value directly
     var clientSideUntrustedInputOldStyle =
         injectedData.getAttribute("data-untrustedinput");

     // HTML 5 clients only: the same value through the dataset API
     var clientSideUntrustedInputHtml5 =
         injectedData.dataset.untrustedinput;
   </script>



The use of getAttribute() is the old way, not the HTML5 way, as you can see.

My goal is to block XSS URL hacks. Does the HTML5 way close any exposures?

Thanks
Scott Fell:

You can't trust anything on the front end (HTML/JavaScript). This type of thing needs to be done on the server side (.NET, PHP, etc.).
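The following is an added example, not code from the question, the quoted article, or either participant. It ties the two posts above together: the asker's getAttribute() versus dataset question, and Scott's point that the protection has to happen on the server. It runs under Node.js with no DOM, so the browser's getAttribute() and dataset behaviour is modelled by small functions (readAttribute, datasetOf, datasetKeyFor) over a single element's markup; those names, encodeForHtmlAttribute, renderInjectedDataDiv and the constructed HOSTILE_INPUT value are this example's own assumptions.

```javascript
// Added example, not from the question or the article it quotes. Runs under
// Node.js with no DOM: getAttribute()/dataset are modelled with small
// functions over one element's markup, so the two things that decide whether
// the "injectedData" pattern is safe can be seen directly. Neither of them is
// the choice between getAttribute() and dataset; both return the same string.

// 1. Server side: encode the value before placing it in the attribute.
//    These five replacements are what an HTML attribute encoder must do for a
//    double-quoted attribute value (ampersand first, so it is not re-encoded).
function encodeForHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the <div id="injectedData"> from the question. encode:false models a
// server that writes @untrustedInput out raw.
function renderInjectedDataDiv(untrustedInput, { encode = true } = {}) {
  const attr = encode ? encodeForHtmlAttribute(untrustedInput) : untrustedInput;
  return `<div id="injectedData" data-untrustedinput="${attr}"></div>`;
}

// 2. Client side: what the browser hands back. readAttribute() stands in for
//    element.getAttribute(name): find the double-quoted attribute and decode
//    the entities the encoder produced (ampersand last).
function readAttribute(elementHtml, name) {
  const m = elementHtml.match(new RegExp(`\\s${name}="([^"]*)"`));
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&#x27;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Browser rule for element.dataset keys: drop the "data-" prefix and turn
// "-x" into "X" for an ASCII lowercase x. The asker's
// data-ajax-loading-duration is therefore dataset.ajaxLoadingDuration, and
// data-untrustedinput (no hyphen) stays dataset.untrustedinput.
function datasetKeyFor(attributeName) {
  if (!attributeName.startsWith("data-")) return null;
  return attributeName.slice(5).replace(/-([a-z])/g, (_, c) => c.toUpperCase());
}

// datasetOf() stands in for element.dataset: a view over every data-*
// attribute, holding the same decoded values getAttribute() returns.
function datasetOf(elementHtml) {
  const dataset = {};
  for (const [, name] of elementHtml.matchAll(/\s(data-[a-z0-9-]+)="[^"]*"/g)) {
    dataset[datasetKeyFor(name)] = readAttribute(elementHtml, name);
  }
  return dataset;
}

// Constructed input: a value that tries to close the attribute and add one of
// its own. A harmless marker attribute is used so the effect is visible; any
// attribute could be added the same way if the server does not encode.
const HOSTILE_INPUT = 'x" data-injected="true';

function demo() {
  const safe = renderInjectedDataDiv(HOSTILE_INPUT);
  const unsafe = renderInjectedDataDiv(HOSTILE_INPUT, { encode: false });
  return {
    safeHtml: safe,
    unsafeHtml: unsafe,
    // With encoding, the whole string comes back as data, by either API.
    safeOldStyle: readAttribute(safe, "data-untrustedinput"),
    safeHtml5: datasetOf(safe).untrustedinput,
    safeHasInjectedAttribute: readAttribute(safe, "data-injected") !== null,
    // Without encoding, the value is cut at the quote and a new attribute exists.
    unsafeOldStyle: readAttribute(unsafe, "data-untrustedinput"),
    unsafeHasInjectedAttribute: readAttribute(unsafe, "data-injected") !== null,
  };
}

console.log(demo());
```

In a real browser, `injectedData.getAttribute("data-untrustedinput")` and `injectedData.dataset.untrustedinput` return the identical decoded string, so switching APIs neither adds nor removes an exposure. What matters is that the server encodes the value for an attribute context (the first half of the example) and that the script then uses it only in a safe sink (`textContent`, a DOM property, a parameter) rather than building markup or a URL from it with `innerHTML`, `document.write` or `window.location`.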
curiouswebster (asker):

Thanks. I am having a very hard time extracting the various URLs created by our own JavaScript, so that I can nail down the calls to our back-end which might be exposed.

I am literally searching through four applications for these flags:

redirect
window.location
window.open
window.Server.mapPath
window.location.pathname

But it feels a bit hopeless.

Is there a way on the C# end to list all C# calls that are exposed? I feel like that means any public or protected action method, and that feels like another wrong tree to start barking up.
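The following is an added example, not code from the thread. It is a small Node.js helper for the search the asker describes above: it scans JavaScript source for the navigation sinks in that list and reports each hit, separating a write to window.location (which navigates, and is an open-redirect sink when the value is attacker controlled) from a plain read such as window.location.pathname, and flagging hits whose value on the same line comes from the current URL. The regexes, the function and constant names and the SAMPLE_SOURCE lines are this example's own constructions.

```javascript
// Added example, not from the thread: a scanner for the sinks the asker is
// grepping for, with a first pass at telling writes from reads. Constructed
// sample source below; patterns and names are this example's own.

const SINK_PATTERNS = [
  // Assigning to location, location.href or location.pathname navigates.
  { sink: "location-write", re: /\b(?:window\.)?location\b(?:\.(?:href|pathname))?\s*=(?!=)/ },
  // So do these two methods.
  { sink: "location-method", re: /\b(?:window\.)?location\.(?:assign|replace)\s*\(/ },
  { sink: "window.open", re: /\bwindow\.open\s*\(/ },
  // The keyword the asker greps for; usually a response field or a helper name.
  { sink: "redirect-keyword", re: /\bredirect\b/i },
];

// Expressions whose value comes from the current URL. A sink fed by one of
// these on the same line is the first thing to review.
const URL_SOURCE = /\blocation\.(?:search|hash)\b|\bURLSearchParams\b|\bdocument\.URL\b/;

// Returns one finding per (line, pattern) pair, in source order.
function scanForRedirectSinks(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const { sink, re } of SINK_PATTERNS) {
      if (re.test(text)) {
        findings.push({
          line: index + 1,
          sink,
          urlDerived: URL_SOURCE.test(text),
          text: text.trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample: one read (line 1, not a sink), one URL-fed write (line 2),
// a fixed window.open (line 3), a location.replace (line 4) and a write whose
// value comes from a server response field (line 5).
const SAMPLE_SOURCE = [
  'var base = window.location.pathname;',
  'window.location = new URLSearchParams(location.search).get("returnUrl");',
  'window.open("/help", "_blank");',
  'location.replace("/login?next=" + encodeURIComponent(base));',
  'if (data.redirect) { window.location.href = data.redirect; }',
].join("\n");

for (const f of scanForRedirectSinks(SAMPLE_SOURCE)) {
  const tag = f.urlDerived ? "URL-FED " : "        ";
  console.log(`${tag}line ${f.line} ${f.sink.padEnd(16)} ${f.text}`);
}
```

Run it against real files by replacing SAMPLE_SOURCE with `fs.readFileSync(path, "utf8")` for each script in the four applications. The same-line heuristic for urlDerived is deliberately simple: a value read from the URL on one line and written to location a few lines later is still reported, just without the URL-FED tag, so every location-write hit still needs a look at where its value came from. On the C# side, the counterpart question is which action methods accept a URL parameter and pass it to a redirect; that is a separate audit, not something this scanner answers.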
ASKER CERTIFIED SOLUTION by Scott Fell (members-only content; the text of this answer is not available on this page)
curiouswebster (asker): thanks