Is the following HTML5 method more secure? If so, in what way?

Is the following HTML5?

I see this kind of code throughout the javascript for the multiple applications I need to support.

element.getAttribute("data-ajax-loading-duration")

But I see in this article:

HTML5 comparison to Old way

Instead, I read the new way to code this is by using the dataset:
   <div
       id="injectedData"
       data-untrustedinput="@untrustedInput" />

   <script>
     var injectedData = document.getElementById("injectedData");

     // All clients
     var clientSideUntrustedInputOldStyle =
         injectedData.getAttribute("data-untrustedinput");

     // HTML 5 clients only
     var clientSideUntrustedInputHtml5 =
         injectedData.dataset.untrustedinput;

Open in new window



the use of getAttribute() is the old way, not the HTML5 way, as you can see.

My goal is to block XSS URL hacks. Does the HTML5 way close any exposures?

Thanks
newbiewebSr. Software EngineerAsked:
Who is Participating?
 
Scott Fell, EE MVEConnect With a Mentor Developer & EE ModeratorCommented:
> element.getAttribute("data-ajax-loading-duration")

Let's say you have html
<div id="abc" class="success" data-ajax-loading-duration="3">The duration of ajax loading will be 3 seconds</div>

Open in new window


All that is doing is accessing the "3".  The issue is when you submit that 3 via an ajax (or direct post).  It's on the server side that you want to protect yourself.  Just reading data from a url on the client is not going to be harmful to your server.  

As far as your code, I don't work in c# or .NET.  But you want to look for anywhere data is accepted such as a GET or POST. https://msdn.microsoft.com/en-us/library/ff649310.aspx.  I also found this git from searching your code https://github.com/aspnet/Docs/blob/master/aspnetcore/security/cross-site-scripting.md.  Keep in mind this is talking about placing data in your html that is generated from the back end.  They are referring to data- attributes and placing data inside that such as the "3"  I mentioned above.  However, if that "3" gets sent back to the server, you still can't trust it and must have code to ensure safety on the back end.

To answer you question here, "Does the HTML5 way close any exposures?"  This is really a back end issue and not front end.
0
 
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
You can't trust anything on the front end (HTML/Javascript). This type of thing needs to be done on the server side. (.NET, PHP etc)
0
 
newbiewebSr. Software EngineerAuthor Commented:
Thanks. I am having a very hard time extracting the various URL's created by our own javascript, so that I can nail down the calls to our back-end which might be exposed.

I am literally search through four applications for these flags:

redirect                        
window.location
window.open
window.Server.mapPath
window.location.pathname

But it feels a bit hopeless.

Is there a way on the C# end to list all C# calls that are exposed? I feel like than means any public or protected action method, and that feels like another wrong tree to start barking up.
0
 
newbiewebSr. Software EngineerAuthor Commented:
thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.