Fixing JS injection #353


Johndiology opened this issue Jul 6, 2021 · 3 comments

Comments

@Johndiology

Our security team tells us that our Ajax calls are vulnerable to JS injection. They recommended URI encoding our responses. In trying to resolve this I happened on
this.transport.send(this.body);
in prototype.js and figured it could be
this.transport.send(encodeURIComponent(this.body));
But I'm kind of guessing here, as I don't understand a lot of this library. In any case, it didn't work. Or rather, it did URI encode our response parameters but then we have other form inputs that are now all "unnamed_argument_[x]".
I'd like to understand how to resolve this.
Thanks.

@jwestbrook
Collaborator

That section of code is how the Ajax class sends the request to the server, not the response from the server.

I believe this is more about how the response is handled, so if the headers are Javascript, and the response is from the same origin then the response will be treated as Javascript and evaluated.

You can disable this behavior by setting the evalJS option to false.

For example

new Ajax.Request('/my/ajax/url',{'evalJS':false,'onSuccess':function(result){
    console.log(result.responseText);
}});
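As an added illustration (not Prototype's own source, and not code from either commenter), the check below mirrors the rule described above: a response body is only handed to eval when evalJS is left enabled, the request is same-origin and the Content-Type declares script, while the handler shows the response being parsed as JSON and written into the page as text. The Content-Type pattern, the function names and the sample response are my assumptions.

```javascript
// Added example: not Prototype's own source. The pattern below is an
// assumption modelled on the evaluation rule described in the thread.
const SCRIPT_CONTENT_TYPE = /^\s*(text|application)\/(x-)?(java|ecma)script(;.*)?\s*$/i;

// Mirrors when an Ajax.Request would evaluate a response body:
// evalJS 'force' always; otherwise only if evalJS is truthy (its default),
// the request is same-origin and the Content-Type declares script.
function willEvaluateResponse(options, contentType, sameOrigin) {
  const evalJS = options.evalJS === undefined ? true : options.evalJS;
  if (evalJS === 'force') return true;
  return Boolean(evalJS && sameOrigin && SCRIPT_CONTENT_TYPE.test(contentType || ''));
}

// Defensive options: evalJS off, and the callback parses the body as JSON
// and writes it into the page via textContent, so markup in the data is
// displayed literally rather than rendered or executed.
function safeRequestOptions(targetElement) {
  return {
    evalJS: false,
    onSuccess: function (result) {
      const data = JSON.parse(result.responseText);
      targetElement.textContent = String(data.greeting);
      return targetElement.textContent;
    }
  };
}

// Constructed sample response (hypothetical; not captured from any server).
const SAMPLE_RESPONSE = {
  responseText: '{"greeting":"<b>Hello</b> & goodbye"}',
  getHeader: function () { return 'application/json'; }
};

// Stand-in for a DOM element so the example also runs outside a browser.
const fakeElement = { textContent: '' };
safeRequestOptions(fakeElement).onSuccess(SAMPLE_RESPONSE);
console.log(fakeElement.textContent); // prints "<b>Hello</b> & goodbye"
```

In a real page the options object is passed as the second argument to new Ajax.Request, exactly as in the snippet above.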

@Johndiology
Author

Thanks very much!
