Wednesday, 3 October 2018

Best way to XSS protect jsonify output

Which is the best way to protect from XSS-attacks via jsonify() in python Flask?

This is the Python (Flask) file:

from flask import Flask, jsonify

app = Flask(__name__)

# Sample data; the last row deliberately carries a script tag to show the problem
testvar = {0: {'Name': 'df',
               'test1': 'sdf',
               'test2': 'sdf'},
           1: {'Name': 'dfdf',
               'test1': 'sdf',
               'test2': 'dfdf'},
           2: {'Name': 'dfdf',
               'test1': 'dfdfd',
               'test2': 'dfdfd<script>alert("test");</script>'}}

@app.route("/test")
def test():
    return jsonify(testvar)

This is the JavaScript:

var output_body = "";
$.getJSON('/test', function(data) {
    $.each(data, function(key, val) {
        output_body += "<tr>";
        for (var property in val) {
            output_body += "<td>" + val[property] + "</td>";  // value inserted unescaped
        }
        output_body += "</tr>";
    });
    $('table').html(output_body);  // parsed as HTML, so the <script> runs
});

This code executes a JS alert box.

Of course I can clean the data in JS by escaping the < and >. But is there a good way to protect against an XSS attack in the above example?
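One way to close the hole the question describes, as an added example that is not part of the original post nor of Flask or jQuery: jsonify() is not the weak point (it emits valid JSON); the sink is $('table').html() fed by string concatenation, so every value is HTML-escaped before it is concatenated. The names escapeHtml, renderRows and SAMPLE are chosen here, and SAMPLE is a constructed copy of the question's data.

```javascript
// Map of the five characters that change meaning inside HTML text or attributes.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape one cell value. Non-strings (numbers, null) are coerced so that every
// value from the JSON takes the same path; a missed branch is how XSS slips in.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Same row/cell loop as the question's $.each / for-in, but each value is
// escaped before it touches the markup string. Object.keys() is used instead
// of for-in so inherited properties are never walked.
function renderRows(data) {
  let outputBody = '';
  for (const key of Object.keys(data)) {
    const row = data[key];
    outputBody += '<tr>';
    for (const property of Object.keys(row)) {
      outputBody += '<td>' + escapeHtml(row[property]) + '</td>';
    }
    outputBody += '</tr>';
  }
  return outputBody;
}

// Constructed sample mirroring the question's testvar; the payload stays inert text.
const SAMPLE = {
  0: { Name: 'df', test1: 'sdf', test2: 'sdf' },
  2: { Name: 'dfdf', test1: 'dfdfd', test2: 'dfdfd<script>alert("test");</script>' },
};

// Drop-in for the original: $('table').html(renderRows(data)) is now safe because
// the string it receives contains no unescaped user-controlled markup.
```

In browser code the simpler fix is to skip string building altogether and create cells with $('<td>').text(val), which never parses the value as HTML.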


