Securely Inserting User Generated Content and JSON Into Templates
A Cocktail Approach
Created by Amira Anuar
Securely? Why?
Disclaimer
insert image/note here related to this being a smorgasboard of various things and that I am not an expert
Different Browser Contexts
HTML Body -- <body>${ text }</body>
Element Attribute -- <a href="" onclick="{...}"/>
Links With JS -- <a href="javascript:alert(1)">
JS String Literal -- <script>var x='${foo}' >/script>
JSON Body Responses
E-mail addresses
URLs
So on...
How?