THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT v7. and later
QUESTION
What sort of DOM XSS (client XSS) mitigation techniques does EFT use?
ANSWER
Document Object Model (DOM)-based Cross-Site Scripting (XSS), also called client XSS, is a client-side (browser) injection issue in which the attack payload is injected into the application at runtime, directly in the browser.
To mitigate DOM XSS, EFT follows these guidelines:
- Untrusted data should only be treated as displayable text. (EFT doesn't use untrusted data to set functionality anywhere; it uses such data only for display, or as data sent to the server and used there.)
- Always JavaScript-encode untrusted data and delimit it as a quoted string when it enters the application while building templated JavaScript. (EFT uses templating only to receive configuration data from the EFT server. EFT doesn't encode it.)
- Use document.createElement("..."), element.setAttribute("...", "value"), element.appendChild(...) and similar methods to build dynamic interfaces.
- Avoid sending untrusted data into HTML rendering methods. (EFT doesn't render untrusted data; it only populates these methods with data from the server or with static data that we provide.)
- Avoid the numerous methods that implicitly eval() the data passed to them.
- Limit the use of untrusted data to right-side operations (reading it as a value, never using it to choose which property or function to invoke).
- When URL encoding in DOM, be aware of character set issues.
- Limit access to object properties when using object[x] accessors.
- Don’t eval() JSON to convert it to native JavaScript objects.
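The following is an added example, not EFT's own code, showing three of the guidelines above as small helpers: JavaScript-encoding untrusted data as a quoted string literal, parsing JSON with JSON.parse() instead of eval(), and building a DOM fragment with createElement/setAttribute/appendChild so that untrusted data is only ever a text node. The function names and the `doc` parameter (the DOM document, passed in so the helper can be exercised outside a browser) are assumptions for the example.

```javascript
// Added example (not EFT's code) of the DOM XSS guidelines above.

// Guideline: JavaScript-encode untrusted data and delimit it as a quoted
// string before placing it in templated script. Everything except
// [A-Za-z0-9] becomes a \xHH or \uHHHH escape, so the value can never
// close the quote or terminate the enclosing <script> block.
function jsStringLiteral(untrusted) {
  const body = String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
  return '"' + body + '"';
}

// Guideline: don't eval() JSON. JSON.parse() throws on anything that is
// not JSON, and the shape check rejects input that parsed but isn't the
// configuration object the caller expects.
function parseConfig(text) {
  const cfg = JSON.parse(text);
  if (typeof cfg !== "object" || cfg === null || Array.isArray(cfg)) {
    throw new TypeError("config must be a JSON object");
  }
  return cfg;
}

// Guideline: build dynamic interfaces with createElement/setAttribute/
// appendChild, and treat untrusted data only as displayable text. The
// untrusted value goes into a text node, never into innerHTML, so markup
// inside it is shown literally rather than parsed.
function renderLabeledValue(doc, label, untrustedValue) {
  const row = doc.createElement("div");
  row.setAttribute("class", "row");
  const strong = doc.createElement("strong");
  strong.appendChild(doc.createTextNode(label));
  row.appendChild(strong);
  row.appendChild(doc.createTextNode(String(untrustedValue)));
  return row;
}
```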