13 Aug 2012 8:06 AM #18
16 pages of people re-covering the same material over and over again...
I get the impression that people are talking about different things here. I think MrSparks is advocating server-side input sanitization whereas joeri is trying to argue the case against server-side HTML encoding. Different things but both relevant to XSS.
I fall into the camp that believes it is primarily the UI's responsibility to encode data to avoid HTML/JS-injection attacks but it would be wrong to suggest that the server can't help through input validation.
For example, imagine a username should only contain alphanumeric characters and that users can see each other's usernames. This is potentially a target for a script-injection attack. In this case the server (or DB) should be ensuring that all new users have valid alphanumeric usernames, thus removing any potential for them to contain script tags.
However, that is where the server's responsibility ends. It should not be HTML encoding data before including it in JSON responses. HTML encoding should be done in the UI and where possible it should be the default. Perhaps if all of your user-provided data is purely alphanumeric you can protect yourself just using server-side input sanitization, but in the general case that doesn't apply. I'd argue it's naive to skip HTML encoding even in the alphanumeric case: relying on a distant part of the security layer to protect you is asking for trouble. All systems have security holes and not encoding is just another chink in the armour for hackers to exploit; many successful attacks rely on multiple small holes like this to get in.
Sencha have acknowledged that there's a problem here. There are a number of reasons why it hasn't been implemented yet: performance, increased code complexity, backwards compatibility, time investment required, availability of workarounds, ...
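The split described in the post above (server validates input, UI HTML-encodes at render time, and the server does not pre-encode JSON), as an added example that is not part of this thread and not Ext JS code. The `htmlEncode` helper here is a stand-in for what a framework's encoder does (an assumption, written inline so the snippet runs without Ext JS); the JSON response and the user records in it are constructed for the example.

```javascript
// Added example: server-side allowlist validation plus UI-side HTML encoding.
// Not code from this thread or from Ext JS.

// "Server side": usernames may only be alphanumeric (assumed policy from the post).
// Rejecting anything else at creation time removes script tags from this field
// entirely, before it ever reaches the database.
const USERNAME_RE = /^[A-Za-z0-9]{1,32}$/;
function validateUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// "UI side": encode at the point where data is inserted into HTML.
// Stand-in for a framework encoder; covers the five characters that matter in
// text nodes and quoted attribute values.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed JSON response, as a server should send it: raw data, not HTML-encoded.
// Record 2 represents a username stored before the validation existed.
const SAMPLE_JSON = JSON.stringify([
  { id: 1, name: 'alice42' },
  { id: 2, name: '<img src=x onerror=alert(1)>' },
]);

// Safe rendering: every value is encoded as it goes into the markup.
function renderUserList(jsonText) {
  const users = JSON.parse(jsonText);
  return users
    .map((u) => `<li data-id="${htmlEncode(u.id)}">${htmlEncode(u.name)}</li>`)
    .join('');
}

// Unsafe rendering, for comparison: trusts the server to have cleaned the data.
// Record 2 turns into a live <img onerror=...> element in the page.
function renderUserListUnsafe(jsonText) {
  const users = JSON.parse(jsonText);
  return users.map((u) => `<li data-id="${u.id}">${u.name}</li>`).join('');
}

// Why the server should not pre-encode JSON: the UI encodes anyway, so a value
// the server already encoded gets encoded twice and the user sees literal "&#39;".
function renderComment(serverValue) {
  return htmlEncode(serverValue);
}

console.log('validateUsername("alice42") =', validateUsername('alice42'));
console.log('validateUsername("<script>") =', validateUsername('<script>'));
console.log('safe   :', renderUserList(SAMPLE_JSON));
console.log('unsafe :', renderUserListUnsafe(SAMPLE_JSON));
console.log('raw JSON value, encoded once in UI :', renderComment("O'Brien & Co"));
console.log('server pre-encoded, encoded twice   :', renderComment('O&#39;Brien &amp; Co'));
```

The last two lines show the double-encoding failure: with raw data in the JSON the UI produces `O&#39;Brien &amp; Co`, which the browser displays as `O'Brien & Co`; if the server had "helped" by encoding first, the browser displays the entities literally. Encoding belongs in exactly one place, the layer that knows the output context.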