Quote Originally Posted by DiscoBoy
1) What if I use input ExtJS fields, where I would use OUTPUT in the value parameter (checkbox {value: MALICIOUSCODE}). How would you address this?

2) I have plenty of UI parts where I display server OUTPUT. Wouldn't it be better to sanitize already at the level of receiving the OUTPUT from the server, means overwriting certain MODEL/READER methods to catch malicious code already at the point when I load it from an external resource? This way I need to sanitize once and not for every UI component.

3) The cheat sheet is quite long, did you implement checks for every mentioned case? Would you share your code? I would imagine this sanitizing is quite costly in processing time.

4) How do you sanitize strings that are displayed in grids/trees?

  1. The value is not serialized into html but assigned via the DOM API, so there is no risk for XSS if you assign a value in this way. There is a danger in components that use a template for rendering (combobox, dataview, grid, ...), but this is only for the output of the selected value's label / data.
  2. In my personal opinion if you do this at the model level then you are embedding knowledge about how the view layer operates into your model (because of context-aware encoding). This is not a proper way to separate MVC concerns.
  3. For XSS entity encoding we only use the htmlEncode function (with a tweak, see my ExtJS 3.4.1 overrides on this forum) to generate data for the html or html attribute context (if you use double quotes religiously then you can use htmlEncode's output in an attribute). We never put untrusted data in other contexts. If we need data inside javascript, then we implement a web service to fetch it as JSON data.
  4. Grids and trees use htmlEncode just like anything else. You have to remember to put renderer: Ext.util.Format.htmlEncode on every column.

You are right in pointing out that htmlpurifier is only good for html text (rich text). For input sanitization of non-html data on the server we have developed a DTO-based solution in PHP which uses static annotations to validate all data in the server-side web service layer automatically. I gave a tech talk about it recently, and there's an example implementation of it that I've put up on github.
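As an added illustration of points 3 and 4 above (example code, not the poster's overrides or ExtJS itself): a stand-in `htmlEncode` that reproduces the four replacements Ext 3.x's `Ext.util.Format.htmlEncode` performs, a set of grid columns where one column lacks the renderer, and the double-versus-single-quote attribute caveat. Column configs, `renderRow` and the sample record are constructed for the example.

```javascript
// Added example; not code from the forum post or from the ExtJS library.
// Stand-in for Ext.util.Format.htmlEncode (Ext 3.x): it escapes & < > "
// only, leaves the single quote alone, and passes falsy values through
// unchanged (so 0 and null come back as-is, matching Ext's behaviour).
function htmlEncode(value) {
  return !value ? value : String(value)
    .replace(/&/g, '&amp;').replace(/>/g, '&gt;')
    .replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// Grid columns in the style of the post: untrusted columns get
// renderer: htmlEncode. The 'status' column deliberately has none, to
// show what happens when a column is forgotten. (Constructed config.)
const columns = [
  { header: 'Name',   dataIndex: 'name',   renderer: htmlEncode },
  { header: 'Notes',  dataIndex: 'notes',  renderer: htmlEncode },
  { header: 'Status', dataIndex: 'status' }
];

// Minimal template-style row rendering, standing in for what a grid or
// DataView template does: the cell string is concatenated into HTML, so
// whatever the renderer returns (or the raw value) lands in HTML context.
function renderRow(record) {
  return columns.map(col => {
    const raw = record[col.dataIndex];
    const cell = col.renderer ? col.renderer(raw) : raw;
    return '<td>' + cell + '</td>';
  }).join('');
}

// Attribute context: htmlEncode output is safe only inside double quotes,
// because a single quote is not encoded and would close a single-quoted
// attribute early (here a harmless name truncates the value to "O").
function attrDouble(v) { return '<input value="' + htmlEncode(v) + '">'; }
function attrSingle(v) { return "<input value='" + htmlEncode(v) + "'>"; }

// Constructed sample record with markup in untrusted fields.
const sample = {
  name: '<b>bold</b>',
  notes: 'a "quoted" <i>note</i>',
  status: '<b>raw</b>'
};

// Returns true when the rendered row still carries a live <b> tag, i.e.
// some column reached the HTML without a renderer.
function rowLeaksMarkup(record) {
  return renderRow(record).includes('<b>');
}
```

Running `rowLeaksMarkup(sample)` returns true only because of the `status` column; adding `renderer: htmlEncode` to it makes the row clean.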