I\'m (still) working on a template-based XML editing program. It\'s a GUI-based

Question

I'm (still) working on a template-based XML editing program. It's a GUI-based XML editor that only allows users to add certain tags and attributes based off the requirements. You can see the current version here for an idea.

Now, I'd like to allow users to upload their own data templates, but I'm concerned about potential XSS hacks. Currently, the template file is in Javascript object literal notation, which unsurprisingly is a security nightmare if the user can upload their own. I was thinking of using XML instead, but is there an even better alternative?

Explanation / Answer

As long as the only person to see what has been uploaded is the user who did that, then per definition it's not cross site scripting, and not a security issue. (The user can already break his own browser to his heart's content)

It might however become a usability issue, and you might want to protect the user from breaking your system through invalid templates.

Also, if you are thinking of possibly allowing users to share templates, then it might make sense to have a safe template system. This could however just mean that you parse the upload with a json parser (and possibly store the result of the parsing, not the original), and reject anything that fails the parser.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.