Serializing configuration to client should do the proper encoding

Question

Serializing configuration to client should do the proper encoding

imalberto opened this issue 11 years ago · 9 comments

See Trello card 745 for more info

Answer 1 · 2013-09-24T22:59:27.000Z

Here is the implementation used in Mojito today:
https://github.com/yahoo/mojito/blob/develop/lib/app/autoload/util.common.js#L105

And here is where we clean up YUI_config before sending it to the client side:
https://github.com/yahoo/mojito/blob/develop/lib/app/addons/ac/deploy.server.js#L127

Answer 2 · 2013-09-25T04:45:41.000Z

Can you guys point to some documentation that explains the attack vector? An authoritative blog post would do — I want to have something to link to in the code and HISTORY.md, and also have an example to test.

Answer 3 · 2013-10-03T20:01:32.000Z

There are also other issues related with the encoding. Like this one:

YahooArchive/mojito#1257

Answer 4 · 2013-10-03T21:19:34.000Z

The encoding was originally put in place in response to bugzilla ticket 5590319 (marked as S1).

Comment 10 of that bug has a valid (in my mind) question which no one seemed to answer (in the bug log):
"Where does this config data come from, is it locally sourced form the machine, or does it come form the browser?"

Answer 5 · 2013-10-03T21:21:34.000Z

Encoding was added in commit YahooArchive/mojito@83a68da453.

Answer 6 · 2013-10-03T23:58:51.000Z

Yeah, the reality was that cofnig was coming from a merge between the locally sourced from the machine + any custom config produced by controllers (which could include request data). That's not longer the case for configs, but it is still a valid point for any data pushed thru the data channels in mojito. Which means that this encoding is still a very valid concern. I will probably recommend to add encoding by default in express-state for any res.expose() call, unless the specific call is flagged somehow. While app.expose() is probably fine with the encoding disabled by default since it happens before requests arrive (in most cases).

Answer 7 · 2013-10-15T16:14:53.000Z

While app.expose() is probably fine with the encoding disabled by default since it happens before requests arrive (in most cases).

I won't differentiate between the app vs. res expose() calls because it all gets grouped together and it's easy to call req.app.expose() (not sure why you would, but very easy), also I'll do the encoding at serialization time which means both the app- and response- level data will get encoded.

Answer 8 · 2013-10-15T16:22:23.000Z

@caridy I wonder if the solution to fixing escaped unicode chars in URLs (YahooArchive/mojito#1257) is to use HTML entities like YUI's Y.Escape.html() function uses: http://yuilibrary.com/yui/docs/api/files/escape_js_escape.js.html#l10

Answer 9 · 2013-10-17T00:27:04.000Z

Alright, once we start using express-state in mojito, we can remove a lot of code :)