jQuery Ajax returning decoded XML attributes allows XSS



I have a jQuery Ajax call that returns XML. On the server we are encoding the XML attributes using the AntiXSS library from Microsoft, specifically calling Encoder.XmlAttributeEncode.


The results on the server are properly encoded:



<data><item att1="Test" val="&lt;script&gt;alert(&quot;XSSFIX&quot;);&lt;/script&gt;" /></data>


But when the XML is returned to the client, the XML shows up decoded:



<data><item att1="Test" val="<script>alert("XSSFIX")</script>;" /></data>


The attributes are pulled out and appended to the DOM. I'm looking for best practices on handling this situation.
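The sequence the question describes, reproduced outside a browser as an added example (this is not code from the original post, from jQuery, or from the AntiXSS library). The XML parser on the client is doing its job: XmlAttributeEncode only makes the value safe inside the XML document, and every entity reference is decoded the moment the document is parsed, so `$(xml).find('item').attr('val')` hands back the raw `<script>` string. What is missing is encoding for the context the value finally lands in, the HTML DOM. `decodeXmlAttribute` below is a deliberately small stand-in for what jQuery.parseXML / DOMParser do to attribute values, `extractVal` is a regex extractor so the example runs under Node, and the sample XML, the `#out` element and all function names are assumptions of the example:

```javascript
// Added example, not part of the original post. Shows why server-side
// XmlAttributeEncode does not survive the client's XML parser, and what
// encoding the value still needs before it is written into the HTML DOM.

const XML_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Stand-in for the browser's XML parser: character and entity references in an
// attribute value are replaced before the value ever reaches your script.
function decodeXmlAttribute(raw) {
  return raw.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|lt|gt|amp|quot|apos);/g, (m, ref) => {
    if (ref[0] === '#') {
      const code = ref[1] === 'x' ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return XML_ENTITIES[ref];
  });
}

// HTML-context encoding applied at the point where the value enters the page.
// This is the step XmlAttributeEncode on the server cannot provide, because
// the client-side XML parser undoes it again.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the val attribute out of <item>. Tiny regex extractor so this runs in
// Node; in the browser $(xmlText).find('item').attr('val') returns the same
// decoded string.
function extractVal(xmlText) {
  const m = xmlText.match(/<item\b[^>]*\bval="([^"]*)"/);
  return m ? decodeXmlAttribute(m[1]) : null;
}

// The two sinks from the question.
// Unsafe: the decoded value is handed to $('#out').html(val) as markup, so the
// script element is created and jQuery's .html() evaluates it.
function renderUnsafe(val) {
  return `<div id="out">${val}</div>`;
}
// Safe: encode for the HTML element-content context first. Equivalent in effect
// to $('#out').text(val), which creates a text node and never parses markup.
function renderSafe(val) {
  return `<div id="out">${escapeHtml(val)}</div>`;
}

// Constructed sample: exactly what the server in the question emits.
const SERVER_XML =
  '<data><item att1="Test" val="&lt;script&gt;alert(&quot;XSSFIX&quot;);&lt;/script&gt;" /></data>';

const val = extractVal(SERVER_XML);
console.log(val);               // parser has already decoded it
console.log(renderUnsafe(val)); // live <script> inside #out
console.log(renderSafe(val));   // literal &lt;script&gt;... text, inert
```

The practical rule this illustrates: encode for the output context, at the output point. Setting the value through `.text()`, `textContent` or `.attr()` avoids building markup strings at all; `escapeHtml` is only needed when you do concatenate the value into HTML, and it covers element content and double-quoted attributes but not JavaScript string or URL contexts, which need their own encoders.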

