When developing dynamic web pages in LabKey Server, you should be careful not to introduce unintentional security problems that might allow malicious users to gain unauthorized access to data or functionality.

This topic contains some examples and best practice advice.

Common Security Risks

The following booklet provides a quick overview of the ten most critical web application security risks that developers commonly introduce:

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

HTML Encoding

For those writing JavaScript in LabKey wiki pages and views, the most common risk is script injection. This occurs when your code accepts text input from a user, perhaps saves it to the database, and then later displays that input in a web page without HTML-encoding it. In general, you should always HTML-encode all text entered by a user before displaying it in the page, as this prevents a malicious user from entering JavaScript that would be executed when the text is dynamically added to the page as HTML. HTML-encoding converts every character that would normally be interpreted as HTML markup into its encoded form, so that the text is interpreted and displayed as plain text rather than as HTML.

To HTML-encode text, use the following function in the Ext library, which is always available to you in a LabKey wiki page or view:

var myValue = Ext.get("myInput").getValue(); // read the text from an input control (element id "myInput" assumed)
var myValueEncoded = Ext.util.Format.htmlEncode(myValue);

// ... save myValueEncoded to the database, or redisplay it as follows:
Ext.get("myDisplayElement").update(myValueEncoded);
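The following is an added example that is not part of the LabKey documentation and not Ext JS or LabKey code. Because Ext.util.Format.htmlEncode is only available inside a LabKey page, it reimplements the same four substitutions that Ext JS 3 applies (&, >, <, ") together with the matching decode, so the encoding step from the paragraph and snippet above can be run and checked in plain Node.js. The renderComment function and the sample inputs are constructed for the example.

```javascript
// Added example for this page; it is not LabKey or Ext JS code.
// Ext.util.Format.htmlEncode exists only inside a LabKey page, so this
// function reimplements the substitutions Ext JS 3 applies (&, >, <, ")
// so the logic can be run stand-alone in Node.js.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // ampersand first so later entities are not re-encoded
    .replace(/>/g, "&gt;")
    .replace(/</g, "&lt;")
    .replace(/"/g, "&quot;");
}

// Counterpart of Ext.util.Format.htmlDecode, again reimplemented here.
// Ampersand is decoded last so "&amp;lt;" becomes "&lt;" and not "<".
function htmlDecode(value) {
  return String(value)
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Builds the HTML fragment that would be handed to
// Ext.get("myDisplayElement").update(...). Encoding happens here, at the
// point where untrusted text meets markup, so whatever was stored in the
// database is displayed as literal text and never parsed as tags.
function renderComment(author, text) {
  return "<p><b>" + htmlEncode(author) + "</b>: " + htmlEncode(text) + "</p>";
}

// Demo check: after encoding, the user-supplied part must not contain a
// raw '<' or '>' that the browser could parse as a tag.
function hasRawTags(userText) {
  return /[<>]/.test(userText);
}

// Constructed sample inputs: the kind of text a user might type into a form.
const samples = [
  "Smith & Wesson <b>bold</b>",
  "<script>alert(1)</script>",
  '" onmouseover="alert(1)',
];

function demo() {
  for (const s of samples) {
    console.log(renderComment("visitor", s));
  }
  // Encoding twice mangles the text ("&" becomes "&amp;amp;"): encode in
  // exactly one place, either before saving or before displaying, not both.
  console.log(htmlEncode(htmlEncode("a & b")));
}

demo();
```

Two points worth noting from the output: the single quote is not encoded by these substitutions, so attribute values built from user text must be wrapped in double quotes; and applying the encoder both before saving and again before display double-encodes ampersands, so pick one of the two places the snippet above offers and use it consistently.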

For more details on the Ext.util.Format class, see the Ext API documentation at the following link:

http://www.extjs.com/deploy/dev/docs/?class=Ext.util.Format

For more information on web development and security risks, see the following site:

http://www.owasp.org/index.php/Main_Page
