Web Application Security

2024-04-24

When developing dynamic web pages in LabKey Server, you should be careful not to introduce unintentional security problems that might allow malicious users to gain unauthorized access to data or functionality.

This topic contains some examples and best-practice advice.

Common Security Risks

The following booklet provides a quick overview of the ten most critical web application security risks that developers commonly introduce:

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

HTML Encoding

For those writing JavaScript in LabKey wiki pages and views, the most common risk is script injection. This occurs when your code accepts text input from a user and immediately displays it without HTML-encoding it, or when your code saves user input to the database and later displays that input in a web page without HTML-encoding it. In general, you should HTML-encode every value entered by a user before displaying it in a page; this prevents a malicious user from entering JavaScript that would be executed when the value is dynamically added to the page as HTML. HTML encoding converts every character that would normally be interpreted as HTML markup into its encoded form, so the browser displays the value as plain text rather than parsing it as HTML.

To HTML-encode text, use the following function from LABKEY.Utils, which is always available to you in a LabKey wiki page or view. For example:

<div id="myDiv"></div>

<script>
var myValue = ...value from input control...
var myValueEncoded = LABKEY.Utils.encodeHtml(myValue);

// Display encoded value:
document.getElementById("myDiv").innerHTML = myValueEncoded;
</script>
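The following is an added example, not code from the LabKey documentation or from LABKEY.Utils itself: a stand-alone encoder with the behaviour described above, placed beside the unsafe and safe ways of building markup from user input, so the difference can be checked outside a LabKey page. The encoder is an assumption about what such a function must cover (the five characters &, <, >, " and '), not LabKey's implementation.

```javascript
// Added example (not LabKey's own code). Characters that browsers treat
// as markup, with the entities they must become. '&' is included so that
// a user typing "&lt;" is shown literally instead of being decoded to "<".
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every markup-significant character in a user-supplied value.
// Quotes are encoded too, so the result is also safe inside a
// double-quoted attribute value such as title="...".
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw value is concatenated into markup that is
// later assigned to innerHTML, so any tags it contains are parsed.
function renderUnsafe(userInput) {
  return "<p>Hello, " + userInput + "</p>";
}

// Hardened pattern: the value is encoded before it touches the markup,
// so the same input is displayed as plain text.
function renderSafe(userInput) {
  return "<p>Hello, " + encodeHtml(userInput) + "</p>";
}

// True when the fragment still contains a raw <script tag; used below
// to show that encoding removes it. (Constructed check for this example.)
function containsRawScriptTag(html) {
  return html.toLowerCase().includes("<script");
}

// Constructed sample input of the kind a malicious user might submit.
const SAMPLE_INPUT = 'Ada <script>alert("x")</script> & "friends"';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderUnsafe(SAMPLE_INPUT)); // script tag survives intact
  console.log(renderSafe(SAMPLE_INPUT));   // everything shown as text
}
```

Encode a value exactly once, at the point where it is inserted into HTML; encoding it again produces visible "&amp;lt;" text rather than the intended characters.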

For more information on web development and security risks, see the following site:

http://www.owasp.org/index.php/Main_Page

Related Topics