Xojo Web, XSS and CSRF

I have been doing some research on how to secure web applications to ensure that my customer’s data is protected. I was wonder how Xojo deals with the following:

  • Cross-site Scripting (XSS). Does anyone have experience on implementing ways to thwart XSS attacks? How would we go about programming a site to that filter’s out and validates the data sent?
  • Cross-Site Request Forgery (CSRF). Does anyone have experience implementing ways to thwart a CSRF attack? Do you build your own token system, or is there something already built that can be used? I have noticed that other frameworks such as Django have this built in.

Are these things that we need to be concerned with, or does the way Xojo application compile minimize these attacks?


[quote]Cross-Site Scripting
Xojo web apps can’t be used for this purpose because all data sent to the browser is automatically escaped. As a result, the user cannot inject HTML into a page. Also, because the developer doesn’t work in HTML or JavaScript, there’s no way for the developer to accidentally create this security breach.[/quote]

[quote] Cross-Site Request Forgery
When the user logs into a web site (such as a banking site) and then leaves by navigating to a page of another site without first logging out, the original site will still see the user is logged in until their session times out. The developer can mitigate this by reducing the timeout from the 60 second default.

Great news regarding Cross-Site scripting…thank you :slight_smile:

For CSRF, most of what I’ve read and other frameworks seem to point to headers and tokens rather then modifying the timeout settings. From what I can understand, it is rather complex to implement this effectively. Is this something that is taken care of within the existing Web framework, or it is something that we (programmers) need to build into our applications?

Edit…wanted to add a link to a site that talks about this.