Forum Discussion

Erlend_123973
Sep 16, 2014

How to securely present user supplied data in HTTP::respond NNN content

When I write iRules, I often use something like

HTTP::respond 403 content "Error: variable $somevar not in datagroup"

My concern here is that $somevar is user-defined data, often a part of HTTP::path/uri.

What I am worried about is that this practice is vulnerable to XSS attacks.

Is there a standard way in the iRule language which can eliminate XSS vulnerabilities in this scenario?

3 Replies

  • I'm no security expert but if the value is user supplied the user would only be 'attacking' themselves as only they would get this response?

     

    If the user was 'innocent' and had clicked a malicious link to cause this, why would the attacker use this method, the original link would have sufficed?

     

    You can use URI::decode to expose some practices and also split the $somevar data in some way with spaces (HTTP::path 'space' HTTP::uri) so the link isn't actually 'clickable'.

     

  • OK, I get that but what does this have to do with your HTTP::respond command? I don't see the connection, the link has already been clicked.

     

  • I'd perhaps suggest two things:

    1. Set the HTTPOnly flag on all cookies. It's of course not a 100% solution, but it would prevent most script-based access to cookies.

    2. As WLB suggests, simply URI::encode the output value:

      HTTP::respond 403 content "Error: variable [URI::encode $somevar] not in datagroup"
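Putting the two suggestions from the last reply together, here is a complete iRule as an added example; it is not code from the original thread or from F5. It reflects the user-supplied path segment with `URI::encode` so that `<`, `>` and `"` reach the browser as `%3C`, `%3E` and `%22` rather than as markup, and it additionally sends the error with an explicit `Content-Type: text/plain` header so the body is never interpreted as HTML at all (that header is my addition, not something the thread mentions). The datagroup name `allowed_values_dg` is an assumption. The `HTTP_RESPONSE` event implements reply point 1 by marking every cookie set by the server as HttpOnly.

```tcl
when HTTP_REQUEST {
    # The last path segment is user-controlled input, so treat it as untrusted.
    set somevar [URI::basename [HTTP::path]]

    # Assumed datagroup name: replace with the datagroup actually in use.
    if { not [class match $somevar equals allowed_values_dg] } {
        # Unsafe form kept only as a comment for comparison:
        #   HTTP::respond 403 content "Error: variable $somevar not in datagroup"
        # Safe form: percent-encode the reflected value and force a plain-text
        # content type so the body cannot be rendered as HTML.
        HTTP::respond 403 content "Error: variable [URI::encode $somevar] not in datagroup" \
            "Content-Type" "text/plain"
        return
    }
}

when HTTP_RESPONSE {
    # Reply point 1: flag every cookie the server sets as HttpOnly so script
    # access to it is blocked even if some other injection succeeds.
    foreach cookie_name [HTTP::cookie names] {
        HTTP::cookie httponly $cookie_name enable
    }
}
```

Note that `URI::encode` is percent-encoding, not HTML entity encoding: a legitimate value such as `my-host_1` is displayed unchanged, while a value containing punctuation appears in its `%XX` form in the message, which is the acceptable trade-off for keeping the reflected text inert.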