javascript - Is CSRF possible in Aurelia if XSS attacks are mitigated?


  • I have an Aurelia app with a .NET Web API.
  • I communicate with the API via AJAX calls.
  • I authenticate using a bearer token stored in the browser's localStorage.

I've heard that an insecurely stored token can be retrieved through an XSS attack. There is one input on the website where a user can add comments. I'm binding the comment value using string interpolation, e.g.:

${commenttext} 

My understanding is that it is impossible to inject HTML through this binding.

Is there an XSS attack possible on an Aurelia site if no HTML bindings are used? And if not, is it therefore protected from CSRF attacks if the token is inaccessible?

In the examples I've seen online, if a user can inject HTML (through some form of input) into the page in an XSS attack, it reveals the token to the attacker. I haven't been able to replicate this with the string interpolation binding.

This isn't a full answer to the question, but Aurelia HTML-escapes text interpolated in a template with ${commenttext}.

The exception to the rule is when you use the innerhtml binding: <div innerhtml.bind="htmltext"></div>. In that case it doesn't do any sanitization of the text being sent as HTML. That's on you.
