When storing user-entered data, Maximizer and the Octopus API do not perform any data sanitation or escaping, so it is up to user-interface developers to ensure that string fields retrieved from Octopus API are properly sanitized and escaped before displaying them in any web-based interface.
Keep the following points in mind when displaying string fields returned from Maximizer.Web.Data:
- For fields that are not expected to contain HTML code, which includes most Maximizer fields, all strings should be HTML-encoded before being displayed in the UI, using a function such as the HttpUtility.HtmlEncode method provided by the .NET Framework or the escape function in JavaScript.
- For fields that are expected to contain HTML code, such as the RichText field for notes, the data returned by Maximizer.Web.Data should be sanitized before being displayed to protect against potential Cross-site Scripting (XSS) attacks. In general, any script, iframe, object, embed, or link tags should be removed, and only tags such as strong, em, p, ul, ol, li, and other basic formatting tags should be allowed.
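As an added illustration (not code from Maximizer or the Octopus API), the following JavaScript shows both steps described above: an entity-encoding function for plain fields, equivalent in effect to HttpUtility.HtmlEncode, and an allowlist sanitizer for RichText content that removes script, iframe, object, embed and link tags (dropping the contents of script-like elements), strips every attribute from the tags it keeps, and encodes any stray `<`. The allowlist (strong, em, p, ul, ol, li, plus br, b, i, u as an assumed extension), the function names and the sample inputs are constructed for this example. One caveat on the client side: JavaScript's built-in escape function is deprecated and produces percent-encoding rather than HTML entities, so a small helper like htmlEncode below is the closer analogue of HtmlEncode. For production use, a maintained sanitizer library such as DOMPurify (browser) or the HtmlSanitizer package (.NET) is preferable to hand-rolled parsing.

```javascript
// Added example: HTML encoding for plain fields and allowlist sanitizing
// for RichText fields. Names and sample inputs are constructed; this is
// not Maximizer or Octopus API code.

// Tags that may survive. Attributes are never kept, so onclick/style/href
// cannot ride along on an allowed tag.
const ALLOWED_TAGS = new Set(['strong', 'em', 'p', 'ul', 'ol', 'li', 'br', 'b', 'i', 'u']);

// Elements whose text content is executable or never meant for display:
// the element and everything up to its closing tag are dropped.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template']);

// Entity-encode a plain (non-HTML) field before placing it in HTML text
// or attribute context. Mirrors what HttpUtility.HtmlEncode produces.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Text runs inside RichText already carry their own entities; only a '<'
// that did not form a recognised tag needs neutralising.
function escapeText(text) {
  return text.replace(/</g, '&lt;');
}

// Allowlist sanitizer: every emitted tag is regenerated from its name alone,
// disallowed tags are removed (keeping their text), and script-like elements
// are removed together with their content.
function sanitizeRichText(html) {
  const input = String(html);
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let out = '';
  let pos = 0; // start of the text run not yet copied to the output
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(pos, m.index));
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    pos = tagRe.lastIndex;
    if (ALLOWED_TAGS.has(name)) {
      out += closing ? `</${name}>` : `<${name}>`; // attributes dropped
    } else if (!closing && DROP_WITH_CONTENT.has(name)) {
      // Skip to just past the matching closing tag; if it never closes,
      // the rest of the input is discarded rather than rendered.
      const closeRe = new RegExp(`<\\s*/\\s*${name}\\b[^>]*>`, 'ig');
      closeRe.lastIndex = pos;
      const c = closeRe.exec(input);
      pos = c ? closeRe.lastIndex : input.length;
      tagRe.lastIndex = pos;
    }
    // Any other tag (img, a, link, form, ...) is simply removed.
  }
  out += escapeText(input.slice(pos));
  return out;
}

// Constructed sample values standing in for fields returned by the API.
const sampleNote = '<p onclick="x()">Hi <strong>there</strong><script>alert(1)</script></p>';
const sampleName = '<b>"x" & \'y\'</b>';
console.log(sanitizeRichText(sampleNote)); // <p>Hi <strong>there</strong></p>
console.log(htmlEncode(sampleName));       // &lt;b&gt;&quot;x&quot; &amp; &#39;y&#39;&lt;/b&gt;
```

Regenerating each kept tag from its name is what makes the allowlist hold: an attribute-based payload on a permitted tag, or a quoted `>` inside an attribute value, can at worst leave harmless literal text behind. An unterminated script element is dropped to the end of the input rather than being passed through, since a browser would otherwise treat everything after it as script.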
For more information about XSS attacks and resources for sanitizing data, refer to the Open Web Application Security Project site: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)