CT handling of stringTest=xss #64
Comments
|
(1) yes, in continuous-server.js "xss-fuzz" uses query parameters |
Sometimes having the sim show certain screens/scenes/situation may trigger XSS failures, so there is a very slight advantage to do this (but may not be worth the additional time)
We can always update guidelines, but it would be nice to fix things so errors don't come up if possible (or we'd want to find a way to suppress things in the CT reports).
What would you recommend? |
|
Looks like this issue went into limbo because it's not assigned. It's now almost 19 months old. Re-labeling for developer meeting and assigning to @ariel-phet. |
|
8/13/20 We discussed that it is generally useful to run ?fuzz with ?stringTest=xss for the reasons in #64 (comment). It is worth the time on CT and catching the rare issue it finds is worth the time. This test combination IS currently being run on CT. Closing this issue. |
Over in phetsims/projectile-motion#171, CT failures were noted with header "projectile-motion : xss-fuzz : run". I assume that this means something like
?ea&stringTest=xss&fuzz. And in fact I was only able to reproduce these failures with?ea&stringTest=xss.From the code-review check list:
So there is no requirement to fix anything other than a redirect for
stringTest=xss.Questions:
(1) Does "projectile-motion : xss-fuzz : run" indeed mean
?ea&stringTest=xss&fuzz?(2) Why are we running
stringTest=xssandfuzztogether?(3) Why are we reporting anything other than a redirect for
stringTest=xss?(4) Should we change our policy for
stringTest=xss, or tolerate related CT failures? The latter seems problematic.The text was updated successfully, but these errors were encountered: