Sidebar Gadget Security: Inspect Your Gadget
Michael Howard has written up some guidance on how to develop secure Vista Sidebar Gadgets:
http://msdn2.microsoft.com/en-us/library/bb498012.aspx
Take some time to check this out if you're writing a Sidebar Gadget that touches data from a remote source.
Review a Gadget for Security Bugs
As a first-order analysis, the following should be carefully reviewed to make sure they are not introducing security bugs:
- Verify that all innerHTML constructs render only trusted or sanitized data. You can use the innerText property to add untrusted data to the DOM safely, since it is treated as text rather than markup.
- Verify that all document.write method calls render only trusted or sanitized data. Again, use the innerText property to add untrusted data to the DOM safely.
- Verify that all calls into the Gadget object model, or into ActiveX controls instantiated in the Gadget, pass validated data. As an example, be careful when calling System.Sidebar.Execute.
- Verify that all calls to eval() pass validated data.
- Verify that all ActiveX controls used by the Gadget are secure (no buffer overruns, integer overruns, and such).
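To make the checklist concrete, here is an added example (not code from the original post or from the Sidebar SDK) of the helpers a gadget could use when it renders a remote JSON feed. The feed shape (an array of objects with string title and link fields), the sample feed and the link allowlist are constructed assumptions; the post names System.Sidebar.Execute but does not describe its arguments, so the example simply assumes the gadget hands a feed link to an Execute-style call and validates it first.

```javascript
// Added example, not from the original post. Assumed, constructed feed shape:
// an array of {title, link} objects. Field names, the sample feed and the
// allowlist rule are assumptions rather than anything from the Sidebar SDK.

// Checklist items 1 and 2: innerHTML / document.write receive only trusted or
// sanitized markup. Prefer innerText for untrusted strings; where markup is
// unavoidable, escape every untrusted string before concatenating it.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Checklist item 4: never eval() remote data. JSON.parse cannot execute code,
// and the shape check rejects anything the gadget does not expect.
function parseFeed(text) {
  var data = JSON.parse(text);
  if (!Array.isArray(data)) throw new Error('feed root is not an array');
  return data.map(function (item) {
    if (!item || typeof item.title !== 'string' || typeof item.link !== 'string') {
      throw new Error('feed item missing string title/link');
    }
    return { title: item.title, link: item.link };
  });
}

// Checklist item 3: validate anything handed to the Gadget object model, e.g.
// a link passed to an Execute call. Allowlist http(s) URLs made of printable
// ASCII with no quotes, angle brackets or backslashes; javascript:, file: and
// UNC-style targets are rejected.
function isSafeLink(link) {
  return /^https?:\/\/[!-~]+$/i.test(link) && !/["'<>\\]/.test(link);
}

// Build the markup the gadget would assign to innerHTML, and the list of links
// it would be willing to pass on to Execute. Both use only validated data.
function renderFeed(text) {
  var items = parseFeed(text);
  var html = '';
  var launchable = [];
  for (var i = 0; i < items.length; i++) {
    var it = items[i];
    var safe = isSafeLink(it.link);
    html += '<li' + (safe ? ' data-link="' + escapeHtml(it.link) + '"' : '') + '>' +
            escapeHtml(it.title) + '</li>';
    if (safe) launchable.push(it.link);
  }
  return { html: '<ul>' + html + '</ul>', launchable: launchable };
}

// Constructed sample feed: one benign item, one with markup injected into the
// title, and one whose link would run script if passed through unchecked.
var SAMPLE_FEED = JSON.stringify([
  { title: 'Patch Tuesday summary', link: 'https://example.test/patches' },
  { title: '<img src=x onerror="alert(document.cookie)">', link: 'https://example.test/x' },
  { title: 'Click me', link: 'javascript:alert(1)' }
]);

var result = renderFeed(SAMPLE_FEED);
// result.html contains no raw <img tag; result.launchable holds the two https links.
```

One caveat for the Vista-era engine: JSON.parse was not built into the script engine until IE8, so a Sidebar gadget that wants this behaviour must ship a JSON library (json2.js or similar) rather than fall back to eval() on the feed text.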
1 comment:
Hi, your blog seems to be really nice!! Are you interested in exchanging links? My blog is at http://changingtechnology.blogspot.com/ and it’s about the latest gadgets and the technology used. Do let me know if you are interested. I too will put up a link to your blog on mine. Thanks.