12.4.1 Files obtained from untrusted sources are stored outside the web root¶
Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation.
| Level 1 | X |
| Level 2 | X |
| Level 3 | X |
| CWE | NIST |
|---|---|
| 922 |
General¶
Are IFRAME elements used to load in content from external parties (for instance from advertisers)? Can they be subverted to load in a URL from an attacker? Validate URLs passed to XMLHttpRequest.open, current browsers allow these URLs to be cross domain and this behavior can lead to code injection by a remote attacker. Pay extra attention to absolute URLs.