12.4.1 Files obtained from untrusted sources are stored outside the web root

Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation.

Level 1 X
Level 2 X
Level 3 X
CWE NIST
922  

General

Are IFRAME elements used to load in content from external parties (for instance from advertisers)? Can they be subverted to load in a URL from an attacker? Validate URLs passed to XMLHttpRequest.open, current browsers allow these URLs to be cross domain and this behavior can lead to code injection by a remote attacker. Pay extra attention to absolute URLs.