Windows SideBar and Gadget Security Considerations


The Windows SideBar is a process that hosts small applications called gadgets, written in HTML and JavaScript. You should treat gadgets as fully trusted code that runs in the same security context as the user. When writing a gadget, be aware that it can be subject to cross-site scripting bugs (Howard, LeBlanc, Viega 2005) if it does not sanitize untrusted input correctly. You should adhere to the following best practices if your gadget renders untrusted data.

Most importantly, verify that the data is correctly formatted using a regular expression. Don't look solely for bad input characters; rather, look for what you expect the input to be.

Set the gadget's HTML pages to use a predefined and appropriate codepage such as the following:

 <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

As a defense-in-depth mechanism, encode all untrusted data with code such as the following sample, which performs HTML encoding and neuters any script.

 function sanitizeHTML(s) {
     // Let the DOM escape &, < and > by serializing a text node.
     var d = document.createElement('div');
     d.appendChild(document.createTextNode(s));
     var encoded = d.innerHTML;
     // Encode the quotes last: doing it before the text-node step would
     // turn &quot; into &amp;quot; (double encoding). Encoding quotes makes
     // the result safe inside a quoted attribute value as well.
     encoded = encoded.replace(/"/g, "&quot;");
     encoded = encoded.replace(/'/g, "&apos;");
     return encoded;
 }

You should always enclose untrusted data in quotes when it is used as an attribute's value. Also validate that untrusted data used as a URL value begins with a supported protocol such as http:// or https://. This prevents attacks where a URL carries script, such as <A HREF="javascript:alert(document.cookie)">Link1</A>.
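The three practices above (positive URL validation, HTML encoding, quoted attribute values) combined into one helper, as an added example that is not from the book. It uses a string-based encoder instead of the DOM text-node trick so it runs in any JavaScript engine; the function names, the scheme allow-list and the sample inputs are this example's own.

```javascript
// Added example (not the book's code). Pure-string encoder so it runs
// outside the SideBar host; it escapes the same characters the book's
// sanitizeHTML does, plus ' as a numeric entity.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Positive check: the URL must start with a supported scheme (here the
// assumed allow-list is http and https, case-insensitive per RFC 3986)
// followed by "//", and may contain no whitespace, quotes or angle
// brackets. Anything else, including javascript: URLs, is rejected.
var ALLOWED_URL = /^https?:\/\/[^\s"'<>]+$/i;

function isAllowedUrl(url) {
  return ALLOWED_URL.test(String(url).trim());
}

// Builds an anchor from untrusted url/label, or returns null when the
// URL fails validation. The href value is always quoted and encoded,
// so a quote inside the data cannot break out of the attribute.
function safeLink(url, label) {
  if (!isAllowedUrl(url)) {
    return null;
  }
  return '<a href="' + htmlEncode(String(url).trim()) + '">' +
         htmlEncode(label) + '</a>';
}

// Constructed sample inputs: a benign feed item, the javascript: URL
// from the text, and a URL with surrounding whitespace and an
// upper-case scheme.
var samples = [
  ["https://example.com/feed?id=1&x=2", 'Example <b>"feed"</b>'],
  ["javascript:alert(document.cookie)", "Link1"],
  ["  HTTPS://example.com/x  ", "trimmed"]
];
samples.forEach(function (pair) {
  console.log(JSON.stringify(pair[0]), "=>", safeLink(pair[0], pair[1]));
});
```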



Writing Secure Code for Windows Vista
Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
Year: 2004
Pages: 122
