Risk | Mitigation Strategy
---- | -------------------
DOM XSS vulnerabilities, as identified in the previous security review: https://bugzilla.mozilla.org/show_bug.cgi?id=688058 | (1) Implement a whitelist of acceptable sites to load; (2) correctly entity-encode any user-supplied input before it is added to the DOM; (3) strip all JavaScript using Bleach before the document is served
Documents hosted via the API could be used as link farms | Documents will be delivered with an X-Robots-Tag: noindex, nofollow header
Database insertion could be used as a DoS attack vector | Rate limiting will be implemented along with the size limitations above; size limitations will also detect likely infringing data-URI content
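The three mitigation rows above map to a small set of checks that can sit in front of the insertion and delivery endpoints. The following is an added example written for this page, not the project's own code: it implements a host whitelist, entity encoding of user-supplied text (the standard-library html.escape stands in for the Bleach stripping the page names, so the example runs without third-party packages), the X-Robots-Tag response header, and a per-client sliding-window rate limit with a document size cap. The hostnames, byte limit and rate-limit numbers are constructed placeholders; the page states that limits exist but gives no values.

```python
"""Added example (not the project's code): reference checks for the
risk/mitigation rows above, using only the Python standard library.
All hosts, limits and sample inputs below are constructed."""
import html
import time
from collections import defaultdict, deque
from typing import Optional
from urllib.parse import urlsplit

# Constructed whitelist of sites the document viewer may load from.
ALLOWED_HOSTS = frozenset({"docs.example.org", "cdn.example.org"})

# Constructed limits; the page mentions size limits and rate limiting
# but does not give numbers.
MAX_DOCUMENT_BYTES = 512 * 1024      # reject oversized (e.g. data-URI heavy) bodies
RATE_LIMIT_REQUESTS = 5              # requests per client ...
RATE_LIMIT_WINDOW_SECONDS = 60.0     # ... within a sliding window

# Header from the "link farm" mitigation row, sent on every response.
ROBOTS_HEADER = ("X-Robots-Tag", "noindex, nofollow")


def is_allowed_source(url: str) -> bool:
    """Whitelist check: exact hostname match over https only.

    Comparing the parsed hostname rather than searching the URL string
    means a URL that merely mentions an allowed host in a longer hostname,
    path or query does not pass."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname.lower() in ALLOWED_HOSTS


def encode_for_dom(user_input: str) -> str:
    """Entity-encode untrusted text before inserting it into the DOM.

    quote=True also encodes " and ' so the text is safe inside attribute
    values, not only in element content."""
    return html.escape(user_input, quote=True)


class SlidingWindowRateLimiter:
    """Per-client sliding-window limiter for the insertion endpoint.

    `now` can be injected so the limiter is testable without sleeping."""

    def __init__(self, limit: int = RATE_LIMIT_REQUESTS,
                 window: float = RATE_LIMIT_WINDOW_SECONDS) -> None:
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client_id -> timestamps in window

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[client_id]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_insert(limiter: SlidingWindowRateLimiter, client_id: str,
                  source_url: str, title: str, body: bytes,
                  now: Optional[float] = None) -> dict:
    """Apply the mitigations in order; cheapest rejections come first.

    Returns a dict with an HTTP status, response headers and, on success,
    the entity-encoded title ready for DOM insertion."""
    headers = [ROBOTS_HEADER]
    if not limiter.allow(client_id, now):
        return {"status": 429, "headers": headers, "detail": "rate limited"}
    if len(body) > MAX_DOCUMENT_BYTES:
        return {"status": 413, "headers": headers, "detail": "document too large"}
    if not is_allowed_source(source_url):
        return {"status": 403, "headers": headers, "detail": "source not whitelisted"}
    headers.append(("Content-Type", "text/html; charset=utf-8"))
    return {"status": 201, "headers": headers, "title": encode_for_dom(title)}


if __name__ == "__main__":
    lim = SlidingWindowRateLimiter()
    print(handle_insert(lim, "client-a", "https://docs.example.org/paper",
                        '<b>"untrusted" title</b>', b"constructed body"))
```

The order of checks matters for the DoS row: the rate limit and size check run before anything touches the database, so an abusive client is rejected without consuming insertion capacity.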