> I fail to see the difference between code that is inlined in a html file that 
> is part of the app and code that is loaded from a js file.
> 
> Would it work if I move all inline script snippets into files?
> Instead of "<p><script>alert("XSS");</script></p>" I would write "<p><script 
> src='alert.js'/></p>"
> With alert.js containing "alert('XSS');"
> 
> If this works then how does it improve security?
> 

An attacker can never create a file within your packaged app.
But an attacker *may* be able to create a script tag within a vulnerable
application by injecting script tags into calls to innerHTML.


My feedback with the Cordova people is, by the way, pending; you can follow the
conversation online[1]. It also contains some interesting suggestions
on how to automatically externalize all your inline scripts[2].



[0]
http://callback.markmail.org/search/?q=#query:%20list%3Aorg.apache.incubator.callback-dev+page:1+mid:xmy6it4tkokcfktc+state:results
[1]
http://callback.markmail.org/search/?q=#query:%20list%3Aorg.apache.incubator.callback-dev+page:1+mid:xagvpmc2m3nw2m6w+state:results
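The externalizing step discussed in this message, as an added example that is not part of the original e-mail or of any Cordova tooling: a Node.js sketch that moves inline `<script>` bodies into files and reports inline event handlers, which are inline code as well. The function name, the file-naming scheme and the sample markup (built around the snippet quoted in the question) are assumptions.

```javascript
// Added example: rewrite a page so it contains only <script src=...> references.
// Regex-based sketch; a real build step should use an HTML parser.

// <script ...>body</script>; attributes are captured so src= can be detected.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const TAG_RE = /<[a-z][^>]*>/gi;          // opening tags only
const HANDLER_RE = /\s(on[a-z]+)\s*=/gi;  // onclick=, onload=, ...

function externalizeInlineScripts(html, prefix) {
  const files = {};  // generated file name -> script source
  let n = 0;
  const rewritten = html.replace(SCRIPT_RE, (whole, attrs, body) => {
    if (/\bsrc\s*=/i.test(attrs)) return whole;  // already external
    if (body.trim() === '') return whole;        // nothing to move
    const name = `${prefix}-${++n}.js`;          // hypothetical naming scheme
    files[name] = body.trim() + '\n';
    return `<script${attrs} src="${name}"></script>`;
  });

  // Inline handlers cannot be moved mechanically: they need an
  // addEventListener() call in a file, so they are only reported.
  // Scanning the rewritten page keeps script bodies out of the search.
  const handlers = [];
  for (const tag of rewritten.match(TAG_RE) || []) {
    for (const m of tag.matchAll(HANDLER_RE)) handlers.push(m[1].toLowerCase());
  }
  return { html: rewritten, files, handlers };
}

// Constructed sample page.
const SAMPLE = [
  '<p><script>alert("XSS");</script></p>',
  '<script src="lib.js"></script>',
  '<button onclick="go()">Go</button>',
].join('\n');

console.log(externalizeInlineScripts(SAMPLE, 'inline'));
```

Once the page ships only file references, markup that reaches innerHTML at run time has no packaged file to point at, which is the distinction drawn above.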