Analyze the OCMF format and the SAFE XML Container format for fields, parameters, and values that may be unsafe when rendered in UI components, logs, error messages, reports, HTML exports, PDFs, or debug views. The focus is on XSS and similar injection issues caused by insufficient escaping, unsafe HTML rendering, XML handling, or string interpolation.
TODOs
- Review all OCMF fields and SAFE XML Container elements/attributes that may contain user-controlled or externally supplied text.
- Identify values that could be used for:
2.1. HTML injection
2.2. JavaScript execution
2.3. XML/entity-related attacks
2.4. malformed markup
2.5. UI/log/report injection
- Build adversarial OCMF examples that try to hide as many distinct JavaScript execution vectors as possible inside one OCMF payload.
- Build the same or similar examples embedded in SAFE XML Containers.
- When rendered by the application, the payload should try to inject a visible test message.
- The injected message should include a counter showing how many payload locations were successfully executed or rendered unsafely.
- Add these samples to the security/regression test suite.
- Ensure that all affected UI views, import paths, validation errors, logs, reports, and export formats safely escape or reject dangerous content.
Expected Result
The application must treat all OCMF and SAFE XML Container content as untrusted input. No JavaScript must execute, no unsafe HTML must be rendered, and injected markup must be displayed only as inert text or rejected during validation.
Analyze the OCMF format and the SAFE XML Container format for fields, parameters, and values that may be unsafe when rendered in UI components, logs, error messages, reports, HTML exports, PDFs, or debug views. The focus is on XSS and similar injection issues caused by insufficient escaping, unsafe HTML rendering, XML handling, or string interpolation.
TODOs
2.1. HTML injection
2.2. JavaScript execution
2.3. XML/entity-related attacks
2.4. malformed markup
2.5. UI/log/report injection
Expected Result
The application must treat all OCMF and SAFE XML Container content as untrusted input. No JavaScript must execute, no unsafe HTML must be rendered, and injected markup must be displayed only as inert text or rejected during validation.