Skip to content

Adversarial OCMF with/without SAFE XML Container #10

Description

@ahzf

Analyze the OCMF format and the SAFE XML Container format for fields, parameters, and values that may be unsafe when rendered in UI components, logs, error messages, reports, HTML exports, PDFs, or debug views. The focus is on XSS and similar injection issues caused by insufficient escaping, unsafe HTML rendering, XML handling, or string interpolation.

TODOs

  1. Review all OCMF fields and SAFE XML Container elements/attributes that may contain user-controlled or externally supplied text.
  2. Identify values that could be used for:
    2.1. HTML injection
    2.2. JavaScript execution
    2.3. XML/entity-related attacks
    2.4. malformed markup
    2.5. UI/log/report injection
  3. Build adversarial OCMF examples that try to hide as many distinct JavaScript execution vectors as possible inside one OCMF payload.
  4. Build the same or similar examples embedded in SAFE XML Containers.
  5. When rendered by the application, the payload should try to inject a visible test message.
  6. The injected message should include a counter showing how many payload locations were successfully executed or rendered unsafely.
  7. Add these samples to the security/regression test suite.
  8. Ensure that all affected UI views, import paths, validation errors, logs, reports, and export formats safely escape or reject dangerous content.

Expected Result

The application must treat all OCMF and SAFE XML Container content as untrusted input. No JavaScript must execute, no unsafe HTML must be rendered, and injected markup must be displayed only as inert text or rejected during validation.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions