Introduction
As the ShortPoint engineering team, we take security very seriously. Our product enhances the features of the battle-tested rich text editor used in SharePoint, Office 365, SAP and other platforms. Nevertheless, that does not mean we should take everything for granted.
In this document we will go through each potential threat in SharePoint / Office 365 / SAP and how we have addressed those threats and increased the level of security at ShortPoint.
TABLE OF CONTENTS
- Introduction
- Full compliance with Microsoft Office 365, SharePoint and SAP Cloud Security principles and implementations
- Cross Site Scripting (XSS)
- Injecting JavaScript Data
- JavaScript Source Protection
Full compliance with Microsoft Office 365, SharePoint and SAP Cloud Security principles and implementations
After you download the package, you install ShortPoint directly into your environment. We do not have any access to your contents. ShortPoint is fully compliant with Microsoft Office 365, SharePoint and SAP Cloud Security principles and implementations.
Cross Site Scripting (XSS)
To make sure that the end user’s input through ShortPoint remains safe all the times, we have added a Filters Layer into the product. This layer depends on two of the most well-known XSS filtering libraries:
We have used a mix of those two modules (see the screenshot below) to fit our special needs in handling every aspect of user input in ShortPoint while not breaking important part of the end-user's page:
It is good to note that the Filters Layer is not tightly coupled with these modules. Updating any of the modules is just a matter of one click. Also, if we wanted for any reason to drop any module or replace them with a better alternative in the future, it can be easily done by updating only this layer.
Let’s dive into each potential XSS threat that can be found in the product and how we managed to address these threats to protect Office 365, SharePoint, SAP CP and other users as much as possible.
Non-Logged In Users
Since XSS attacks come from an invalidated user input, please note that all forms that require user input in ShortPoint / SAP can only be accessed when the user is actually authenticated and authorized.
ShortPoint Generator (SharePoint Only)
ShortPoint Generator page is used to allow users to define a content template once and be able to use this template in every page on a Site Collection where ShortPoint runs. This template may contain both HTML and ShortPoint Design Elements.
Since the template may contain HTML, it may also contain <script> references and JavaScript handlers (Onclick, Onmouseover etc.) which allows the end user to write a script that could be run in multiple pages.
Using the Filters Layer mentioned above, all ShortPoint generated content goes through the XSS-filtering mechanism, to make sure that all written code is clean and safe.
ShortPoint Theme Builder (SharePoint Only)
Similar to the Generator, all data entered through the Theme Builder page will also go through the XSS-filtering mechanism before storing.
SharePoint Lists Content (SharePoint Only)
Protecting both Theme Builder and Generator pages in ShortPoint does not yet mean that the end-user is safe. All user preferences created by these pages are stored in a repository (e.g., SharePoint lists). The end-user can go directly into these repositories and add whatever script code he/she wants. These scripts will end up being executed on the pages that have ShortPoint enabled.
To prevent this, the same XSS-filters that are applied to Theme Builder and Generator pages, were applied again before injecting any content from the ShortPoint repositories into the page.
Page Builder Text Fields Input
The Page Builder is the area in ShortPoint that contains the most text fields: each ShortPoint Design Element can be customized using a bunch of text fields. It is important to make sure that every field does not contain any potentially harmful code by the end user.
All Page Builder fields are being validated using the ShortPoint Filters Layer to make sure the entered data is safe and clean.
Page Builder Rich Text Editor
To enable end-users to write rich text content from the Page Builder dialog, we have carefully picked the Froala Editor - a highly flexible and secured rich text editor.
Froala editor has a strong defense mechanism against all types of the XSS attacks. It was tested by the world-renowned Ashar Javed.
Manually Writing ShortPoint HTML
All ShortPoint Design Elements before rendering will look similar to the following HTML template:
<div data-shortpoint=”ELEMENT_NAME: { OPTIONS }”></div>
Before, we used to parse the data inside data-shortpoint attribute using the eval method, allowing the end user to write harmful code inside such attribute as in the following example
<div data-shortpoint=”button: { title: ‘about us’, link: alert( 1 ) }”></div>
To prevent this (since all content of the data-shortpoint attribute should be raw data), the parsing mechanism has been changed to use the safe JSON.parse method instead of eval.
Explicitly Defined ShortPoint Code Attributes
After going through how ShortPoint works behind the scenes, and how that ShortPoint code get parsed into an actual JavaScript code, one may think that any attribute you put into the code will end up being parsed into the data-shortpoint attribute, but it is not the case here.
For example, let's take a look at the following ShortPoint code:
[button title=”hello world” onclick=”callSomething” onmouseover=”callAnother” /]
Once it is converted into a ShortPoint HTML template, it will look like this:
<div data-shortpoint=”’button’: { ‘title’: ‘about us’ }”></div>
As you can see, all extra attributes in ShortPoint code have been removed once converted into a ShortPoint HTML template. This is because for every ShortPoint Design Element we have a meta-data definition (see the screenshot below), that defines the exact attributes needed to be parsed.
Any extra attribute written into the ShortPoint code, that is not defined in the ShortPoint element meta-data, will not be parsed, and will be ignored.
Injecting JavaScript Data
All data passed from the ShortPoint repositories, was updated to be serialized using the safe JSON.stringify method to serialize the JavaScript object instead of regular string concatenation methods.
JavaScript Source Protection
Our JavaScript is not only being minified, we are also obfuscating it using Jscrambler.
Most products designed to protect JavaScript rarely go beyond simple regular expression transformations. Still, the Jscrambler is a JavaScript interpreter and parsing engine that creates an Abstract Syntax Tree representing the source code. Because Jscrambler understands JavaScript, it secures the HTML5 and JavaScript in a way that the protected code executes with the same functionality as the source.
This approach allows the product to be easily and affordably maintained, enabling it to evolve naturally and providing it with the ability to produce enterprise-class security and anti-debugging methods.