The site Mustache-Security describes XSS vulnerabilities in KnockoutJS... The vulnerabilities come from the use of eval (or some equivalent) to convert text in the data-bind attribute to executable script. Most of the examples show attacks where malicious script could be executed if it is injected into a data-bind attribute.
Example (HTML/JavaScript/KnockoutJS):
<script src="http://knockoutjs.com/downloads/knockout-3.0.0.debug.js"></script>
<div data-bind="click: alert(1)"></div>
<div data-bind="value: alert(2)"></div>
<div data-bind="style: alert(3)"></div>
...
<select data-bind="options: alert(99)"></select>
<script>
ko.applyBindings();
</script>
While I can reproduce the examples as they are defined, I normally avoid putting JavaScript in data-bind attributes when using KnockoutJS. I prefer to reference an observable property on a JavaScript object to separate the view's behavior from its layout. Using this approach, I find that the JavaScript is not executable.
Example (HTML/JavaScript/KnockoutJS):
<script src="http://knockoutjs.com/downloads/knockout-3.0.0.debug.js"></script>
<div data-bind="value: firstName"></div>
<script>
var ViewModel = function() {
this.firstName = ko.observable('alert(2)');
}
var vm = new ViewModel();
ko.applyBindings(vm);
</script>
Is my application at risk of XSS solely because I have used KnockoutJS, or do I also have to find a way to put untrusted input into a data-bind attribute, using server-side code?
Example (ASP.NET/HTML/JavaScript/KnockoutJS):
<div data-bind="value: <%=Request.QueryString("id")%>"></div>
I would think that if an attacker could inject their script in the page using JavaScript, then they can just as easily manipulate the DOM directly and KnockoutJS doesn't increase my risk of XSS.
Is there something else I'm missing? What else must I do to prevent the XSS vulnerabilities that the author describes?
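The distinction the question draws (script text in the data-bind attribute versus the same text held in an observable) can be shown without a browser. The block below is an added example, not part of the question and not Knockout's own code: `compileDataBind` is a deliberately simplified stand-in for what ko.applyBindings does (Knockout 3.x rewrites the attribute text and then compiles it with `new Function`; the rewriting is omitted here), `observable` is a minimal stand-in for `ko.observable`, `fakeAlert` replaces the browser's `alert` so executions can be counted, and the `untrusted` parameter stands in for the `Request.QueryString("id")` value from the ASP.NET example. The last case shows the pattern that removes the server-side risk: the untrusted value is emitted into the view model as a JSON string literal escaped for a script context, and the attribute only names the property.

```javascript
// Added example (not Knockout's code): a simplified model of what
// ko.applyBindings does with a data-bind attribute, showing why text inside
// the attribute executes while text stored in an observable stays data.

// Records every "alert" that actually runs so the cases can be compared.
const executedAlerts = [];
function fakeAlert(x) { executedAlerts.push(x); return x; }

// Approximation of Knockout 3.x binding compilation: the attribute text is
// wrapped in an object literal and compiled with new Function. Real Knockout
// rewrites the text first, but it still ends in new Function over it.
function compileDataBind(dataBindText) {
  return new Function('alert', '$data',
    'with ($data) { return { ' + dataBindText + ' }; }');
}

function evaluateDataBind(dataBindText, viewModel) {
  return compileDataBind(dataBindText)(fakeAlert, viewModel);
}

// Stand-in for ko.observable: a getter/setter function holding one value.
function observable(initial) {
  let value = initial;
  return function (v) {
    if (arguments.length) { value = v; }
    return value;
  };
}

// Case 1: script in the attribute itself (the Mustache-Security examples).
// Returns how many alerts ran: 1.
function attributeScriptRuns() {
  const before = executedAlerts.length;
  evaluateDataBind('value: alert(2)', {});
  return executedAlerts.length - before;
}

// Case 2: the same text held in an observable is only a string value.
// Returns { ran: 0, value: 'alert(2)' }.
function observableValueIsData() {
  const before = executedAlerts.length;
  const vm = { firstName: observable('alert(2)') };
  const bindings = evaluateDataBind('value: firstName', vm);
  return { ran: executedAlerts.length - before, value: bindings.value() };
}

// Case 3: server-side interpolation of a query-string value into the
// attribute. `untrusted` stands in for Request.QueryString("id").
function interpolatedQueryStringRuns(untrusted) {
  const before = executedAlerts.length;
  evaluateDataBind('value: ' + untrusted, {});
  return executedAlerts.length - before;
}

// Case 4: the safe pattern. The untrusted value is serialised as a JSON
// string literal escaped for a <script> context, so "</script>" and the
// JS line terminators U+2028/U+2029 cannot break out of the literal.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What the server would emit is `var vm = { id: "<json>" };` and the
// attribute is a fixed `data-bind="value: id"`. The untrusted text is
// never part of the compiled binding expression.
function safeViewModelBinding(untrusted) {
  const before = executedAlerts.length;
  const vmSource = 'var vm = { id: ' + jsonForScript(untrusted) + ' }; return vm;';
  const vm = new Function(vmSource)();
  const bindings = evaluateDataBind('value: id', vm);
  return { ran: executedAlerts.length - before, value: bindings.value };
}
```

Cases 1 and 3 are the situations the Mustache-Security write-up covers: anything that lands in the attribute text is compiled, whether it was written there by the developer or interpolated by the server. Case 2 is the observable approach from the question, and case 4 is the same separation applied to a server-supplied value; the attribute itself never changes, so the binding compiler only ever sees a property name.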