Connect and XSS vulnerability

With RStudio Connect as publishing platform with R 3.3.3, are there any anti-XSS packages to consider for use with R v3.3.3? Are there other potential solutions to the jQuery/XSS vulnerability?

Generally speaking, it's best not to discuss potential security vulnerabilities on open forums (especially with specific versions / product references) :grinning_face_with_smiling_eyes: (reason being that bad actors can use information like that to cause trouble).

If you think you have found a vulnerability in RStudio Connect, I would point you to our security disclosure recommendations: Product Security - RStudio

If you are wondering how to make sure your particular RStudio Connect installation is not vulnerable to security threats, I would recommend reading the relevant section of our admin guide:

https://docs.rstudio.com/connect/admin/security-and-auditing/#custom-headers

And potentially reaching out to your Customer Success representative or our support team (support@rstudio.com).

All of that said, RStudio Connect handles the browser's connection to an R process (through a Shiny app / etc.), so I would expect most XSS protection to go into and be configured within Connect. However, I know that Shiny loads jQuery, so I would recommend using a recent version of Shiny / etc. (dev Shiny currently purports to work with R >= 3.0.2, so you should have some success there, although dependencies might vary - shiny/DESCRIPTION at 5c4175cd5fbeca303f80e81701c7ae585e69bd74 · rstudio/shiny · GitHub)

Similarly, I would recommend upgrading to a recent version of RStudio Connect, since we often address bugs, fix security vulnerabilities, and add features in each release. News for our releases is here: RStudio Connect: News
