There is a Node.js project that sanitizes data and there is an OWASP library for JavaScript that handles sanitization to prevent XSS.
I have been benchmarking these libraries, and they are pretty intensive and maybe an overkill, my application does not need any dynamic HTML (submitted by users, bbtags or what ever, not required at all) so why not do it like this:
<
" and ">
" characters, don't replace them or anything, just disable them, if the user submits these, give them a warning that these are disabled (client- and server-side validation)&
=> &
"
=> "
'
=> '
/
=> /
Would this be enough to protect myself, as I said, my application does not require any HTML submitted by users, so I don't need the <
and >
tags at all.
Thanks for all the feedback, this is what I use right now:
var pattern = /<(.*)>/;
function hasHtmlTags(string) {
return pattern.test(string);
};
if (hasHtmlTags(userData)) {
// Do something?
} else {
// Create entity.
}
So users can still use their emoticons :< and such, and the function only gets triggered if a combination of < and > is found. So no expensive regular expressions and such, just disable < and > in combination and we should be fine.
In a Cross-site Scripting attack (XSS), the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user's browser executes this malicious JavaScript on the user's computer. Note that about one in three websites is vulnerable to Cross-site scripting.
However, for security sensitive environments, disabling JavaScript is a safe precaution to protect against malicious attacks such as cross-site scripting.
The Editor itself cannot protect you from XSS attacks because malicious users can manually edit form fields and post forged requests to the server. To protect your users from these attacks, clean the posted content on the server through an HTML parsing and a whitelist of allowed tags.
However, Javascript and HTML are mostly used to perform this attack. This attack can be performed in different ways. Depending upon the type of XSS attack, the malicious script may be reflected on the victim's browser or stored in the database and executed every time, when the user calls the appropriate function.
Here is a general encode procedure:
var lt = /</g,
gt = />/g,
ap = /'/g,
ic = /"/g;
value = value.toString().replace(lt, "<").replace(gt, ">").replace(ap, "'").replace(ic, """);
If your user doesn't submit anything to your server you don't even need the above. If the user submits and you are using the user input then the above should be safe. As long as the '<' and '>' are globally sanitized and the parenthesis also are you are good to go.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With