Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Javascript XSS Prevention

There is a Node.js project that sanitizes data and there is an OWASP library for JavaScript that handles sanitization to prevent XSS.

I have been benchmarking these libraries, and they are pretty intensive and maybe an overkill, my application does not need any dynamic HTML (submitted by users, bbtags or what ever, not required at all) so why not do it like this:

  1. Disable "<" and ">" characters, don't replace them or anything, just disable them, if the user submits these, give them a warning that these are disabled (client- and server-side validation)
  2. & => &amp;
  3. " => &quot;
  4. ' => &#x27;
  5. / => /
  6. Encode submitted URLs (GET parameters etc.)
  7. DOM based XSS is covered since my application uses HTML5 PushState and the backend is fully separated from the frontend.

Would this be enough to protect myself, as I said, my application does not require any HTML submitted by users, so I don't need the < and > tags at all.

Thanks for all the feedback, this is what I use right now:

var pattern = /<(.*)>/;

function hasHtmlTags(string) {
    return pattern.test(string);
};

if (hasHtmlTags(userData)) {
    // Do something?
} else {
    // Create entity.
}

So users can still use their emoticons :< and such, and the function only gets triggered if a combination of < and > is found. So no expensive regular expressions and such, just disable < and > in combination and we should be fine.

like image 295
onlineracoon Avatar asked Oct 09 '12 11:10

onlineracoon


People also ask

Is JavaScript vulnerable to XSS?

In a Cross-site Scripting attack (XSS), the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user's browser executes this malicious JavaScript on the user's computer. Note that about one in three websites is vulnerable to Cross-site scripting.

Does disabling JavaScript prevent XSS?

However, for security sensitive environments, disabling JavaScript is a safe precaution to protect against malicious attacks such as cross-site scripting.

Does jquery prevent XSS?

The Editor itself cannot protect you from XSS attacks because malicious users can manually edit form fields and post forged requests to the server. To protect your users from these attacks, clean the posted content on the server through an HTML parsing and a whitelist of allowed tags.

Is JavaScript the only way to perform XSS attacks?

However, Javascript and HTML are mostly used to perform this attack. This attack can be performed in different ways. Depending upon the type of XSS attack, the malicious script may be reflected on the victim's browser or stored in the database and executed every time, when the user calls the appropriate function.


1 Answers

Here is a general encode procedure:

var lt = /</g, 
    gt = />/g, 
    ap = /'/g, 
    ic = /"/g;
value = value.toString().replace(lt, "&lt;").replace(gt, "&gt;").replace(ap, "&#39;").replace(ic, "&#34;");

If your user doesn't submit anything to your server you don't even need the above. If the user submits and you are using the user input then the above should be safe. As long as the '<' and '>' are globally sanitized and the parenthesis also are you are good to go.

like image 178
Konstantin Dinev Avatar answered Sep 21 '22 16:09

Konstantin Dinev