how to prevent xss attacks in javascript

stackoverflow.com › questions › 12799539 › javascript-xss-prevention

Here is a general encode procedure:

var lt = /</g, 
    gt = />/g, 
    ap = /'/g, 
    ic = /"/g;
value = value.toString().replace(lt, "&lt;").replace(gt, "&gt;").replace(ap, "&#39;").replace(ic, "&#34;");

If your user doesn't submit anything to your server you don't even need the above. If the user submits and you are using the user input then the above should be safe. As long as the '<' and '>' are globally sanitized and the parenthesis also are you are good to go.

Answer from Konstantin Dinev on Stack Overflow

Mozilla

developer.mozilla.org › en-US › docs › Web › Security › Attacks › XSS

Cross-site scripting (XSS) - Security | MDN

In both cases, the general approach ... external input in your site's pages, there are two main defenses against XSS: Use output encoding and sanitization to prevent input from becoming executable....

Stack Overflow

stackoverflow.com › questions › 12799539 › javascript-xss-prevention

security - Javascript XSS Prevention - Stack Overflow

Top answer

1 of 4

13

Here is a general encode procedure:

var lt = /</g, 
    gt = />/g, 
    ap = /'/g, 
    ic = /"/g;
value = value.toString().replace(lt, "&lt;").replace(gt, "&gt;").replace(ap, "&#39;").replace(ic, "&#34;");

If your user doesn't submit anything to your server you don't even need the above. If the user submits and you are using the user input then the above should be safe. As long as the '<' and '>' are globally sanitized and the parenthesis also are you are good to go.

2 of 4

10

Considering https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Here is an implementation of their recommendations :

function escapeOutput(toOutput){
    return toOutput.replace(/\&/g, '&amp;')
        .replace(/\</g, '&lt;')
        .replace(/\>/g, '&gt;')
        .replace(/\"/g, '&quot;')
        .replace(/\'/g, '&#x27;')
        .replace(/\//g, '&#x2F;');
}

Also make sure you use this function only when necessary or you might break some stuff.

But I suggest you to take a look at already made libraries for sanitizing output :

https://github.com/ecto/bleach

Discussions

[AskJS] How do you protect against XSS?

Generally headers within the HTML document which prevent scripts loading from any other domain other than itself. Ideally, you'd want these headers to exist on the server, say like an Apache or NGINX config file, but you can place them in the HTML document itself via the meta tag. The Content Security Policy is by far the latest and most strict of all security headers, as it's a catch-all against any outside domain assets including content from CDN's and Google Analytics. Furthermore, inline scripts will be blocked as well. You'll need to manage the exceptions one by one. I'd recommend a security header generator of some sort to make sure you're not blocking your own assets. Example meta tag: ``` ``` More on reddit.com

r/javascript

22

21

July 29, 2019

How exactly does Cross Site Scripting (XSS) work?

There are 3 basic types of XSS: reflected, stored and DOM based. Stored XSS is an attack on a site that allows user to submit and store HTML in some way (eg in a comment or user profile). If the input is not properly filtered, an attacker can embed malicious JavaScript in the HTML. Then anyone who visits the site and happens to bring up that user's comment will get the payload. Reflected XSS is when a site takes user input and embeds it in the page, but without storing it on the server. An example would be a multistep form that uses your answer to the first question to determine the next question, eg "what's your favourite food?" If the user answers "pizza", the form then asks "what's your favourite pizza?" But the user answers with , the form will ask "what's your favourite " if it doesn't correctly filter/validate the user input. It's "reflected" because the user's input is reflected back to them in the HTTP response from the server. But since this isn't stored on the server, the attacker would need to trick the user into opening a crafted URL with the malicious answer embedded in it. DOM XSS is similar, but the difference is that the HTTP response from the server doesn't change, it's only what happens on the client side that differs. This is where the site takes user input and uses it directly in JavaScript on the page. The user input never hits the server, so the server-side code can't filter/validate the input, instead the JavaScript itself must do it. Again, you would need to trick a user into opening a specially crafted URL to execute this attack. Aside from safely encoding/filtering/validating user input in code, the other way to prevent these attacks is by implementing a strict Content Security Policy on the web server that only allows scripts with the right nonce or hash to be executed. More on reddit.com

r/cybersecurity

13

86

August 21, 2024

Is this good enough to prevent XSS attacks?

Why try to reinvent the wheel when you can use packages like https://www.npmjs.com/package/sanitize-html More on reddit.com

r/webdev

4

3

July 23, 2021

XSS in modern web development

Most browsers support HTTP headers that can add more restrictions to prevent XSS... look into Content-Security-Policy, Referrer-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection More on reddit.com

r/webdev

27

84

January 22, 2018

Videos