How does XSS work?

Cross Site Scripting basically is a security vulnerability of dynamic web pages where an attacker can create a malicious link to inject unwanted executable JavaScript into a Web site. The most usual case of these vulnerabilities occurs when GET variables are printed or echoed without filtering or checking their content. When a victim clicks the …

AntiXSS in ASP.Net Core

The dot.net core community has a wiki on this. You can inject encoders at a controller level (in the constructor) or reference System.Text.Encodings.Web. More info can be seen here: https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting

Protection against XSS exploits?

To prevent XSS attacks, you just have to check and validate properly all user-inputted data that you plan on using and don't allow HTML or JavaScript code to be inserted from that form. Or you can use htmlspecialchars() to convert HTML characters into HTML entities. So characters like <> that mark the …

What makes an input vulnerable to XSS?

Indeed, just let the server output it so that the input string effectively gets embedded in the HTML source which gets returned to the client. PHP example: <!doctype html> <html lang="en"> <head><title>XSS test</title></head> <body> <form><input type="text" name="xss"><input type="submit"></form> <p>Result: <?= $_GET['xss'] ?></p> </body> </html> JSP example: <!doctype html> <html lang="en"> <head><title>XSS test</title></head> <body> <form><input type="text" name="xss"><input …

XSS attacks and style attributes

This does not work due to the click-jacking vulnerability. Example: <a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164 The code would be perfectly validated but it may cause serious damage. So, rule of thumb: use a very strict white list …

Sanitising user input using Python

Here is a snippet that will remove all tags not on the white list, and all tag attributes not on the attributes whitelist (so you can't use onclick). It is a modified version of http://www.djangosnippets.org/snippets/205/, with the regex on the attribute values to prevent people from using href="https://stackoverflow.com/questions/16861/javascript:…", and other cases described at http://ha.ckers.org/xss.html. (e.g. …

Make ${} operator XSS safe in Struts 2 (same as tapestry)

Struts2 <s:property value="name" /> is automatically escaped by default; JSTL <c:out value="${name}" /> is automatically escaped by default; JSP EL ${name} is NOT escaped. You can explicitly escape it with ${fn:escapeXml(name)}, or set the escape to be performed by default by creating a custom ELResolver as described in this great article: ELResolver Escapes JSP EL …