Avoid XSS and allow some HTML tags with JavaScript

13,747

Solution 1

In order to protect an application from XSS attacks I usually use the following rules:

  1. Determine the level of security for your application.
    There are several tools that can protect your application; in my opinion, better security is provided by the OWASP tools: ESAPI or AntiSamy.
    Note: using sanitization does not guarantee filtering of all malicious code, so tools can be more or less secure.

  2. Understand whether you need to perform sanitization on the client side, the server side or both. In most cases it's enough to do this on the server side.

  3. Understand whether you need to preserve HTML tags (and which tags you need to preserve) or not. As stated previously, not allowing HTML tags is the more secure solution.

Based on this you can make a proper decision.
1. Personally, for server-side sanitization I used jSoup. In my opinion it's a pretty good tool for this.
Usually, in order to check for input vulnerability, I use the following vector:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  2. In case you need to prevent XSS on the client side you can use the following tools:
    a) JSSanitizer, which seems a bit outdated;
    b) Dust, maintained by Twitter.

These tools can easily allow you to sanitize your input and are mainly the answer to your question.

Server-side tools are mentioned above.

Regarding the 3rd point: in case you don't need to handle HTML tags you can easily use ESAPI on the server side and ESAPI4JS on the client side. As I understand, that doesn't work for you.

When I read your task I understood that you are storing email messages, therefore in your case it's required to sanitize input on the server side (using one of the tools), and it's up to you whether to add it on the client side or not. You only need to decide whether to add another sanitization on the UI side or to render your "preview page" on the server.
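The approach Solution 1 describes (keep a short list of formatting tags, reject everything else) can be shown in working code. The block below is an added example, not code from the answer and not jSoup's own implementation: an allowlist sanitizer in plain JavaScript that runs in the browser for the preview and unchanged in Node on the server. The allowed tag set, the function names `sanitizeHtml` and `isSafeOutput`, and the constructed sample messages are assumptions of this example; the probe string is the test vector quoted in the answer above. Two design choices matter: anything that is not an allowed tag is escaped into visible text rather than silently deleted, and attributes are never copied through, so `onclick`, `href` and `style` cannot survive.

```javascript
// Added example (not from the original answer): an allowlist HTML
// sanitizer for the email preview. Anything that is not one of the
// allowed tags is HTML-escaped (not silently deleted), and attributes are
// never copied through, so the output can only contain tags this code emits.
// The tag set below is an assumption for the example.
const ALLOWED_TAGS = new Set(["b", "i", "u", "em", "strong", "p", "hr", "br"]);
const VOID_TAGS = new Set(["hr", "br"]); // allowed tags that take no closing tag

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function sanitizeHtml(input) {
  // Matches "<name ...>" or "</name ...>"; attributes are matched only to be discarded.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  const out = [];
  const open = []; // stack of allowed tags currently open, keeps the output balanced
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out.push(escapeHtml(input.slice(last, m.index))); // text between tags
    last = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out.push(escapeHtml(m[0])); // <script>, <img onerror=...> etc. become visible text
      continue;
    }
    if (VOID_TAGS.has(name)) {
      if (!closing) out.push(`<${name}>`);
      continue;
    }
    if (!closing) {
      out.push(`<${name}>`); // re-emitted without any attributes
      open.push(name);
    } else {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue; // stray closing tag: drop it
      while (open.length > idx) out.push(`</${open.pop()}>`); // close inner tags first
    }
  }
  out.push(escapeHtml(input.slice(last)));
  while (open.length) out.push(`</${open.pop()}>`); // close anything left open
  return out.join("");
}

// Post-condition check: every "<" in the output starts a bare allowed tag.
const SAFE_OUTPUT_RE = new RegExp(
  `^(?:[^<>]|<\\/?(?:${[...ALLOWED_TAGS].join("|")})>)*$`
);
function isSafeOutput(html) {
  return SAFE_OUTPUT_RE.test(html);
}

// The probe string the answer above uses, kept verbatim (String.raw keeps the backslashes).
const PAGE_VECTOR = String.raw`';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`;

// Constructed sample messages for the demo.
const SAMPLES = [
  '<b onclick="alert(1)">hi</b><script>alert(1)</script>',
  '<i>unclosed <b>bold</i> tail',
  'a<hr/>b</b>',
  PAGE_VECTOR,
];
for (const s of SAMPLES) {
  const clean = sanitizeHtml(s);
  console.log(isSafeOutput(clean) ? "ok  " : "BAD ", clean);
}
```

`isSafeOutput` is the check worth keeping in a test suite: it asserts the property the sanitizer is supposed to guarantee (no `<` in the output except a bare allowed tag) rather than any particular payload, so new bypass attempts can be added as inputs without changing the assertion. The same allowlist discipline is what `Jsoup.clean` with a `Safelist` gives you on the JVM, which is the server-side role the answer assigns to jSoup.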

Solution 2

You can of course always switch to using BB code, use the same parser for the preview as for the form, and then parse the BB code server side when sending.

See this article if you'd like to parse the BB code client side for the preview, and this one for parsing the BB code server side, assuming you send mails using PHP.
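The safety of the BB-code route rests on one ordering rule: escape the whole message as HTML first, and only then translate a fixed set of BB-code tags. The block below is an added example of that, written in JavaScript so one function can serve both the browser preview and a Node server before sending; it is not code from the answer and not the PHP parser the answer links to. The supported tag set, the output markup, and the function name `renderBbCode` are assumptions of this example.

```javascript
// Added example (not from the original answer, and not the linked PHP
// parser): a BB-code renderer that HTML-escapes the whole message first and
// only afterwards turns a few BB-code tags into HTML, so no user-written
// HTML can survive. The same function serves the preview and the server.
// The supported tag set is an assumption for the example.
const BB_TO_HTML = { b: "strong", i: "em", u: "u" };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Leftmost [b]/[i]/[u] pair first; unmatched tags stay as literal text.
const PAIR_RE = /\[(b|i|u)\]([\s\S]*?)\[\/\1\]/i;
// Only http(s) URLs; "javascript:" and friends fall through as plain text.
const URL_RE = /\[url=(https?:\/\/[^\]\s]+)\]([\s\S]*?)\[\/url\]/gi;

function renderBbCode(text) {
  let html = escapeHtml(text); // step 1: nothing the user typed is HTML any more
  let m;
  while ((m = PAIR_RE.exec(html)) !== null) {
    const tag = BB_TO_HTML[m[1].toLowerCase()];
    html = html.slice(0, m.index) + `<${tag}>${m[2]}</${tag}>` + html.slice(m.index + m[0].length);
  }
  // Quotes were escaped in step 1, so a URL cannot close the href attribute.
  html = html.replace(URL_RE, (_, href, label) => `<a href="${href}" rel="noopener noreferrer">${label}</a>`);
  html = html.replace(/\[hr\]/gi, "<hr>");
  return html.replace(/\r?\n/g, "<br>");
}

// Constructed sample messages for the demo.
const SAMPLES = [
  "Hi [b]there[/b] <script>alert(1)</script>",
  "[url=javascript:alert(1)]click[/url]",
  "[url=https://example.com/?a=1&b=2]site[/url]",
  "[b]x [i]y[/i][/b]\n[hr]",
  '[url=https://x.y/" onmouseover="alert(1)]a[/url]',
];
for (const s of SAMPLES) console.log(renderBbCode(s));
```

The second and fifth samples show why the order matters: a `javascript:` URL never matches the scheme check and is left as inert text, and an attempt to break out of `href` with a quote fails because the quote was already turned into `&quot;` before the URL pattern ran. If the server renders the final email with the same function, the preview the user sees is exactly what the recipient gets.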

Solution 3

The best way to avoid most XSS attacks is:

These two together will make your site pretty robust.


Author by VladJS

Updated on June 04, 2022

Comments

  • VladJS
    VladJS almost 2 years

    I've got a problem in my current project: Users can send an email using a textarea. We allow the user to put in whatever they want, and thus some HTML for formatting. For example, the user should be allowed to use the <b> tag for bold text.

    After completing their email, the user should be able to view a preview of their email dynamically.

    There is a slight problem though, how can I avoid XSS hacks when the preview is being displayed?

    You can of course strip them using underscore.js, but that wouldn't format their preview.

    So I have forbidden all HTML tags for now, and only allowed tags like <hr>, <b>, etc.

    What do you think about this solution? Is it secure enough?

    • Yuriy Galanter
      Yuriy Galanter over 10 years
      Did you pay attention to the Stack Overflow question entry form when you were entering this question? Does this remind you of something?
    • dandavis
      dandavis over 10 years
      You don't need to worry about XSS during the preview. At all. Firebug is a much easier way to hijack your own browser... also, your JS (or any client-side JS for that matter) does nothing to prevent the submitting of XSS attacks to other users.
  • avgvstvs
    avgvstvs almost 9 years
    Don't use Jsoup for this purpose!!!!! Its design is explicitly to repair invalid HTML, and most XSS attacks start out as invalid HTML. You want to use something like Jericho which will non-destructively capture the incoming html doc and allow you to appropriately send it to the next layer of validation.
  • Quentin
    Quentin almost 8 years
    The question is tagged JavaScript, this is Java which is a completely different language.