Avoiding XSS vulnerabilities - whitelist?

Question

What are the best practices to prevent XSS vulnerabilities?

A lot of people on here have mentioned whitelists which sounds like a good idea, but I see many people define the whitelist using a RegEx. This seems inherently flawed because it depends on many factors, the least of which is the RegEx implementation and the skill of the person writing the expression not to make a mistake. Consequently a lot of XSS attacks succeed because they use techniques to make the regex accept them.

What are the best (though maybe more labor intensive than regex whitelist) ways to avoid these vulnerabilities/sanitize user input? Is it even theoretically possible to fully sanitize user input?

Answer 1

Have a look at AntiXSS library.

Answer 2

The best way to filter XSS depends on what platform you are developing for. Regular Expressions can be useful in preventing many types of vulnerabilities, but its not always the best. The best way to prevent XSS in PHP is to use htmlspeicalchars(); For instance:

Reflective XSS:

print $_GET['xss'];

Patched:

print htmlspecialchars($_GET['xss'],ENT_QUOTES);

To test this we can try and execute some JavaScript http://127.0.0.1/xss.php?xss=alert(/xss/) Under the first example we will get a popup saying /xss/. On the patched example it will display an html safe version of the string: <script>alert(/xss/)</script>

The real problem is greater than < and less than > symbols, if these are replaced with < and > respectivly then you are safe from XSS.

Answer 3

Michael's answer is okay but it will block safe HTML as well as dangerous inputs. This means that any input which contains HTML formatting such as <em> will be displayed with the actual HTML code.

If you want to accept safe HTML but block/filter dangerous inputs, then use a tested, proven 3rd party XSS filtering library like HTMLPurifier: http://htmlpurifier.org/

Don't reinvent the wheel, especially when it comes to security. And especially don't use regex for an XSS whitelist.