Is there a Javascript equivalent of libraries like HTMLPurifier, which remove XSS code from strings?
views:
95answers:
2
+7
A:
Generally speaking, by the time Javascript code is running, it's too late to protect yourself against an XSS attack. You need to protect against it at the server, not the client.
bdonlan
2009-05-19 18:01:19
This isn't strictly true: there could be a case where an ajax app accepts input from a textarea and injects content into the DOM, in which case you'd definitely want to sanitize it.
Jed Schmidt
2009-05-19 18:10:18
That's a good rule of thumb to have the server analyze every user input strictly to ensure attacks are prevented at a deep level.
Jan Gressmann
2009-05-19 18:21:23
@Jed, what is the attack vector there, other then the user attacking herself. I don't really see a security issue with that.
Ben Schwehn
2009-05-19 18:55:29
Ok, I guess preventing accidental script/tag injection could be a good thing there.
Ben Schwehn
2009-05-19 19:00:38
@Jed, this can be avoided by adding text nodes instead of manipulating innerHTML
bdonlan
2009-05-19 20:23:33
Suppose I am getting a JSON response back from my server, and the part of this response which I am adding to the HTML page, is part of a stringFor ex: {data: "this needs to be added to html and can be unsafe"}Then also am I subject to what you are saying. Can't I run the HTML purifier(JS version) on the above string.
akshat
2009-05-21 08:55:14