I am creating this UTF-8 encoded HTML page where the user can provide input. I wanted to make this XSS proof. I came across this free Javascript framework called Prototype which provides some useful functions. One particular function stripTags essentially strips all tags from the input string. Would the following input processing prevent XSS?

  1. Perform a thorough UTF-8 decoding of the input (considering all possible UTF-8 representations)
  2. Convert HTML character entities to chars
  3. Run stripTags over the decoded, converted string to remove all possible tags

One of the common comments to antiXSS attempts in Javascript is that the user can bypass the system. How is this possible? In my case, the user using the system is trustworthy. However, other users who may have used the same machine earlier could be malicious.

+3  A: 

You only need to change:

  • & to &amp;
  • < to &lt;
  • " to &quot; (if you use single quotes in attributes, also ' to &#39;)

If you've already escaped special HTML characters, then there are no tags in there and strip tags doesn't do anything.

If you use strip tags instead of escaping, then foreign input will be able to escape HTML attributes, e.g.:

<input value="$foo">

if $foo is:

" src="404" onerror="evil()

And if you want to insert untrusted content in JavaScript (inside <script>), then other rules apply:

  • HTML entities are not interpreted in <script>, so don't use them there for escaping.
  • Use JavaScript string escaping rules (\ to \\, " to \") and replace all occurrences of </ with <\/.
porneL
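A worked version of those rules, as an added example (not the answer's or Prototype's own code; the function names here are my own):

```javascript
// Context-specific escaping, following the rules in the answer above.
// escapeHtml / stripTags / escapeForScript are illustrative names, not Prototype's API.

// Escape for HTML text and double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")   // must come first so later entities are not double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A naive strip-tags like the approach in the question: removes <...> pairs only.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, "");
}

// Escape for a JS string literal inside <script>: backslash first, then quotes,
// newlines, and break up "</" so the HTML parser cannot end the script early.
function escapeForScript(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/<\//g, "<\\/");
}

// Constructed sample: the attribute-breakout value from the answer.
const sample = '" src="404" onerror="evil()';

// strip-tags leaves the quote intact, so the value breaks out of the attribute;
// escaping keeps the whole value inside value="...".
function attrWithStripTags(v) { return '<input value="' + stripTags(v) + '">'; }
function attrWithEscape(v) { return '<input value="' + escapeHtml(v) + '">'; }

// How many attributes does the resulting element carry? Counts name=" openers.
function attributeCount(html) { return (html.match(/\w+="/g) || []).length; }
```

With stripTags the rendered element ends up with three attributes (value, src, onerror); with escapeHtml it keeps exactly one.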
A: 

If the JavaScript framework is run on the machine where the input is provided, then this is not secure (you would be trusting content from a potentially malicious client).

In cases where you are running it on the client machine just prior to displaying data, it would depend on what other vulnerabilities are in your code.

A good rule of thumb is that security constraints are typically applied on the server side, where a user can't simply go around them. From what I remember, PHP has a strip tags function for this, and there is similar functionality in Apache's StringEscapeUtils for Java. I am sure there is something similar in .NET.