XSS prevention techniques

  • Inside a script tag.
  • Inside an HTML comment.
  • Inside an attribute name.
  • In a tag name.
  • Inside a CSS style.
  • Some parameters, such as a callback parameter, cannot be made safe by any amount of escaping; for such parameters, do not accept untrusted JavaScript code and execute it.
```javascript
// Parse JSON embedded in a data element; JSON.parse does not execute code, unlike eval()
JSON.parse(dataElement.textContent)
```
```jsp
<%-- Encode the untrusted URL for the HTML attribute context before it is emitted into href --%>
<a href="<%=encoder.encodeForHTMLAttribute(userURL)%>">link</a>
```
Use a language-appropriate HTML sanitization library, such as DOMPurify (JavaScript) or bleach (Python).
```javascript
// Untrusted data placed into these DOM sinks from a server-side template must be
// HTML-encoded first and then JavaScript-encoded for the string literal
element.innerHTML = "<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>";
element.outerHTML = "<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>";
document.write("<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>");
document.writeln("<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>");
```
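The two embedding patterns above (JSON read from a data element with JSON.parse, and the HTML-then-JavaScript double encoding before assigning to innerHTML), as an added example that is not code from the original post. The encoder functions are minimal stand-ins I wrote for the Encoder API the snippets call, and all names here are my own:

```javascript
// Added example (not the original post's code): minimal context-specific
// encoders standing in for the Encoder API the snippets above call, plus the
// two embedding patterns the post shows. Names here are my own.

// HTML body context: neutralise the characters that can change HTML structure.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute context: encode every non-alphanumeric as &#xHH; so the value
// cannot escape an unquoted or single-quoted attribute.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string-literal context: \xHH (or \uHHHH) for every non-alphanumeric,
// so the value cannot close the quote, add a newline, or contain "</script>".
function encodeForJS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Pattern from the post: untrusted data assigned to innerHTML from an inline
// script. HTML-encode first so the browser renders text rather than markup,
// then JS-encode so the value cannot break out of the string literal.
function renderInnerHtmlAssignment(untrusted) {
  return 'element.innerHTML = "' + encodeForJS(encodeForHTML(untrusted)) + '";';
}

// Pattern from the post: ship data as JSON in a non-executing data element and
// read it with JSON.parse. '<' is escaped so a "</script>" inside the data
// cannot close the element early.
function renderJsonDataElement(obj) {
  const json = JSON.stringify(obj).replace(/</g, '\\u003c');
  return '<script id="init-data" type="application/json">' + json + '</script>';
}

// Check for a rendered inline-script fragment: the double-encoded literal must
// contain no raw quote, angle bracket or line break.
function literalIsContained(jsSource) {
  const m = /"([^"]*)"/.exec(jsSource);
  return m !== null && !/[<>"'\n\r]/.test(m[1]);
}
```

Attribute encoding, as in the href snippet above, does not neutralise a `javascript:` scheme; URL inputs need scheme validation in addition to encoding.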
dl padmavathi

I go by Padma. I am a security enthusiast. This blog contains security related and some general stuff. E-mail:pduggire@gmu.edu