Cross-Site Scripting (XSS)

Overview

Cross-site scripting (XSS) is a vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to users. When malicious code executes inside a victim's browser, an attacker can fully compromise their interaction with the application.

You can find more details at PortSwigger Web Security Academy: Cross-site scripting.

This page contains recommendations for the implementation of protection against Cross-Site Scripting (XSS) attacks.

General

Make sure all variables go through input validation and are then escaped or sanitized.
Implement input validation, see the Input Validation page.
Implement output encoding, see the Output Encoding page.
Implement HTML sanitization, see DOMPurify.
Comply with requirements from the Cookie Security page.
Enforce strict Content Security Policy, see the Content Security Policy (CSP) page.

Use stable versions of modern JavaScript frameworks such as Angular, Vue or React and their protection mechanisms.

References

OWASP Cheat Sheet Series: Cross Site Scripting Prevention Cheat Sheet

PreviousCross-Site Request Forgery (CSRF)NextMass Parameter Assignment

Last updated 11 months ago