Application Security Handbook
Cross-Site Scripting (XSS)


Last updated 1 year ago

Overview

Cross-site scripting (XSS) is a vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It arises when untrusted data (request parameters, stored user content, URL fragments) is placed into a page without validation and context-appropriate output encoding, so that the site returns attacker-controlled JavaScript to its users. Depending on where the data enters the page, the attack is reflected (from the current request), stored (from data persisted by the application) or DOM-based (inserted by client-side script). When the injected code executes inside a victim's browser, it runs with that user's session and origin, so the attacker can read page content, perform actions as the user, steal session material not protected by HttpOnly, or capture credentials.

You can find more details in the PortSwigger Web Security Academy: Cross-site scripting.

This page contains recommendations for the implementation of protection against Cross-Site Scripting (XSS) attacks.

General

  • Make sure every piece of untrusted data passes input validation and is then encoded for the exact context it is inserted into (HTML body, HTML attribute, JavaScript string, URL) at the point of output. Encoding rules differ per context, so a single generic "escape" routine is not sufficient; use sanitization (a library such as DOMPurify) only where rich HTML must be allowed, never as a substitute for encoding.

  • Use stable versions of modern JavaScript frameworks such as Angular, Vue or React and rely on their built-in escaping of data bindings. Treat their escape hatches (React `dangerouslySetInnerHTML`, Vue `v-html`, Angular `bypassSecurityTrust*`, direct `innerHTML` or `document.write` calls) as raw HTML sinks that need sanitized input, and remember that the frameworks do not protect URL contexts such as `href="javascript:..."` or server-side templating.

References

Implement input validation, see the Input Validation page.

Implement output encoding for every output context, see the Output Encoding page.

Implement HTML sanitization where rich HTML from users must be rendered, see DOMPurify.

Comply with requirements from the Cookie Security page; the HttpOnly flag limits what injected script can read if the other controls fail.

Enforce strict Content Security Policy as a defence in depth that limits the impact of an XSS bug but does not replace encoding, see the Content Security Policy (CSP) page.

OWASP Cheat Sheet Series: Cross Site Scripting Prevention Cheat Sheet

PortSwigger Web Security Academy: Cross-site scripting