Secure Your Node.js Web Application by Karl Duuna

Sanitize Input for Reflected/Stored XSS

There’s a reason why XSS vulnerabilities are so common in the wild: they’re difficult to get rid of. Sanitizing sounds simple in principle, but escaping and disallowing characters can get complicated quickly. Let’s look at various rules from the OWASP XSS Prevention Cheat Sheet,[68] which you should keep in mind when building your site.

But first, a small test: in the following code example there’s an HTML document—actually, an Embedded JavaScript[69] (EJS) template. Do you know where you could in theory put unsafe content and where you should never put unsafe content?

 <!DOCTYPE html>
 <html>
 <head lang="en">
  <meta charset="UTF-8">
  <title>My XSS</title>
 <!--<%- 1 %>--> ...
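To make the "where is it safe" question concrete, here is an added example (my own code, not from the book or from EJS) that applies the OWASP rule of encoding for the context you insert into. The helper names escapeHtml, escapeJsString, safeUrl and render are assumptions; escapeHtml mirrors what EJS's <%= %> does, while <%- %> inserts raw content and gets no protection at all.

```javascript
// Context-aware output encoding for untrusted data in an HTML template.
// HTML body / attribute context: entity-encode the five significant chars.
// This is equivalent to what EJS's <%= %> tag does.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// JavaScript string context (<script>var x = "...";</script>): HTML
// escaping is not enough here, because "</script>" ends the script block
// regardless of JS quoting. Encode every non-alphanumeric character as
// \xHH / \uHHHH so neither quotes nor tags can terminate the literal.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context (href/src): no amount of escaping makes a "javascript:"
// scheme safe, so allow-list the scheme instead and fall back to "#".
// Only absolute http(s) URLs are accepted in this example.
function safeUrl(s) {
  return /^https?:\/\//i.test(String(s)) ? escapeHtml(s) : '#';
}

// Constructed untrusted input, modelled on what a form might receive.
const untrusted = {
  name: '"><img src=x onerror=alert(1)>',
  site: 'javascript:alert(1)',
  note: '</script><script>alert(1)</script>',
};

// Render the same three contexts the EJS template above exposes,
// using the encoder that matches each context.
function render(input) {
  return [
    `<p>Hello, ${escapeHtml(input.name)}</p>`,
    `<a href="${safeUrl(input.site)}">site</a>`,
    `<script>var note = "${escapeJsString(input.note)}";</script>`,
  ].join('\n');
}
```

Placing a raw <%- %> tag in any of these three positions would bypass the corresponding encoder, which is the "never" case the question above is asking about.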
