Sanitize Input for Reflected/Stored XSS
Thereâs a reason why XSS vulnerabilities are so common in the wild: theyâre difficult to get rid of. Sanitizing sounds simple in principle, but escaping and disallowing characters can get complicated quickly. Letâs look at various rules from the OWASP XSS Prevention Cheat Sheet,[68] which you should keep in mind when building your site.
But first, a small test: in the following code example thereâs an HTML documentâactually, an Embedded JavaScript[69] (EJS) template. Do you know where you could in theory put unsafe content and where you should never put unsafe content?
| â | â<!DOCTYPE html>â |
| â | <html> |
| â | <head lang=â"en"â> |
| â | <meta charset=â"UTF-8"â> |
| â ... |
Get Secure Your Node.js Web Application now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
