Sanitize Input for Reflected/Stored XSS

There’s a reason why XSS vulnerabilities are so common in the wild: they’re difficult to get rid of. Sanitizing sounds simple in principle, but escaping and disallowing characters can get complicated quickly. Let’s look at various rules from the OWASP XSS Prevention Cheat Sheet,[68] which you should keep in mind when building your site.

But first, a small test: in the following code example there’s an HTML document—actually, an Embedded JavaScript[69] (EJS) template. Do you know where you could in theory put unsafe content and where you should never put unsafe content?

 <!DOCTYPE html>
 <head lang="en">
  <meta charset="UTF-8">
  <title>My XSS</title>
 <!--<%- 1 %>--> ...
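As an added illustration (not code from the book), the snippet below applies the first two OWASP rules the template test is probing: escape untrusted data before it lands in element content (rule #1) and inside quoted attribute values (rule #2), and keep it out of HTML comments entirely. The `escapeHtml`, `attr` and `renderGreeting` helpers are hypothetical; EJS's `<%= %>` performs an equivalent escape, whereas `<%- %>` inserts raw text.

```javascript
// Added example (not from the book): context-aware escaping for
// element content and quoted attribute values, following OWASP rules
// #1 and #2. All helpers here are hypothetical; EJS's own <%= %>
// applies an equivalent escape, while <%- %> inserts raw text.

// Rule #1: escape the five significant characters before inserting
// untrusted data into element content (between tags). '&' goes first
// so that the entities produced by later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Rule #2: attribute values get the same escaping and must always be
// wrapped in quotes, so a space or '=' in the input cannot start a new
// attribute of its own.
function attr(name, value) {
  return `${name}="${escapeHtml(value)}"`;
}

// Render a small page from an untrusted "name" the way an EJS template
// using <%= name %> would. The HTML comment deliberately carries no user
// data: a comment is not a safe insertion point, because "-->" in the
// input closes it and everything after becomes live markup.
function renderGreeting(name) {
  return [
    '<!DOCTYPE html>',
    '<head lang="en"><meta charset="UTF-8"><title>My XSS</title></head>',
    '<body>',
    '  <!-- rendered server-side, no user data here -->',
    `  <h1 ${attr('title', name)}>Hello, ${escapeHtml(name)}</h1>`,
    '</body>',
  ].join('\n');
}

// Constructed untrusted input for illustration only.
const untrusted = '<script>alert(1)</script>';
const page = renderGreeting(untrusted);
console.log(page);
console.log('raw <script> tag present:', page.includes('<script>'));
```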
