Sanitize Input for DOM XSS

DOM-based XSS is a different beast altogether, and it deserves its own section and rules. To get a thorough overview of DOM XSS and sanitizing rules, consult the OWASP DOM-based XSS Prevention Cheat Sheet.[76] Also, if you skipped the previous section on various sanitizing rules, then go back. You need to know how to deal with first-order XSS attacks to understand how to deal with DOM XSS.

If your application does a lot of DOM manipulation, it’s prone to DOM XSS. I recommend using a JavaScript validation library designed for context-specific validations, such as the ESAPI JavaScript library[77] from OWASP.

Treat DOM-based XSS sanitizing as a two-step challenge. First, you get the data into a JavaScript ...
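As an added illustration (example code, not from the book or from ESAPI), here is the vulnerable DOM XSS pattern beside two hardened forms: encoding for the HTML context before an HTML-interpreting sink, and preferring a sink that never interprets markup. The element argument is assumed to be a DOM element; `encodeForHTML` is a hypothetical helper written here, not a library call.

```javascript
// Step 1 of the two-step challenge: encode untrusted data for the HTML
// context before it reaches a sink that parses HTML (e.g. innerHTML).
function encodeForHTML(untrusted) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// The vulnerable pattern: data from an attacker-controllable source
// (here assumed to be the URL fragment) written to an HTML sink unencoded.
function renderUnsafely(el, untrusted) {
  el.innerHTML = untrusted; // DOM XSS sink: markup is parsed and executed
  return el;
}

// Hardened form A: if innerHTML genuinely cannot be avoided, encode first
// so the browser renders the characters instead of interpreting them.
function renderEncoded(el, untrusted) {
  el.innerHTML = encodeForHTML(untrusted);
  return el;
}

// Hardened form B (preferred): textContent treats the string purely as data,
// so no markup is ever parsed and no encoding step can be forgotten.
function renderSafely(el, untrusted) {
  el.textContent = String(untrusted);
  return el;
}

// Typical wiring in a browser (constructed usage): the fragment is untrusted.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const target = document.getElementById('greeting');
  if (target) renderSafely(target, decodeURIComponent(location.hash.slice(1)));
}
```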

