10 lines
963 B
Plaintext
10 lines
963 B
Plaintext
|
==== The limits of validation
|
||
|
|
|
||
|
|
Validation of user inputs is a good practice to protect against various injection attacks. But for XSS, validation on its own is not the recommended approach.
|
||
|
|
|
||
|
|
As an example, filtering out user inputs based on a deny-list will never fully prevent XSS vulnerability from being exploited. This practice is sometimes used by web application firewalls. It's only a matter of time for malicious users to find the exploitation payload that will defeat the filters.
|
||
|
|
|
||
|
|
Another example is applications that allow users or third-party services to send HTML content to be used by the application. A common approach is trying to parse HTML and strip sensitive HTML tags. Again, this deny-list approach is vulnerable by design: maintaining a list of sensitive HTML tags, in the long run, is very difficult.
|
||
|
|
|
||
|
|
A preferred option is to use Markdown in conjunction with a parser that removes embedded HTML and restricts the use of "javascript:" URI.
|