rspec/rules/S5696/common/pitfalls/limits-of-validation.adoc
Egon Okerman d34e1f86dd Modify rule S5696: Change text to progressive education format (APPSEC-423) (#1529)
* Move metadata

* Move message

* Add text

* Clarify text

* Reword method to property in context of innerHTML
2023-03-02 19:03:03 +01:00


==== The limits of validation
Validating user input is good practice and protects against many injection attacks. For XSS, however, validation on its own is not the recommended defense: untrusted data must also be encoded for the context in which it is rendered, or written through a DOM API that does not interpret HTML.
For example, filtering user input against a denylist will never fully prevent XSS. Web application firewalls often rely on this technique, and time and time again attackers find a payload that slips past their filters.
Another common approach is to parse the HTML and strip dangerous tags. This is again a denylist, vulnerable by design: the set of tags and attributes that can execute script is large and keeps changing with browsers, so the list is very difficult to keep complete in the long run.
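The two denylist approaches described above, as an added example that is not taken from the rule text or from SonarSource's code: a single-pass filter that deletes tags from a list of "sensitive" names, two constructed payloads that pass straight through it (an event-handler attribute on a tag that is not on the list, and a nested tag that the filter reassembles by deleting its inner part), and context-aware HTML encoding, which neutralises every one of them. All helper and constant names are hypothetical, and the payloads are constructed for the demonstration. It runs under Node without a DOM.

```javascript
// Added example (not part of the rule text): a denylist filter of the kind the
// section warns about, constructed payloads that walk through it, and
// context-aware encoding, which is what actually neutralises the input.
// Runs under Node without a DOM; all helper names are hypothetical.

// Tags a naive filter might decide are "sensitive".
const DENYLISTED_TAGS = ["script", "iframe", "object", "embed"];

// Single-pass denylist: delete opening and closing tags whose name is on the list.
// This is deliberately the weak approach; do not use it as a sanitizer.
function denylistFilter(input, tags = DENYLISTED_TAGS) {
  const names = tags.join("|");
  return input.replace(new RegExp(`<\\/?(?:${names})\\b[^>]*>`, "gi"), "");
}

// Context-aware encoding for the HTML text context. Every character that can
// open a tag, close an attribute or start an entity becomes an entity, so the
// HTML parser never sees markup in user data. In a browser, assigning the raw
// string to element.textContent instead of element.innerHTML has the same effect.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Crude detector used only to report the demo's results: is there still
// something the HTML parser would treat as a tag?
function containsTag(html) {
  return /<[a-z][\s\S]*?>/i.test(html);
}

// Constructed payloads for the demonstration.
const PAYLOADS = {
  // The obvious case, which the denylist does catch.
  scriptTag: "<script>alert(1)</script>",
  // No denylisted tag at all: the event-handler attribute runs the script.
  imgOnerror: "<img src=x onerror=alert(1)>",
  // Not on the list either; svg elements take an onload handler.
  svgOnload: "<svg onload=alert(1)>",
  // Defeats a single-pass filter: deleting the inner tags reassembles the outer ones.
  nested: "<scr<script>ipt>alert(1)</scr</script>ipt>",
};

// True when the payload still carries markup after the denylist has run.
function bypassesDenylist(payload) {
  return containsTag(denylistFilter(payload));
}

// True when encoding has removed every tag-like construct.
function neutralisedByEncoding(payload) {
  return !containsTag(escapeHtml(payload));
}

for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(
    `${name.padEnd(11)} denylist bypassed: ${bypassesDenylist(payload)}` +
      `  encoding neutralises: ${neutralisedByEncoding(payload)}`,
  );
}
```

Adding `img` and `svg` to the list does not fix the filter; it only moves the problem to the next tag or attribute that can run script, which is why the text calls this approach vulnerable by design. Encoding sidesteps the question entirely because it does not need to know which constructs are dangerous.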