ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5696/common/fix/sanitization.adoc
Egon Okerman d34e1f86dd Modify rule S5696: Change text to progressive education format (APPSEC-423) (#1529) 
* Move metadata

* Move message

* Add text

* Clarify text

* Reword method to property in context of innerHTML
2023-03-02 19:03:03 +01:00

8 lines
991 B
Plaintext
Raw Blame History

==== Sanitization of user-supplied data
By systematically encoding data that is written to the DOM, it is possible to prevent XSS attacks. In this case, the goal is to leave the data intact from the end user's point of view but make it uninterpretable by web browsers.
However, selecting an encoding that is guaranteed to be safe can be a complex task. XSS exploitation techniques vary depending on the HTML context where malicious input is injected. As a result, a combination of HTML encoding, URL encoding and JavaScript escaping may be required, depending on the context. https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html[OWASP's DOM-based XSS Prevention Cheat Sheet] goes into more detail about the required sanitization.
Though browsers do not yet provide any direct API to do this sanitization, the https://github.com/cure53/DOMPurify[DOMPurify library] offers extensive functionality to prevent XSS and has been tested by a large user base.
Reference in New Issue View Git Blame Copy Permalink