XSS Mitigations


Mitigations (OWASP):

  1. Sufficient (Server-side) input filtering:

    • HTML Escape Before Inserting Untrusted Data into HTML Element Content:

      Before placing user-supplied data into HTML element content, escape it with HTML entity encoding so that characters such as <, >, &, and quotes are rendered as text rather than parsed as markup.

      PHP:

      htmlspecialchars(USER_INPUT)

      Python

      import html
      html.escape(USER_INPUT)  # quote=True by default, so " and ' are encoded as well
    • Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

      WIP

    • JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

      Any user-supplied data must be escaped before it is embedded as a JavaScript value (for example a string literal inside a <script> block); plain JSON encoding alone is not enough, because a value containing </script> would still close the script element.

      PHP

      // JSON_HEX_* flags hex-encode < > & ' " so the value cannot close the <script> element or an enclosing quote
      json_encode(USER_INPUT, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)

      Python

      import django.utils.html as html
      html.escapejs(USER_INPUT)
  2. Client-side Defenses:

    This section describes how to make use of the XSS defense mechanisms that the browser itself provides.

    • Activating browser's defenses:

      Sending the following header with the value 1 activates the browser's built-in reflected-XSS filter (note that current browsers have removed this filter, so it is not a substitute for escaping and CSP):
      X-XSS-Protection: 1

    • CSP

      Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.