XSS Mitigations

Share on :

Mitigations (OWASP):

Sufficient (Server-side) input filtering:
- HTML Escape Before Inserting Untrusted Data into HTML Element Content:
  
  before putting data from user into an HTML page it must be first escaped using HTML entity encoding
  
  PHP:
```
htmlspecialchars(USER_INPUT)
```
  Python
```
import html
html.escape(USER_UNPUT)
```
- Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  
  WIP
- JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
  
  any user supplied data should be escaped before embedding it into JavaScript value
  
  PHP
```
json_encode(USER_INPUT)
```
  Python
```
import django.utils.html as html
html.escapejs(USER_INPUT)
```
Client-side Defenses:

in this section we will mention how to utilize the client side XSS defense mechanism
- Activating browser's defenses:
  
  sending the following header with value 1 will activate browser
  X-XSS-Protection: 1
- CSP
  
  Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.