Talk:DOM based XSS Prevention Cheat Sheet

De OWASP
Saltar a: navegación, buscar

ideas from Ryan

FYI – have you see our updated XSS Defense Demo? http://www.modsecurity.org/demo/demo-deny-noescape.html. We are able to dynamically inject eith MentalJS (Gareth Heyes' JS Sandbox), or DOMPurify (Mario's JS/DOM sanitizer). This is pretty bad-ass as a methof or WAFs to help prevent XSS attack surface :) You might want to update your OWASP Top 10 Controls content to mention it during either the XSS or Virtual Patching sections.


current markup

var x = document.createElement("a");
x.href="#”;
x.setAttribute("onclick", "\u0061\u006c\u0065\u0072\u0074\u0028\u0032\u0032\u0029");
var y = document.createTextNode("Click To Test");
x.appendChild(y);
document.body.appendChild(x);

... some text ...

for ( var \u0062=0; \u0062 < 10; \u0062++){
\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074
.\u0077\u0072\u0069\u0074\u0065\u006c\u006e
("\u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064");
}
\u0077\u0069\u006e\u0064\u006f\u0077
.\u0065\u0076\u0061\u006c (
\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074
.\u0077\u0072\u0069\u0074\u0065(111111111));


suggested markup

var x = document.createElement("a");
x.href="#”;
x.setAttribute("onclick", "\u0061\u006c\u0065\u0072\u0074\u0028\u0032\u0032\u0029");
var y = document.createTextNode("Click To Test");
x.appendChild(y);
document.body.appendChild(x);


... some text ...

for ( var \u0062=0; \u0062 < 10; \u0062++){
   \u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074                    
   .\u0077\u0072\u0069\u0074\u0065\u006c\u006e
   ("\u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064");
}
\u0077\u0069\u006e\u0064\u006f\u0077
.\u0065\u0076\u0061\u006c (
\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074
.\u0077\u0072\u0069\u0074\u0065(111111111));