Rafal Hofman

Posted on • Originally published at brightinventions.pl
XSS - are you sure you are protected?

As a developer, you have probably heard what XSS is and how to defend against it by escaping user input. You might also have heard that modern frontend frameworks like React or Angular are XSS-safe (because they escape output by default). Still, there are some XSS caveats worth remembering:

Imagine you have a form where the user adds an address to his page/Facebook/Instagram etc. You might have HTML code like:

<a href="https://brightinventions.pl/">User page</a>

When taking input from the user that will later be displayed in an href attribute (or in any other attribute or element that opens a "new link" on click), it is important to validate the protocol of the URL. Escaping does not help here: the payload contains no characters that HTML escaping would touch. The user can simply submit their "page" with the javascript protocol and execute XSS.

<a href="javascript:alert('XSS!');">User page</a>

To conclude: to defend against XSS, besides escaping user input, do validate the protocol of the URL. Let me know if you have any other interesting thoughts when it comes to XSS!
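As an added example (not code from the original post), here is one way to do that protocol check in JavaScript before a user-supplied link ends up in an href. It parses the input with the WHATWG URL constructor and compares the resulting scheme against an allowlist; the allowlist (http, https, mailto), the base URL https://example.com/ used to resolve relative paths, and the function names safeHref, escapeAttr and renderUserLink are all assumptions of this example. It goes slightly beyond the post by showing why a naive string-prefix check is not enough: browsers strip leading whitespace and embedded tabs/newlines and lower-case the scheme when resolving a link, and the URL parser does the same, so those variants are normalised to javascript: and rejected.

```javascript
// Added example, not from the original post: allowlist the URL scheme
// before placing user input into an href attribute.
// Assumption: the page only ever needs http(s) and mailto links.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Returns a safe absolute URL string, or null if the input must be rejected.
// Relative paths are resolved against `base` (assumed) so that "/profile"
// stays usable.
function safeHref(userInput, base = "https://example.com/") {
  if (typeof userInput !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser lower-cases the scheme, strips leading/trailing
    // ASCII whitespace and removes embedded tabs/newlines, so inputs such as
    // "  JavaScript:alert(1)" or "java\nscript:alert(1)" end up with
    // protocol "javascript:" and are caught by the allowlist check below.
    parsed = new URL(userInput, base);
  } catch {
    return null; // unparsable input is rejected, not "escaped"
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Escape a string for use inside a double-quoted HTML attribute or text node.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor; fall back to plain text when the URL is not allowed,
// so a rejected link never produces a clickable element at all.
function renderUserLink(userInput, label = "User page") {
  const href = safeHref(userInput);
  if (href === null) return escapeAttr(label);
  return `<a href="${escapeAttr(href)}" rel="noopener noreferrer">${escapeAttr(label)}</a>`;
}

// Constructed sample inputs: the first two are accepted, the rest rejected.
const SAMPLES = [
  "https://brightinventions.pl/",
  "/profile",
  "javascript:alert('XSS!');",
  "  JavaScript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<b>x</b>",
  "vbscript:msgbox(1)",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", safeHref(s));
  }
}
```

Note that the check is done on the parsed protocol, not on the raw string, and that the escaping step is still applied to the validated URL when it is written into the attribute; the two defences are complementary, not alternatives.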
