Cross-site scripting (XSS) is a type of attack in which a malicious agent manages to inject client-side JavaScript into your website, so that it runs in the trusted environment of your users' browsers.
Protecting against XSS attacks
The cleanest way to prevent XSS attacks is to escape untrusted data at the point of injection. That means at the point where it's actually being injected into the HTML.
When exposing view locals to client-side JavaScript...
#
Use the exposeLocalsToBrowser partial to safely expose some or all of your view locals to client-side JavaScript:
On the client
#
A lot of XSS prevention is about what you do in your client-side code. Here are a few examples:
When injecting data into a client-side JST template...
#
Use <%- %> to HTML-encode data:
<div data-template-id="welcome-box">
<h3 is="welcome-msg">Hello <%- me.username %>!</h3>
</div>
When modifying the DOM with client-side JavaScript...
#
Use something like $(...).text() to HTML-encode data:
var $welcomeMsg = $('#signup').find('[is="welcome-msg"]');
welcomeMsg.text('Hello, '+window.SAILS_LOCALS.me.username+'!');
// Avoid using `$(...).html()` to inject untrusted data.
// Even if you know an XSS is not possible under particular circumstances,
// accidental escaping issues can cause really, really annoying client-side bugs.
references:
https://sailsjs.com/documentation/concepts/security/xss
No comments:
Post a Comment