Can someone clarify something for me on the Mitigate the Risk of Cross Site Scripting (XSS) Attacks with helmet.xssFilter() challenge?

Tell us what’s happening:
The information in the challenge page talks about sanitising the input to prevent XSS by setting an HTTP header.

However, in the Helmet Docs and in this Issue, the helmet.xssFilter() method is actually described to set this header to 0 to prevent bugs, disabling the default sanitisation.

Out of curiosity, when this challenge was created, did the middleware (older Helmet version) originally set this header to enable the sanitisation, since that is what the challenge description suggests?

Your code so far

app.use(helmet.xssFilter())

Your browser information:

User Agent is: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36.

Challenge: Mitigate the Risk of Cross Site Scripting (XSS) Attacks with helmet.xssFilter()

Link to the challenge:

Hello there,

Thank you for pointing this out. I have moved this over to the #contributors sub-forum, as I believe this should be discussed to be changed (before we open a GitHub issue).

This lesson, whilst not being too specific with details on browsers, or Helmet’s implementation, is still relevant. However, it does miss the point that since version 4 of Helmetjs, the xssFilter middleware disables the browser filtering (if it exists - IE and Safari).

So, if someone more versed in this topic could confirm the accuracy of the lesson content, then we can open a GitHub issue.

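To make the version difference discussed above concrete, here is an added example (not from the challenge, the forum posters or Helmet's own code base): two hypothetical stand-in middlewares that send what the two Helmet generations send, and a small parser that turns an X-XSS-Protection header value into its meaning so a response can be checked in a test rather than by eye. It uses no Express or Helmet install.

```javascript
// Hypothetical stand-ins for the two Helmet behaviours described in the thread
// (assumption: they only set this one header). Helmet >= 4 sends "0", which
// turns the legacy browser filter off; earlier versions sent "1; mode=block".
function xssFilterV4(req, res, next) {
  res.setHeader("X-XSS-Protection", "0");
  next();
}
function xssFilterLegacy(req, res, next) {
  res.setHeader("X-XSS-Protection", "1; mode=block");
  next();
}

// Parse an X-XSS-Protection value into its meaning. Grammar as browsers
// implemented it: "0" | "1" [ "; mode=block" ] [ "; report=<uri>" ]
function parseXssProtection(value) {
  if (value === undefined || value === null) {
    return { present: false, enabled: null, mode: null, report: null };
  }
  const parts = String(value).split(";").map((p) => p.trim()).filter(Boolean);
  const flag = parts.shift();
  if (flag !== "0" && flag !== "1") {
    throw new Error(`unrecognised X-XSS-Protection value: ${value}`);
  }
  const result = { present: true, enabled: flag === "1", mode: null, report: null };
  for (const p of parts) {
    const [key, ...rest] = p.split("=");
    const val = rest.join("="); // a report URI may itself contain "="
    if (key.trim() === "mode") result.mode = val.trim();
    else if (key.trim() === "report") result.report = val.trim();
    else throw new Error(`unrecognised directive: ${p}`);
  }
  return result;
}

// Run a middleware against a constructed fake response object and return the
// parsed header, so the behaviour can be asserted without starting a server.
function probe(middleware) {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k.toLowerCase()] = v; } };
  let nextCalled = false;
  middleware({}, res, () => { nextCalled = true; });
  if (!nextCalled) throw new Error("middleware did not call next()");
  return parseXssProtection(headers["x-xss-protection"]);
}
```

Running `probe(xssFilterV4)` reports `enabled: false`, while `probe(xssFilterLegacy)` reports `enabled: true` with `mode: "block"`, which is exactly the flip the challenge text does not mention.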

Thanks @Sky020. Do you know if there is a way to look at docs for older versions of npm packages?

I do not think so. I believe it is up to the package developers whether this is possible. I know Mongoosejs does have the ability to view older docs, but the majority of the time, you will need to hope the changelogs are detailed enough for whatever you are looking for.
