How to totally get rid of XSS Attacks?

Good day! I feel really frustrated today since I have been looking for a good solution for an XSS attack vulnerability but haven’t found one that would completely rid me of it…

Please if you have any ideas, comment below. Thanks!

1 Like

What did your research tell you about XSS (Cross site scripting)?

I would imagine the best way to completely avoid it is have no input forms on your website! :smirk:

1 Like

The best approach is to just not use any user-entered content. But if you must display/use user-entered content, the layered approach is the next best.

  1. You can prevent specifics from being entered on the client-side, i.e. throw validation errors if they start entering <script> tags for example. This is just to prevent snooping; any serious hacker won’t be stopped by client-side validation.
  2. Add server-side validation on inputs to remove any sensitive HTML tags if possible. Depending on what you’re doing, this might be easy or super hard. You can use a well-respected lib (not a random off-the-wall one that isn’t proven) to help you out.
  3. On the client-side when “rendering” the content, you can use more parsing to remove HTML tags, or “escape” them, i.e. you actually show the content as <script>whatever</script> rather than executing it as plain HTML. There are a number of well-respected libraries and approaches out there to help you with this.

The 2nd and 3rd solutions could be done by themselves to prevent most if not all attacks, but having security on both ends is far better than relying on only 1 true defense. The 1st suggestion is primarily to make it harder for the usual person to try it out. It’s like a fence at any secure location: it won’t protect from a tank, but will prevent the average person from just walking in.
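The 2nd and 3rd layers from the reply above, worked through in JavaScript as an added example (this is not code from the thread; `escapeHtml`, `renderComment` and `isPlainText` are illustrative names, the reject-rather-than-strip policy in `isPlainText` is one assumed way to do the server-side step for fields that never need markup, and the sample comment is constructed):

```javascript
// Added example, not code from the thread.
// Layer 3: escape on output. Each HTML metacharacter becomes an entity, so
// untrusted text is rendered as text instead of being parsed as markup.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds an HTML fragment for a comment. Every untrusted value passes through
// escapeHtml before it is concatenated into markup, both in text content and
// inside a double-quoted attribute value, so neither position can break out.
function renderComment(author, body) {
  return `<li data-author="${escapeHtml(author)}">${escapeHtml(body)}</li>`;
}

// Layer 2 (assumed policy for this example): server-side validation that
// rejects input outright instead of trying to strip tags. For fields such as
// display names that never legitimately contain markup, refusing anything
// that could open a tag or attribute is simpler and safer than "cleaning" it.
function isPlainText(input, maxLen = 200) {
  return (
    typeof input === "string" &&
    input.length <= maxLen &&
    !/[<>"'&]/.test(input)
  );
}

// Constructed sample input (not real user data): an author value that tries to
// close the attribute and a body that contains the <script> tag from the reply.
const sample = {
  author: 'eve" onclick="x',
  body: "<script>whatever</script> hi",
};

console.log("author accepted by layer 2:", isPlainText(sample.author));
console.log(renderComment(sample.author, sample.body));
```

Note that `isPlainText` alone is not enough for a comment body that is allowed to contain characters such as `&` or `'`; for those fields the output escaping in `renderComment` is the layer that actually has to hold, which is why the reply recommends keeping both.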
