Cross Site Scripting XSS #272

Closed
opened 2024-11-22 23:20:07 +00:00 by tim · 2 comments
[Cross Site Scripting Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) and [Cross-site leaks Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html)

Cross Site Scripting is when an attacker injects malicious code into your web application. E.g. on a forum, an attacker places a script which is executed for every user who visits the site.

Therefore multiple steps should be taken. A layered approach is way better than relying on only one.

  1. Validate all input. E.g. in the workout API, validate that all inputs match certain criteria and don't contain e.g. script tags.
  2. Sanitize all output. Even if someone could smuggle a script tag into the database, the output should always be sanitized. Unless I'm using special / wrong functions, templ is doing this for me.
  3. Content Security Policy. By using a strict policy, even unsanitized scripts will be ignored by the browser, defending against the attack.
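One way to put the three layers into Go, as an added example that is not the template repo's own code: an allow-list validator for a hypothetical workout-name field (layer 1), stdlib HTML encoding standing in for templ's default escaping (layer 2), and a middleware that sets a strict, nonce-based CSP so an inline script that slipped through is still not executed (layer 3). The field rule and the exact CSP directives are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"html"
	"net/http"
	"regexp"
)

// Layer 1: validate input against an allow-list rather than hunting for "<script>".
// The workout-name rule (letters, digits, space, _ ' . -, 1-64 chars) is an assumption.
var workoutNameRe = regexp.MustCompile(`^[\p{L}\p{N} _'.-]{1,64}$`)

func ValidWorkoutName(name string) bool {
	return workoutNameRe.MatchString(name)
}

// Layer 2: encode output. templ does this by default; html.EscapeString stands in here
// so that a value like "<script>" reaches the browser as text, not markup.
func RenderWorkoutName(name string) string {
	return "<h1>" + html.EscapeString(name) + "</h1>"
}

// Layer 3: a fresh random nonce per response, used in a strict CSP. Only <script>
// tags carrying nonce="..." run; injected inline scripts have no valid nonce.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

func CSPHeader(nonce string) string {
	return "default-src 'self'; script-src 'nonce-" + nonce + "' 'strict-dynamic'; " +
		"object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
}

func CSPMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := NewNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", CSPHeader(nonce))
		next.ServeHTTP(w, r)
	})
}
```

In a real handler the nonce would also be passed to the view (e.g. via the request context) so templ can emit it on the app's own script tags.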
tim added this to the security milestone 2024-11-22 23:21:26 +00:00

As every output is encoded/sanitized by templ, as long as no malicious functions are used, I'm good to go. Especially because almost everything runs server side.

tim closed this issue 2024-11-23 11:31:31 +00:00
Reference: x/web-app-template#272