All geek questions in one place

XSS regular expression

What is a regular expression that can be used to determine if a string is an XSS (cross-site scripting) security risk?

+4
source share
3 answers

It depends on the context in which this string is used.

For example, if a line is printed as part of an HTML page, then the special HTML characters < , > , " and ' can potentially be XSS risks.

If it is passed through JSON, then ' and " could potentially be XSS risks.

If it is included in SQL statements (which really should not be, at least not directly - to use parameterized queries), then things like ; and backlinks can be a problem.

Et cetera.

+5
source

There can never be a bulletproof function to stop all xss, and regex isn't the best choice. XSS is highly dependent on where on the page, and bounding pointers such as " ' < > are a good start, but by no means a comprehensive solution. Even when these characters stop, there are MANY other ways to use XSS. To name a few, there are malicious href's : javascript:alert(/xss/) and event handler injections: onload=alert(/xss/) , the lower of which will be stopped if you filter for the 4 characters listed.

HTMLPurifier consists of literally thousands of regular expressions, and it goes around it all the time.

+3
source

Look for any uncoded < characters in html generated from user data. Without any < characters, html cannot be disgusting to your site.

If you want to allow user-created formatting, limit the valid html to a subset. It is not possible to verify this with regular expressions, so I recommend using a good html parser.

0
source

Source: https://habr.com/ru/post/1334599/

More articles:


All Articles