Web Security, v2

XSS Best Practices

Steve Kinney

Steve Kinney

Temporal
Web Security, v2

Check out a free preview of the full Web Security, v2 course

The "XSS Best Practices" Lesson is part of the full, Web Security, v2 course featured in this preview video. Here's what you'd learn in this lesson:

Steve discusses the importance of input validation and sanitization in web development. He explain the concept of safe syncs and safe methods for sanitizing user input. He also mention the use of tools like DOM Purify and suggest running tests to ensure that the sanitization process is effective.

Get Unlimited Access Now
Preview
Close
Get $100 Off
Get $100 Off!

Transcript from the "XSS Best Practices" Lesson

[00:00:00]
>> Steve Kinney: So we'll look at the overall, this part, input validation, sanitize on the way in, sanitize it on the way out, right? We'll talk about CSPs in a second. There are things like text content is safe, things like innerHTML, document.write, don't use the ones that just raw rights up to the DOM.

[00:00:22]
Use the ones that will sanitize on the way in, those are called safe sinks, as we'll see in a bit, and then any library or face or framework, right? And so there are some methods where it is still sanitize it. But there are methods, like text content and others that will also sanitize it also, and at least not execute it.

[00:00:44]
It won't sanitize it, but it won't execute it. And so those you know, those you can have ESLint rules for, those you can catch in code reviews, those you can scan your own code base, I'm not worried about those. Some other safe ones, just in case you're curious, these are all safe.

[00:01:01]
Hopefully, nothing's truly safe. We've seen exploits in like processor architecture, but generally speaking, for day to day use, these are all fine. And just kinda try to keep that in mind, if you go to the DOMPurify repo, you can see they have effectively the allow list, right? And so you can get a sense of what they're thinking is safe.

[00:01:24]
But again, you should use something. There is a list also on the other side of known bad strings. I made the mistake of loading these all into the database one of these example apps, and then had to shut down my computer. So don't do that, yeah, but it's one thing.

[00:01:43]
I don't do this currently, but I plan on doing it mostly as I was thinking about this a lot for this workshop, which is just simply having either a set of playwright tests or something that run through these. And I won't run them on every CICD, but maybe once a week or something.

[00:01:59]
Yeah, you can even stub alert or whatever. I'm like this function should never get called, right? Run through all of them. If we find out it's getting called, the test should fail, right? Something along those lines, that said I ran them through my app and the sanitizer got all of them presently.

[00:02:18]
So I'm not super motivated, but I think about it as well.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now