Existing protections against XSS attacks on CSP pages?
Is there any mechanism already implemented in IRIS to prevent XSS exploits?
This case happens when a user enters HTML/JavaScript content into fields and submits the page. If the saved content is rendered as is, it is going to be executed by anyone visiting the page.
What I am looking for:
- Built-in protection mechanisms that can be enabled globally (e.g. per web application) or per CSP page. Something similar to a web application firewall.
- Functions to call manually that can detect such content in fields or sanitize them (remove unwanted content). I could implement such functions myself but don't want to re-invent the wheel or to take the risk of not covering all the cases.
Comments
The two key methods here for output sanitization are:
- %CSP.Page:QuoteJS - for output sanitization targeting JavaScript string literals
- %CSP.Page:EscapeHTML - for output sanitization targeting HTML content

Note - for the HTML attribute context (see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-attribute-contexts) you should use EscapeHTML enclosed in double quotes.
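To make the three output contexts concrete, here is an added example (written for this page; it is not code from the answer above or from InterSystems) of a CSP page class that echoes a user-supplied request parameter in the HTML body, in an HTML attribute, and inside a JavaScript string literal. The class name `Demo.SafeEcho` and the parameter name `comment` are assumptions for illustration; the example also assumes, per the %CSP.Page documentation, that `QuoteJS` returns the literal with its enclosing quotes.

```objectscript
/// Added example, not from the original thread: echo one user-supplied value
/// into three output contexts, each with the encoder that matches that context.
/// Class name and request parameter name are assumptions for illustration.
Class Demo.SafeEcho Extends %CSP.Page
{

ClassMethod OnPage() As %Status
{
    // Raw user input from the query string or form post.
    // Never write this to the response as-is: that is the stored/reflected XSS sink.
    Set raw = %request.Get("comment", "")

    // 1. HTML body context: EscapeHTML turns < > & and quotes into entities,
    //    so "<script>" arrives in the browser as text, not as markup.
    Set bodySafe = ##class(%CSP.Page).EscapeHTML(raw)

    // 2. HTML attribute context: same encoder, but the attribute value must be
    //    enclosed in double quotes (per the OWASP note above) so an escaped
    //    quote in the input cannot terminate the attribute early.
    Set attrSafe = ##class(%CSP.Page).EscapeHTML(raw)

    // 3. JavaScript string-literal context: QuoteJS escapes the value and
    //    (assumption: as documented) returns it already wrapped in quotes,
    //    so the input cannot break out of the literal.
    Set jsSafe = ##class(%CSP.Page).QuoteJS(raw)

    Set %response.ContentType = "text/html"
    Write "<html><body>", !
    Write "<p>You wrote: ", bodySafe, "</p>", !
    Write "<input type=""text"" value=""", attrSafe, """>", !
    Write "<script>var comment = ", jsSafe, "; console.log(comment);</script>", !
    Write "</body></html>", !
    Quit $$$OK
}

}
```

Calling the page as `Demo.SafeEcho.cls?comment=<b>hi</b>` should render the literal text `<b>hi</b>` rather than bold text, and the input field and the JavaScript variable should both hold the same string unchanged. Picking the encoder by output context, not by input field, is the point: the same stored value may need all three encoders on a single page.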
Thanks a lot. EscapeHTML() fixed the issue.