How to prevent XSS attacks
How to prevent XSS attacks, like this:
<img src="http://www.erorerer.com/a.jpg" onerror="alert(1)" />
<script>alert(1)</script>
Issue Analytics
- Created 6 years ago
- Reactions: 4
- Comments: 8
@tuomassalo It’s really possible to sanitize stuff on the client before rendering.
I’d like to amend @DmitrySkripkin’s comment, since it can be confusing and even dangerous for inexperienced developers.
Client-side modules can never prevent XSS attacks, even in theory. A malicious user can craft an HTTP request that sends an XSS payload to the server, bypassing any client-side sanitization.
The correct way to prevent XSS attacks with rich-text editors is to enforce a whitelist of sanitization rules on the server, before storing the content. See #510 and e.g. https://github.com/punkave/sanitize-html.
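The server-side allowlist rule from the comment above, as an added example that is not code from the issue or from the editor project: a minimal sanitizer that keeps only allowlisted tags and attributes, drops every event handler such as onerror, and removes script bodies entirely. The tag and attribute lists are assumed for illustration; a real application should use a maintained library such as the sanitize-html linked above.

```javascript
// Added example, not code from the issue or from the editor project it was
// filed against: a minimal allowlist sanitizer that applies the server-side
// rule from the comment above. It handles only simple, well-formed markup;
// real applications should use a maintained library such as sanitize-html.

// Allowed tags (assumed for illustration) and, per tag, the attributes that
// survive. Everything else, including every on* event handler, is dropped.
const ALLOWED = new Map([["p", []], ["b", []], ["i", []], ["a", ["href"]], ["img", ["src", "alt"]]]);
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_URL = /^https?:\/\//i;                 // rejects javascript: and data: URLs
const NO_CONTENT = new Set(["script", "style"]);  // drop these tags and their bodies

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function sanitize(html) {
  let out = "", i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeHtml(html.slice(i)); break; }
    out += escapeHtml(html.slice(i, lt));         // text between tags is escaped
    const gt = html.indexOf(">", lt);
    if (gt === -1) { out += escapeHtml(html.slice(lt)); break; }
    i = gt + 1;
    const m = /^<(\/?)([a-z][a-z0-9]*)([\s\S]*)$/i.exec(html.slice(lt, gt));
    if (!m) continue;                             // comments, doctypes: dropped
    const closing = m[1] === "/", tag = m[2].toLowerCase(), rest = m[3];
    if (NO_CONTENT.has(tag) && !closing) {        // skip <script>...</script> entirely
      const end = html.toLowerCase().indexOf("</" + tag, i);
      const close = end === -1 ? -1 : html.indexOf(">", end);
      i = close === -1 ? html.length : close + 1;
      continue;
    }
    if (!ALLOWED.has(tag)) continue;              // unknown tag dropped, its text kept
    if (closing) { out += "</" + tag + ">"; continue; }
    let attrs = "";
    const re = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
    for (let a; (a = re.exec(rest)); ) {
      const name = a[1].toLowerCase(), value = a[2] ?? a[3] ?? a[4];
      if (!ALLOWED.get(tag).includes(name)) continue; // onerror, style, etc. removed
      if (URL_ATTRS.has(name) && !SAFE_URL.test(value.trim())) continue;
      attrs += ` ${name}="${escapeHtml(value)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out;
}
```

Run `sanitize()` over the stored rich-text content before it is persisted, never only in the browser, so a request crafted outside the editor is filtered the same way.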