
I have gone through many articles on SO and Googled a lot but could not find some good premade libraries to prevent XSS (Cross-Site Scripting) with JavaScript for Node.js and PHP for Apache. I have found a lot of code to prevent it, but aren't there some good libraries already available that I can just include and use?

  • To write such a library you would need to track if a piece of data came from inside or outside the program, flag it as potentially dangerous and then check that flag when the data was output as HTML. I don't think either JavaScript or PHP make it possible to attach such a flag to a string or to override the most common ways that a string could be output as HTML. – Quentin Jan 31 '14 at 22:29
  • Cross-Site Scripting is not always as simple as ``. You need to be aware of the context to actually prevent XSS. – Gumbo Jan 31 '14 at 22:29
  • http://stackoverflow.com/a/2652159 I've never seen a library being effective against XSS (if there is one please correct me!). If you sanitize everything, then it would be impossible to work with data that you save in the database. Not to mention there are types of XSS such as JavaScript injection too. – Dave Chen Jan 31 '14 at 22:29
  • In short: Doing this automatically is somewhere between "really really hard" and "impossible" but doing it manually is "really easy". – Quentin Jan 31 '14 at 22:29
  • Well, I was totally new to posting questions and didn't know about off-topic etc. I was facing problems in writing code for XSS prevention and that's why I asked it here. – Jan 31 '14 at 22:48
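The context problem the comments above raise, as an added example that is not code from the question or from any answer on this page: three small Node.js output encoders for three output contexts, plus a constructed sample value showing that the HTML-body encoder is not the right tool for a JavaScript string literal. All function and variable names here are this example's own.

```javascript
// Added example, not code from the question or answers: minimal
// context-aware output encoding for Node.js. The point raised in the
// comments is that the correct encoding depends on where the value lands,
// so a single "sanitize everything" filter cannot be right for every slot.

// HTML body (text node) context: neutralise the markup metacharacters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Quoted HTML attribute context: the same entity encoding is enough only
// because this helper always wraps the value in double quotes itself.
function attr(s) {
  return '"' + escapeHtml(s) + '"';
}

// JavaScript string-literal context inside <script>: the browser does not
// decode HTML entities here, so escapeHtml() would corrupt the value and,
// with escapers that leave quotes alone, would not stop a quote from
// ending the literal. Encode every non-alphanumeric as \xHH or \uHHHH.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Place one user-controlled value into all three contexts, each with the
// encoder that matches that context.
function render(name) {
  return [
    '<p>Hello, ' + escapeHtml(name) + '</p>',
    '<input value=' + attr(name) + '>',
    "<script>var user = '" + escapeJsString(name) + "';</script>",
  ].join('\n');
}

// Constructed sample value (not from the page) mixing a quote and a tag.
const SAMPLE = "O'Brien <b>";
```

Real template engines and the libraries listed in the answers bundle encoders like these; the lesson is that the caller must pick the one matching the output context, which no filter applied at input time can know.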

2 Answers


  • php-antixss
  • htmLawed
  • HTML Purifier
  • xss_clean.php filter
  • XSS Protect
  • HTML XSS Filter

You can also check out Mod Security (kind of a module).

These can be libraries to use; first go through their docs. But I would suggest you use your own code for better prevention against such attacks.

Airy

It is essentially possible to automatically prevent XSS attacks, since one little line in the code written by the end-user (the developer using such a theoretical library) can open up an attack.

It isn't possible to write such a library; you just have to be careful.

If it is a high priority project, the only thing you can really do is be careful and get a third-party security audit from a trusted source (though those usually cost several thousand at the low end).

samanime