-1

I have a small website with few users, lately i've been digging into website security and stumbled across xss attacks. I found a loophole where in my code through self testing where i could create a username as <b>username</b> and it would appear in bold. Now, any action taken by the user is sent to my server for validation, I've explicitly banned "<" & ">" chars. Will this be enough to prevent xss attacks?

Also, my text fields are very limited (10 letters), though, i guess this can be bypassed by calling the function in chrome dev tools?

Will this do or is there anything else i should be aware of? Note that this site contains no important data to be stolen or hacked, i just want it fully protected as xss attacks can be quite nasty and redirect users and what not, ultmiately i feel responsible that my site works the intended way..

Dai
  • 141,631
  • 28
  • 261
  • 374
Naitzabez
  • 1
  • 1
  • What server-side language are you using? – Dai Apr 09 '20 at 22:51
  • javascript (node js) – Naitzabez Apr 09 '20 at 22:56
  • sanitize all user data you ingest, but also sanitize it when you generate your pages. `username` might be a dumb username, but as user generated content you _need_ to do santizing not just when you ingest (e.g. accept via POST) but also when you turn it back into page data: make your server perform HTML entity replacement, and always use `textContent` in the browser, never use `innerHTML`. – Mike 'Pomax' Kamermans Apr 09 '20 at 22:56
  • yeah i added this 'code' function htmlEscape(text) { return text.replace(/&/g, '&'). replace(/ replace(/"/g, '"'). replace(/'/g, '''); }'code' – Naitzabez Apr 09 '20 at 22:58

1 Answers1

2

Use frameworks .Do not try to make the wheel again! A LOT of people have spent lots of hours to prevent XSS and more in the largest frameworks.

Preventing XSS in Node.js / server side javascript

eriksv88
  • 3,482
  • 3
  • 31
  • 50