Preventing XSS in Node.js / server side javascript


Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes,etc. from POSTed data?

I don't want to have to write a regex for all that :)

Any suggestions?

9/14/2010 12:26:10 AM

Accepted Answer

One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

  • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)

    • Relies on either a browser's DOM or jsdom for Node.JS.
  • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.

    • Supports HTML, MathML, and SVG
    • Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
  • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)

    • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
    • Has special options to sanitize further for certain common types of HTML template metacharacters.
  • They're serious about compatibility and reliability

    • Automated tests running on 16 different browsers as well as three diffferent major versions of Node.JS.
    • To ensure developers and CI hosts are all on the same page, lock files are published.
9/24/2017 11:48:57 AM

I've created a module that bundles the Caja HTML Sanitizer

npm install sanitizer

Any feedback appreciated.

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow