Cross-Site Scripting Attack Prevention

Release 1.0 - ...

Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. Common vulnerabilities that make your Web applications susceptible to cross-site scripting attacks include failing to properly validate input, failing to encode output, and trusting the data retrieved from a shared database. To protect your application against cross-site scripting attacks, assume that all input is malicious. Constrain and validate all input. Encode all output that could potentially include HTML characters, including data read from files and databases.

To help the developer, Smartsite validates the request query string and form data by default. The vipers request.query and request.data raise an error when potentially dangerous input has been submitted.

An input string is considered potentially dangerous when it contains:

  • < followed by a letter
  • <!
  • </
  • &#

You can circumvent this default behavior by using the unsafe overloads of both vipers. The check for potentially dangerous input is not performed when the parameter unsafeValue has the value true. In that case you must validate the input yourself.
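The following is an added illustration of the four-pattern check described above together with the output encoding the first paragraph calls for; it is not Smartsite's own code. It assumes "letter" means an ASCII letter (the page does not define it), and the function and sample names are constructed for the example.

```python
import html
import re

# The four patterns the page lists; input containing any of them is rejected.
# Assumption: "letter" is taken as an ASCII letter (the page does not define it).
_DANGEROUS = re.compile(r"<[A-Za-z]|<!|</|&#")


def is_potentially_dangerous(value: str) -> bool:
    """True when the input matches one of the documented patterns."""
    return _DANGEROUS.search(value) is not None


def query_value(raw: str, unsafe_value: bool = False) -> str:
    """Model of the request.query behaviour: raise on dangerous input unless
    the caller opts out with unsafe_value=True (then the caller must validate)."""
    if not unsafe_value and is_potentially_dangerous(raw):
        raise ValueError("potentially dangerous request value")
    return raw


def encode_for_html(value: str) -> str:
    """Output encoding for untrusted text placed into HTML body content."""
    return html.escape(value, quote=True)


# Constructed sample inputs (not from the original page) with expected verdicts.
SAMPLES = {
    "hello world": False,
    "1 < 2 and 3 > 2": False,       # "<" followed by a space is allowed
    "<b>bold</b>": True,            # "<" + letter, and "</"
    "<!-- comment -->": True,       # "<!"
    "&#60;script&#62;": True,       # numeric character reference "&#"
    "fish &amp; chips": False,      # a named entity is not "&#"
}


def classify_samples() -> dict:
    """Run the check over every sample; compare with SAMPLES to verify it."""
    return {s: is_potentially_dangerous(s) for s in SAMPLES}
```

Note that the check only blocks the listed patterns; it is a safety net, not a substitute for encoding every untrusted value on output.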