Preventing XSS in Node.js / server side javascript

Tags: xss, node.js, server-side javascript

Xss Problem Overview


Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes, etc. from POSTed data?

I don't want to have to write a regex for all that :)

Any suggestions?

Xss Solutions


Solution 1 - Xss

I've created a module that bundles the Caja HTML Sanitizer

npm install sanitizer

http://github.com/theSmaw/Caja-HTML-Sanitizer

https://www.npmjs.com/package/sanitizer

Any feedback appreciated.

Solution 2 - Xss

One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

  • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)

    • Relies on either a browser's DOM or jsdom for Node.JS.
  • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.

    • Supports HTML, MathML, and SVG
    • Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
  • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)

    • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
    • Has special options to sanitize further for certain common types of HTML template metacharacters.
  • They're serious about compatibility and reliability

    • Automated tests running on 16 different browsers as well as three different major versions of Node.JS.
    • To ensure developers and CI hosts are all on the same page, lock files are published.

Solution 3 - Xss

All usual techniques apply to node.js output as well, which means:

  • Blacklists will not work.
  • You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
  • You're supposed to HTML-escape text in HTML output.

I'm not sure if node.js comes with some built-in for this, but something like that should do the job:

function htmlEscape(text) {
   return text.replace(/&/g, '&amp;').  // & must be escaped first, or the entities below get double-escaped
     replace(/</g, '&lt;').             // it's not necessary to escape >
     replace(/"/g, '&quot;').
     replace(/'/g, '&#039;');
}
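The principle in this answer carried through to a full render, as an added example that is not code from the answer: the `escapeHtml` function is the answer's entity table with `>` included, and the `submitted` record, the two `renderProfile*` functions, the `html` tagged template and the helpers are all constructed for this illustration. It shows the stored data staying exactly as it was POSTed, the same template rendered unsafely and safely, and what escaping on input would have done to an ampersand. Escaping of this kind covers the HTML text and quoted-attribute contexts only; a value placed into an `href`, an `on*` handler or an inline script needs a different treatment.

```javascript
// Added example: escape at the HTML output boundary, not on input.
// Everything here is constructed for illustration; none of it is library code.

// Constructed sample of what arrived in a POST body. It is stored untouched.
const submitted = {
  name: 'Mary "M&M" O\'Brien <script>alert(1)</script>',
  bio: 'Likes <b>bold</b> & C++',
};

// Escaper for the HTML text and quoted-attribute contexts. '&' goes first so
// the entities produced by the later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: raw data is interpolated into markup, so the stored <script>
// text becomes a script element in the page.
function renderProfileUnsafe(user) {
  return `<h1>${user.name}</h1>` +
         `<p>${user.bio}</p>` +
         `<input name="name" value="${user.name}">`;
}

// Hardened: the same template, escaping each value where it meets HTML.
function renderProfile(user) {
  return `<h1>${escapeHtml(user.name)}</h1>` +
         `<p>${escapeHtml(user.bio)}</p>` +
         `<input name="name" value="${escapeHtml(user.name)}">`;
}

// A tagged template that escapes every interpolation, so a forgotten
// escapeHtml() call is no longer possible in the templates that use it.
function html(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// What "filtering input" would do instead: the escaper run on the way in
// and again on the way out turns one '&' into '&amp;amp;' on screen.
function escapedTwice(value) {
  return escapeHtml(escapeHtml(value));
}

// Crude marker used only to show the difference between the two renders.
function containsTag(markup, tag) {
  return markup.toLowerCase().includes('<' + tag);
}

console.log(renderProfileUnsafe(submitted));
console.log(renderProfile(submitted));
console.log(html`<p>${submitted.bio}</p>`);
console.log(escapedTwice('&'));
```

The `html` tag is the shape most template engines end up with: every `${}` is escaped unless the author explicitly opts out, which is the default you want in a server-rendered Node app.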

Solution 4 - Xss

I recently discovered node-validator by chriso.

Example

// `app` is assumed to be an Express app with the validator middleware mounted,
// which is what adds req.sanitize()
app.get('/', function (req, res) {

  // Sanitize user input
  req.sanitize('textarea').xss(); // No longer supported
  req.sanitize('foo').toBoolean();

  res.end();
});

XSS Function Deprecation

The XSS function is no longer available in this library.

https://github.com/chriso/validator.js#deprecations

Solution 5 - Xss

You can also look at ESAPI. There is a javascript version of the library. It's pretty sturdy.

Solution 6 - Xss

In newer versions of validator module you can use the following script to prevent XSS attack:

  var validator = require('validator');

  // replaces <, >, &, ', " and / with their HTML entities
  var escaped_string = validator.escape(someString);

Solution 7 - Xss

Try out the npm module strip-js. It performs the following actions:

  • Sanitizes HTML
  • Removes script tags
  • Removes attributes such as "onclick", "onerror", etc. which contain JavaScript code
  • Removes "href" attributes which contain JavaScript code

https://www.npmjs.com/package/strip-js
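The claim in Solution 3 that blacklists will not work, and the `href` stripping that Solution 7 lists, shown side by side as an added example that is not code from strip-js or from any answer: `blacklistHref`, `whitelistHref`, `decodeEntities`, `SAFE_SCHEMES`, `BASE` and the sample hrefs are all constructed here. The whitelist side leans on Node's built-in WHATWG `URL` parser, which drops leading control characters and embedded tabs and newlines before it decides on a scheme, the same way a browser does when it follows the link.

```javascript
// Added example: a blacklist check on href values versus a scheme whitelist.
// Everything here is constructed for illustration; it is not strip-js code.

// Naive blacklist: rejects only a literal "javascript:" prefix.
function blacklistHref(href) {
  return /^\s*javascript:/i.test(href) ? null : href;
}

// Schemes the whitelist accepts. Relative URLs resolve against BASE and
// therefore come out as https: as well.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://example.invalid/';

// Named references that matter for URL smuggling, plus the numeric forms.
// An HTML parser would already have decoded these; raw attribute text has not.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', Tab: '\t', NewLine: '\n' };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[A-Za-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Whitelist: decode entities, normalise the way the URL parser will,
// then accept only known schemes. Returns the normalised href or null.
function whitelistHref(href) {
  const cleaned = decodeEntities(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '') // leading/trailing C0 + space
    .replace(/[\t\n\r]/g, '');                             // tab/newline anywhere
  let url;
  try {
    url = new URL(cleaned, BASE);
  } catch (e) {
    return null;                                           // unparseable: drop it
  }
  return SAFE_SCHEMES.has(url.protocol) ? cleaned : null;
}

// Constructed sample hrefs, including the classic filter bypasses.
const SAMPLE_HREFS = [
  'https://example.com/a?b=1',
  '/relative/path?x=1',
  'javascript:alert(1)',
  'java\tscript:alert(1)',
  '\u0001javascript:alert(1)',
  'javascript&colon;alert(1)',
  '&#106;avascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

// One row per href: what each approach does with it.
function compare(hrefs) {
  return hrefs.map((h) => ({
    href: h,
    blacklist: blacklistHref(h) !== null ? 'allowed' : 'blocked',
    whitelist: whitelistHref(h) !== null ? 'allowed' : 'blocked',
  }));
}

console.table(compare(SAMPLE_HREFS));
```

Of the eight sample hrefs the blacklist stops exactly one, the literal `javascript:` spelling; every other dangerous variant passes. The whitelist never has to know what the next bypass looks like, because anything that is not `http:`, `https:` or `mailto:` after normalisation is dropped. Run on a real page you would apply it to the already-decoded attribute value from an HTML parser and skip the entity step.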

Solution 8 - Xss

You should try library npm "insane". https://github.com/bevacqua/insane

I tried it in production; it works well. Size is very small (around 3kb gzipped).

  • Sanitizes html
  • Removes all attributes or tags that evaluate JS
  • You can allow attributes or tags that you don't want sanitized

The documentation is very easy to read and understand. https://github.com/bevacqua/insane

Solution 9 - Xss

Update 2021-04-16: xss is a module used to filter input from users to prevent XSS attacks.

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist.

Visit https://www.npmjs.com/package/xss
Project Homepage: http://jsxss.com

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type: Original Author (original content on Stackoverflow)
Question: Techwraith
Solution 1 - Xss: theSmaw
Solution 2 - Xss: ssokolow
Solution 3 - Xss: Kornel
Solution 4 - Xss: Baggz
Solution 5 - Xss: jeandenis
Solution 6 - Xss: Paramore
Solution 7 - Xss: Shivanshu Goyal
Solution 8 - Xss: Renan Bronchart
Solution 9 - Xss: Frank