Preventing XSS in Node.js / server side javascript

Asked  11 Months ago    Answers:  5   Viewed   183 times

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes,etc. from POSTed data?

I don't want to have to write a regex for all that :)

Any suggestions?

 Answers

1

One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

  • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)

    • Relies on either a browser's DOM or jsdom for Node.JS.

  • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.

    • Supports HTML, MathML, and SVG
    • Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.

  • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)

    • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
    • Has special options to sanitize further for certain common types of HTML template metacharacters.

  • They're serious about compatibility and reliability

    • Automated tests running on 16 different browsers as well as three diffferent major versions of Node.JS.
    • To ensure developers and CI hosts are all on the same page, lock files are published.
Tuesday, July 27, 2021
 
Sidarta
 
Sidarta
5

If all you want to do is spin up a lightweight HTTP server while still programming with C# and .Net you should give Kayak a chance. It is a lightweight HTTP Server for C# and behaves kind of like node.js in that sense.

kayakhttp

Update:

If you are looking for a lightweight HTTP Server to handle web requests you have a couple alternatives today:

  • ServiceStack (recommended)
  • Microsoft WebAPI
  • NancyFx

To my knowledge all the above work on some version of Mono, so you can still host them across both Windows and Unix based systems.

Monday, June 21, 2021
 
pamelus
 
pamelus
3

node.js uses an event-loop model which is not really a good fit with the current App Engine design.

However, there are several projects that bring JavaScript to App Engine. Check out App Engine issue 35 to read about some of the solutions. The highlights are: Rhino, Rhino For Webapps, if you like Python check out AppengineJS. I have also heard that RingoJS might be worth looking into.

Sunday, August 8, 2021
 
user3723041
 
user3723041
1

Google is now supporting custom language on Google App Engine. So we can do Node.js

https://www.youtube.com/watch?v=Q8jZHc0NS6A

https://developers.google.com/cloud/managed-vms

Sunday, September 26, 2021
 
Alix
 
Alix
5

What is needed to make serverside javascript work on Apache server?

You include mod_js in your httpd.conf and then write JavaScript

check this article to get started

Where can we get any information and samples about SSJS in Apache server?

This is a good answer on SO which talk about running nodejs on apache

Thursday, January 6, 2022
 
Brian
 
Brian
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
 
Share
Related Answers
17
 How to Create an anti-request forgery state token In google+ server side sign-up
21
 Requesting a website by client side script = Cross Side Scripting Hack. But requesting a website by server side...
23
 how to build a in-memory server side cache in php?
11
 When and how do you use server side JavaScript? [closed]
17
 Get access token on server side javascript (nodejs) using google authorization code received from client side
12
 How to use timer in Vapor (server-side Swift)?
29
 Server Side Javascript: Why?
12
 How can I get the event while page close in blazor server-side?
6
 Jade template with variables (nodejs server side)
23
 How to Localize validation message (DataAnnotationsValidator) in blazor server side
Top Answers Related To

xss,node.js,serverside-javascript

25
 node.js running alongside Apache PHP?
25
 Interpreting JavaScript in PHP
21
 How to wrap async function calls into a sync function in Node.js or Javascript?
33
 Using a .NET DLL in Node.js / serverside javascript
26
 Is there a way to test circular reference in JavaScript?
13
 Modify Node.js req object parameters
24
 Are there any static Call-Graph and/or Control-Flow-Graph API for JavaScript? [closed]
20
 Is it possible to develop a Google App Engine web app using Node.js or some other server side JavaScript approach?
21
 Javascript server side?
18
 node.js mongodb javascript scoping confusion
Copyrights Full Stack User 2022 · Privacy · About Us · Terms of Use · Contact us ·