
Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing JavaScript in hrefs, onclick attributes, etc. from POSTed data?

I don't want to have to write a regex for all that :)

Any suggestions?



One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

  • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)

    • Relies on either a browser's DOM or jsdom for Node.JS.
  • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.

    • Supports HTML, MathML, and SVG
    • Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
  • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)

    • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
    • Has special options to sanitize further for certain common types of HTML template metacharacters.
  • They're serious about compatibility and reliability

    • Automated tests running on 16 different browsers as well as three different major versions of Node.JS.
    • To ensure developers and CI hosts are all on the same page, lock files are published.
Tuesday, July 27, 2021
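
The per-attribute policy that a whitelist sanitizer such as the Caja sanitizer or DOMPurify applies once the HTML has been parsed, as an added example that is not code from the original answer or from either library. It assumes the markup has already been parsed by a real HTML parser (jsdom on Node.js) and that you are visiting each element's attributes; the entity table, the attribute allowlist and the scheme allowlist are illustrative choices made for this example, not DOMPurify's configuration. It shows why the regex the questioner wanted to avoid is the wrong tool for `href`: the check has to decode character references and strip the tab, newline and control characters a browser's URL parser ignores before it looks at the scheme, and it has to be an allowlist of schemes rather than a blocklist of `javascript:`.

```javascript
// Added example: per-attribute policy for a whitelist HTML sanitizer.
// Assumes the HTML has already been parsed (e.g. by jsdom) and you are
// walking each element's attributes; nothing here parses HTML itself.

// Named references an HTML parser decodes inside attribute values
// (illustrative subset; a real sanitizer gets this from the DOM).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', Tab: '\t', NewLine: '\n', nbsp: '\u00a0',
};

// Decode numeric (&#106; &#x6A;, with or without ';') and the named
// references above. Unknown names are left as-is, as a browser would.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : m;
  });
}

// Apply what a browser's URL parser does before reading the scheme:
// drop leading/trailing C0 controls and spaces, and drop ASCII
// tab/newline anywhere. This is why "java\nscript:" still runs.
function normalizeUrl(raw) {
  return decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Allowlist of schemes (assumption for this example). javascript:,
// vbscript: and data: are rejected simply by not being listed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// True for relative URLs and for absolute URLs with an allowed scheme.
function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  // A scheme is an ASCII letter followed by letters, digits, '+', '.', '-'
  // and then ':'. "foo/bar:baz" has no scheme and is a relative path.
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Attributes that carry a URL and therefore need isSafeUrl when allowed.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'poster']);

// Attribute allowlist (assumption for this example). Every on* event
// handler, style and srcdoc are absent and so dropped; id and name are
// left out as well because they enable DOM clobbering.
const ALLOWED_ATTRIBUTES = new Set(['href', 'src', 'alt', 'title', 'class', 'rel']);

// Given the attributes of one parsed element, return the ones to keep.
function filterAttributes(attrs) {
  const kept = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (!ALLOWED_ATTRIBUTES.has(name)) continue;
    if (URL_ATTRIBUTES.has(name) && !isSafeUrl(value)) continue;
    kept[name] = value;
  }
  return kept;
}

// Constructed sample: the attributes of <a href=" &#106;avascript:alert(1)"
// onclick="steal()" title="ok">. Only title survives.
const SAMPLE_LINK = {
  href: ' &#106;avascript:alert(1)',
  onclick: 'steal()',
  title: 'ok',
};
const SAMPLE_RESULT = filterAttributes(SAMPLE_LINK);
```

In a real application you would hand the dirty HTML to DOMPurify.sanitize() with jsdom supplying the window and let its URI allowlist do this work; the example only makes visible what happens to that link on the way through: onclick goes because it is not on the attribute allowlist, and href goes because, after entity decoding and trimming, its scheme is javascript. A `/^javascript:/i` test on the raw attribute value would have passed it.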

If all you want to do is spin up a lightweight HTTP server while still programming with C# and .NET, you should give Kayak a chance. It is a lightweight HTTP server for C# and behaves kind of like node.js in that sense.



If you are looking for a lightweight HTTP server to handle web requests, you have a couple of alternatives today:

  • ServiceStack (recommended)
  • Microsoft WebAPI
  • NancyFx

To my knowledge all of the above work on some version of Mono, so you can still host them across both Windows and Unix-based systems.

Monday, June 21, 2021

node.js uses an event-loop model which is not really a good fit with the current App Engine design.

However, there are several projects that bring JavaScript to App Engine. Check out App Engine issue 35 to read about some of the solutions. The highlights are: Rhino, Rhino For Webapps, if you like Python check out AppengineJS. I have also heard that RingoJS might be worth looking into.

Sunday, August 8, 2021

Google now supports custom languages on Google App Engine, so we can run Node.js.

Sunday, September 26, 2021

What is needed to make serverside javascript work on Apache server?

You include mod_js in your httpd.conf and then write JavaScript

Check this article to get started.

Where can we get any information and samples about SSJS in Apache server?

This is a good answer on SO which talks about running Node.js on Apache.

Thursday, January 6, 2022