What are the best practices to prevent XXS attacks? - XXS Best Practices
I have a text field that allows the user to type whatever the user wants. After saving, the results are later displayed on the screen to potentially to a large audience. XSS seems a bit like black magic to me, so I am wondering what the current XXS best practices are for handling this situation (from specific ways to sanitize input to specific ways to encode HTML to display)?
Compose your HTML using an auto-escaping template language that, by default, escapes untrusted inputs for you. For example, Django templates escape HTML special characters:
Clearly, user-submitted data shouldn't be trusted blindly and inserted directly into your Web pages, because a malicious user could use this kind of hole to do potentially bad things. This type of security exploit is called a Cross Site Scripting (XSS) attack. To avoid this problem, you have two options:
- You can make sure to run each untrusted variable through the escape filter, which converts potentially harmful HTML characters to unharmful ones. This was the default solution in Django for its first few years, but the problem is that it puts the onus on you, the developer / template author, to ensure you're escaping everything. It's easy to forget to escape data. You can take advantage of Django's automatic HTML escaping. The remainder of this section describes how auto-escaping works. By default in Django, every template automatically escapes the output of every variable tag.