Quote:
Originally Posted by sbhmf
basically, my question is to all readers here who mitigate scripting attack risk on the client side, what is your preferred method, and why?
Client-side scripting has nothing to do with XSS attacks. I know that sounds funny, but it's true. XSS results from a failure of the server, which saves and re-distributes user-entered data without sanitizing it correctly.
Simply put, a hacker won't abuse your web page to inject JS into your comment form; he will simply use a curl script that ignores any JavaScript on the page.
In theory, using AJAX, it might be possible to filter XSS from user-entered data, but the page would not work without JS, the content would be invisible to search engines by default, and you would have to maintain your scrubber code as new escape sequences and attack patterns are developed.
Usually, the raw values don't show up from AJAX; they hide in a <title> tag on an items view page, or in the title attribute of a list view. Again, this points to the fact that the issue is in the HTML delivered by the server, not the JS code itself. By the time any of your JS executes, it's already too late...
EDIT:
Just to be clear: the bottom line is that you MUST sanitize your data on the server, not using client-side JavaScript.
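The server-side escaping the post insists on, as an added example (not code from the original post or its author): a Node.js snippet that escapes user-entered data at the point where the server writes it into HTML, covering the two spots the post names, the <title> element and a title="..." attribute. The item record, the renderItemPage() helper and the hostile name value are all constructed for this example; the hostile value stands in for what a curl script could POST directly, skipping whatever JavaScript the comment form runs.

```javascript
// Added example, not from the original post: server-side HTML escaping applied
// where user-entered data is written into the page. Nothing here depends on
// the browser or on client-side JS having filtered the value first.

// Characters that must be neutralised before a value lands in HTML text or
// in a quoted attribute value. Escaping all five covers both contexts.
const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for use as element text (e.g. inside <title>) or inside a
// double- or single-quoted attribute (e.g. title="..."). Ampersand is in the
// set so an already-escaped string cannot be smuggled through as-is.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render the "items view" page described in the post. Every interpolation of
// attacker-controllable data goes through escapeHtml(); the raw value never
// reaches the HTML the server sends.
function renderItemPage(item) {
  const name = escapeHtml(item.name);
  return [
    '<!doctype html>',
    '<html><head><title>' + name + '</title></head>',
    '<body>',
    '<ul>',
    '  <li title="' + name + '">' + name + '</li>',
    '</ul>',
    '</body></html>',
  ].join('\n');
}

// Constructed sample input (hypothetical): the kind of value a curl script
// would submit straight to the server, bypassing any form-side JavaScript.
// It tries to close the attribute/element it lands in and open a script tag.
const HOSTILE_ITEM = {
  name: '"><script>alert(document.cookie)</script><"',
};

// True when the rendered page contains neither the raw payload nor an
// unescaped <script> tag, i.e. the submitted value has been made inert.
function pageIsInert(html, payload) {
  return !html.includes(payload) && !html.includes('<script>');
}

// Stand-alone run: print the rendered page and whether the payload is inert.
const renderedPage = renderItemPage(HOSTILE_ITEM);
console.log(renderedPage);
console.log('payload inert:', pageIsInert(renderedPage, HOSTILE_ITEM.name));
```

escapeHtml() is only correct for HTML text and quoted attribute values; a value written into a JavaScript string, a URL, or a CSS rule needs that context's own encoding, and an unquoted attribute (title=...) is not protected by this function at all, so always quote attributes in the template.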