
XSS filtering

We all know this type of attack as XSS (much has been written about its variants and the ways it is applied), we all know what damage such an attack can do, and that incoming data must always be checked for XSS - this is written about everywhere.

But there is practically no information about what exactly to defend against and how to do it.

I am a web developer who created my own CMS, on the basis of which I build websites (why did I reinvent the wheel? That is not the topic of this discussion). Having done a detailed analysis, I realized that its defenses were frankly weak and tried to find a solution to the problem. I found a large, detailed collection of possible XSS attacks - these will be the test attacks that should be filtered.

The search and testing showed that only one candidate fully coped with the task - HTML Purifier. This filtering library is written in PHP and has extensive configuration options.
Everything about this library is excellent except for one thing - it uses 4.2 MB of memory while running, which, in my opinion, is too much.
The rest of the candidates either failed to pass all the tests, or were so outdated that only dead links to them remained.

I understand that this filter will rarely run (only to check incoming data from potentially dangerous visitors), but by my own convictions I try to optimize everything as much as possible.

Perhaps someone has information about a better, more optimized filter?
It is not a problem if it is written in another language.

Ideally, I am looking for a simple and fast function that reliably filters XSS attacks.
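As an added illustration (not code from the original post, nor from HTML Purifier): what a library like HTML Purifier does, reduced to its core, is allow-list sanitization on top of a real HTML parser, rather than a regex blacklist that the test collection mentioned above is designed to slip past. The example below is in Python rather than the author's PHP, uses only the standard library, and its tag/attribute allow-lists and the SAMPLE input are constructed for this demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # every other attribute (onclick, style, ...) is dropped
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative URLs
RAW_TEXT_TAGS = {"script", "style"}  # their contents are discarded, not escaped

def safe_url(value):
    # Browsers ignore whitespace/control chars inside a scheme ("java\tscript:" still runs).
    cleaned = "".join(c for c in (value or "") if c.isprintable() and not c.isspace())
    try:
        return urlsplit(cleaned).scheme in SAFE_SCHEMES
    except ValueError:  # malformed URL (e.g. unbalanced IPv6 brackets): reject it
        return False

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&lt;" arrives as "<" and is re-escaped below
        self.out, self.raw_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth += 1
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content (if any) stays, escaped
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or safe_url(value)):
                kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth = max(0, self.raw_depth - 1)
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.raw_depth == 0:
            self.out.append(escape(data))  # text nodes can never become markup

def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()  # flushes text buffered by convert_charrefs
    return "".join(p.out)

SAMPLE = ('<p>Hi <b onclick="steal()">there</b></p><script>alert(1)</script><a href="java\tscript:x">bad</a>'
          '<a href="https://example.com">ok</a><img src=x onerror=alert(1)>&lt;i&gt;literal&lt;/i&gt;')
```

Running sanitize(SAMPLE) keeps the paragraph, bold text and the https link, drops the event handler, the script block, the image and the javascript: href, and leaves the already-escaped text as text.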

Source: https://habr.com/ru/post/56372/
