Preventing XSS in Node.js / server side javascript

Backend · Unresolved · 8 · 1896
花落未央 2020-12-07 10:24

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes, etc. from POSTed dat

8 answers
  • 2020-12-07 10:49

    You can also look at ESAPI. There is a javascript version of the library. It's pretty sturdy.

  • 2020-12-07 10:57

    One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

    Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

    Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

    • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)
      • Relies on either a browser's DOM or jsdom for Node.JS.
    • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.
      • Supports HTML, MathML, and SVG
      • Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
    • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)
      • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
      • Has special options to sanitize further for certain common types of HTML template metacharacters.
    • They're serious about compatibility and reliability
      • Automated tests running on 16 different browsers as well as three different major versions of Node.JS.
      • To ensure developers and CI hosts are all on the same page, lock files are published.
  • 2020-12-07 11:03

    I recently discovered node-validator by chriso.

    Example

    get('/', function (req, res) {
      // Route handler (app.get in Express); req.sanitize is added by the
      // node-validator / express-validator middleware
      // Sanitize user input
      req.sanitize('textarea').xss(); // No longer supported
      req.sanitize('foo').toBoolean();
    });

    XSS Function Deprecation

    The XSS function is no longer available in this library.

    https://github.com/chriso/validator.js#deprecations

  • 2020-12-07 11:04

    All usual techniques apply to node.js output as well, which means:

    • Blacklists will not work.
    • You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
    • You're supposed to HTML-escape text in HTML output.

    I'm not sure if node.js comes with some built-in for this, but something like that should do the job:

    function htmlEscape(text) {
      return text.replace(/&/g, '&amp;').   // ampersand first, so the other escapes are not double-escaped
        replace(/</g, '&lt;').              // it's not necessary to escape >
        replace(/"/g, '&quot;').
        replace(/'/g, '&#039;');
    }
    
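An added example, not from any answer in this thread, that pairs the output-escaping approach above with a parsed-scheme allowlist for user-supplied hrefs (the case the question raises). The function names and the `https://example.invalid/` base URL are my own choices, not anything from a library discussed here.

```javascript
// Added example: context-aware HTML escaping plus an href scheme allowlist.
// Function names and the base URL are assumptions made for this illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only these schemes may appear in a user-supplied href.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Allowlist check on the *parsed* scheme. Using the WHATWG URL parser
// (Node's global URL) means case, surrounding whitespace and embedded
// tab/newline characters are normalised before the comparison, which a
// regex blacklist would have to reproduce by hand. Relative URLs resolve
// against a placeholder base and so pass as https. Restricting hosts,
// if wanted, is a separate check on url.host.
function isSafeHref(href) {
  try {
    return SAFE_SCHEMES.has(new URL(String(href), 'https://example.invalid/').protocol);
  } catch {
    return false; // unparsable input never reaches the page
  }
}

// Render an anchor from an untrusted label and href. An unsafe href is
// dropped rather than "cleaned": the label is kept as plain escaped text.
function renderLink(label, href) {
  const text = escapeHtml(label);
  if (!isSafeHref(href)) return `<span>${text}</span>`;
  return `<a href="${escapeHtml(href)}">${text}</a>`;
}

// Constructed sample input, as it might arrive in a POST body.
const samples = [
  ['Docs', 'https://example.com/docs?a=1&b=2'],
  ['Home', '/index.html'],
  ['<b>bold</b>', 'javascript:alert(1)'],
  ['x', ' JaVaScRiPt:alert(1)'],
];
for (const [label, href] of samples) console.log(renderLink(label, href));
```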
  • 2020-12-07 11:07

    You should try the npm library "insane". https://github.com/bevacqua/insane

    I tried it in production; it works well. Size is very small (around ~3kb gzipped).

    • Sanitizes html
    • Removes all attributes or tags that evaluate js
    • You can allow attributes or tags that you don't want sanitized

    The documentation is very easy to read and understand. https://github.com/bevacqua/insane

  • 2020-12-07 11:09

    Try out the npm module strip-js. It performs the following actions:

    • Sanitizes HTML
    • Removes script tags
    • Removes attributes such as "onclick", "onerror", etc. which contain JavaScript code
    • Removes "href" attributes which contain JavaScript code

    https://www.npmjs.com/package/strip-js
