XSS Sanitation / Protection? about alumni-network HOT 12 CLOSED

What is the threat?

from alumni-network.

@firgon000 I don't know a whole lot about XSS, but @Bigghead mentioned it to me early on in this process. I would think people attempting to write scripts in our text areas where there is actually some room - bio, mentorship bio, etc.

Not sure what could actually be accomplished if someone did...

from alumni-network.

Looking for @Bigghead's expertise on this one.

from alumni-network.

I've used something simple like express-sanitizer to get rid of script tags on the server.

Some of the things people can easily do with XSS:

• On the more harmless side, somebody can just write a setInterval alert script on a page, making it super annoying to load/unusable.

Or

• A user writes a window.open script that will automatically redirect to a malicious site on page load. Imagine if they got this script saved in their profile page's DB. Everybody that visits their profile gets redirected to a new site.

from alumni-network.

Or Helmet.js.

from alumni-network.

@Bigghead @no-stack-dub-sack I think React helps sanitize input for us? Like I don't care what script you write in any of our inputs, but it will just show up as that string of text later on...? Try it out on the live demo app if you can window.open anything then we'll need to take a second look. I just tried a few things myself, nothing. Did find another chat bug tho. 😭 💀

from alumni-network.

@Bigghead @bonham000

FCC Alumni Network CISO: Shav "Big Head" Parta

from alumni-network.

lolz

from alumni-network.

@bonham000 is right, I just read React helps prevents XSS, as they automatically escape certain html strings in inputs.

from alumni-network.

React 👑

from alumni-network.

React is freakin awesome. That window.open trick broke my voting app the first time.

I don't think we should worry about XSS injections too much (at all) with this app

from alumni-network.

MEEN Stack?

from alumni-network.