

sxss-vulnerability-demo-app
This is a demo application that demonstrates proper sanitization of raw HTML entered via a rich text editor.
To run this application, first clone the demo app repo and follow the "Running the application" instructions in its readme.md file.
DOMPurify
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.
Let's take a look at how we implement sanitization in the secure version of our vulnerable application. Since this application is written primarily in JavaScript, we use the dompurify library for client-side sanitization and the isomorphic-dompurify library for server-side sanitization. In the app.js program that acts as our web server, you will find an Express endpoint /sanitized with a GET and a POST implementation:
Another sign that your application might be vulnerable to SXSS is simply whether or not you are using a rich text editor, such as TinyMCE or CKEditor.