
I am generating a search output based on a user query and generating search result pages like this

location.href = root_url + "SearchCenter/Pages/internal.aspx" + "?q=" + st

I am looking into protecting against XSS attacks.

I am using encodeURI to protect against the attack with

encodeURI("http://Server.com/SearchCenter/Pages/internal.aspx?q=<script>alert('dd')</script>)")

which outputs

http://server.com/SearchCenter/Pages/internal.aspx?q=%3Cscript%3Ealert('dd')%3C/script%3E)

Now what if, instead of a tag, they enter JavaScript:Alert('dd'), which encodeURI would not protect against?

So my question is: is there any JS library or function that I can use to protect against URL XSS attacks?

    Nothing on the client-side is protected if the user doesn't want it to be. It's the server-side that needs to have protections put in place. Commented May 11, 2015 at 15:46

1 Answer


You should solve this server side. Never trust the client so whatever it sends should be vetted on the server before being rendered in the HTML. So accept whatever they send and use a server component to make sure that whatever gets outputted is safe.
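The server-side handling the answer recommends, as an added example that is not code from the question or the answer; it uses only Node.js built-ins, and the root URL, function names and sample inputs are assumptions. It also shows why the client should build the URL with encodeURIComponent rather than encodeURI, and why a javascript: value needs a scheme check rather than encoding when it is reflected into an href.

```javascript
// Added example (not from the question or answer): client-side URL building
// plus the server-side output handling the answer recommends. Node.js, no deps.

// Client side: encodeURIComponent also encodes '&', '=', '/', '?' and '#', so
// the search term cannot break out of the q= parameter. encodeURI leaves those
// characters alone because it expects a complete URL.
function buildSearchUrl(rootUrl, searchTerm) {
  return rootUrl + "SearchCenter/Pages/internal.aspx?q=" + encodeURIComponent(searchTerm);
}

// Server side: whatever q= turns out to be, HTML-encode it before placing it
// in the page body. This neutralises <script> and any other tag.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Server side: if the term is ever reflected into an href, encoding is not
// enough (javascript:alert(1) contains no HTML special characters), so allow
// only explicit http/https URLs and fall back to an inert value otherwise.
function safeHref(candidate) {
  try {
    const url = new URL(String(candidate));
    if (url.protocol === "http:" || url.protocol === "https:") return url.href;
  } catch (_) { /* not an absolute URL at all */ }
  return "#";
}

// Server side: render the result page for the received q value.
function renderResultsPage(q) {
  return "<p>Results for <strong>" + escapeHtml(q) + "</strong></p>" +
         '<a href="' + escapeHtml(safeHref(q)) + '">open as link</a>';
}

// Demo with constructed inputs (hypothetical root URL).
if (typeof require !== "undefined" && require.main === module) {
  console.log(buildSearchUrl("http://server.example/", "a&b=<script>"));
  console.log(renderResultsPage("<script>alert('dd')</script>"));
  console.log(renderResultsPage("javascript:alert('dd')"));
}
```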
