Type 0 (DOM-Based) XSS Prevention for JSP Applications
Unlike the standard XSS attacks, which rely on dynamic web pages, a DOM-based XSS attack does not require sending any malicious code to the server and thus can also use static HTML pages. My humble question is whether a developer can securely code a page in such a way that such attacks can be prevented. What is/are the techniques to use? My belief is that the request must still pass from the client to the server irrespective of whether the page is static or dynamic and thus t开发者_高级运维his makes me think and wonder whether server-side checks are still possible to detect such an attack?
In order for malicious code to get on your page, you have to be putting unescaped, attacker-provided text onto the page. It does not matter if you are doing it server-side with PHP, or client-side with Javascript -- You must escape any input you receive before you turn it into output.
Use the same discipline with your javascript that you do with your server side code.
精彩评论