June 6, 2023

Google, Mozilla, and security firm Cure53 have come together to develop an application programming interface (API) that provides a systematic solution to HTML sanitization which will prevent XSS attacks without the need for third-party libraries.

Preventing XSS attacks

Web applications are often required to handle dynamic HTML content in the browser, such as when rendering user-generated content or dealing with templates.

Client-side HTML processing often causes security holes and malicious actors use them to stage XSS attacks and steal user information or send web commands on users. XSS issues occurred due to java script inception getting added to attacker toolbox

Content-Security Policy (CSP), a set of HTTP header directives that help mitigate XSS attacks by putting restrictions on how web pages handle different types of content. But CSP has not gained the traction its creators hoped.

Sanitization libraries

Many developers rely on open-source JavaScript libraries such as DOMPurify to prevent XSS attacks. DOMPurify takes an HTML string as input and sanitizes it by escaping and removing potentially vulnerable parts.

To ensure that the HTML sanitizer works correctly on new input, it needs to keep up with this standard. The failure to do so can be catastrophic and lead to sanitizer bypasses.The new HTML Sanitizer API has been developed by Google, Mozilla, and the wider security community

Native HTML sanitization


The HTML Sanitizer API bakes XSS mitigation functionality directly into the browser. Developers can instantiate and use the API’s sanitizer class without the need to import external libraries.

Browsers already have baked-in sanitizers for clipboard data, Just use the built-in sanitizer; you don’t need to include any external libraries!’

Testing the API

The HTML Sanitizer API will not prevent mutated XSS attacks and attacks that exploit server-side vulnerabilities. With extra configuration, however, it can prevent DOM clobbering and XSS attacks based on script gadgets.

An experimental implementation of the API has been integrated into Firefox Nightly and Chrome Canary, the test versions of the browsers. A test page for the API is also available online.

Tags:

Leave a Reply

Related Post

Google now let you Untrusted Extension

Google now let you Untrusted Extension

June 6, 2021
3Ds Max malware ! APT group targets design industry

3Ds Max malware ! APT group targets design industry

August 26, 2020

You may have missed

Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

June 4, 2023
Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
%d bloggers like this: