December 8, 2023

Google, Mozilla, and security firm Cure53 have come together to develop an application programming interface (API) that provides a systematic solution to HTML sanitization which will prevent XSS attacks without the need for third-party libraries.

Preventing XSS attacks

Web applications are often required to handle dynamic HTML content in the browser, such as when rendering user-generated content or dealing with templates.

Client-side HTML processing often introduces security holes that malicious actors exploit to stage XSS attacks, stealing user information or issuing web commands on users' behalf. XSS issues have existed since the inception of JavaScript, which added script injection to the attacker's toolbox.

Content Security Policy (CSP) is a set of HTTP header directives that help mitigate XSS attacks by restricting how web pages handle different types of content. But CSP has not gained the traction its creators hoped.

Sanitization libraries

Many developers rely on open-source JavaScript libraries such as DOMPurify to prevent XSS attacks. DOMPurify takes an HTML string as input and sanitizes it by escaping and removing potentially dangerous parts.

To ensure that an HTML sanitizer works correctly on new input, it needs to keep up with the HTML standard as it evolves. Failure to do so can be catastrophic and lead to sanitizer bypasses. The new HTML Sanitizer API has been developed by Google, Mozilla, and the wider security community.

Native HTML sanitization

The HTML Sanitizer API bakes XSS mitigation functionality directly into the browser. Developers can instantiate and use the API’s sanitizer class without the need to import external libraries.

Browsers already have baked-in sanitizers for clipboard data. Just use the built-in sanitizer; you don’t need to include any external libraries!
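The following is an added example, not code from the article or from any browser vendor or the DOMPurify project. It shows the two approaches the article contrasts side by side: the native Sanitizer API, using the draft surface `new Sanitizer(config)` and `Element.prototype.setHTML(html, { sanitizer })` with the draft's `allowElements` / `allowAttributes` configuration keys (an assumption about the experimental builds; the exact names may differ per browser), and the library path via DOMPurify's `DOMPurify.sanitize(html, config)`. The browser globals are passed in as a parameter so the wiring can be exercised outside a browser; the sample input is constructed for illustration.

```javascript
// Added example (not from the article). Assumes the draft Sanitizer API
// surface `new Sanitizer(config)` + `Element.prototype.setHTML(html, { sanitizer })`
// with config keys `allowElements` / `allowAttributes`, and DOMPurify's
// `sanitize(html, { ALLOWED_TAGS, ALLOWED_ATTR })`.

// One allow-list policy for rendering user-generated comments.
const COMMENT_POLICY = {
  allowElements: ["p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code"],
  // attribute name -> elements it is permitted on
  allowAttributes: { href: ["a"] },
};

// Express the same policy in DOMPurify's configuration vocabulary.
function toDomPurifyConfig(policy) {
  return {
    ALLOWED_TAGS: [...policy.allowElements],
    ALLOWED_ATTR: Object.keys(policy.allowAttributes),
  };
}

// True when the environment exposes the draft Sanitizer API.
function hasNativeSanitizer(g) {
  return typeof g.Sanitizer === "function" &&
    typeof g.Element === "function" &&
    typeof g.Element.prototype.setHTML === "function";
}

// Render untrusted HTML into `target`, replacing the classic XSS sink
// `target.innerHTML = untrustedHtml`. Returns which path was taken and
// throws (fails closed) when neither a native nor a library sanitizer is
// present, so a missing dependency never silently becomes an injection sink.
function renderUntrustedHtml(target, untrustedHtml, g = globalThis) {
  if (hasNativeSanitizer(g)) {
    const sanitizer = new g.Sanitizer(COMMENT_POLICY);
    target.setHTML(untrustedHtml, { sanitizer });
    return "native";
  }
  if (g.DOMPurify && typeof g.DOMPurify.sanitize === "function") {
    // DOMPurify is string-in, string-out; the cleaned string is then
    // assigned to innerHTML under the stated allow-list.
    target.innerHTML = g.DOMPurify.sanitize(untrustedHtml, toDomPurifyConfig(COMMENT_POLICY));
    return "dompurify";
  }
  throw new Error("No HTML sanitizer available; refusing to render untrusted markup");
}

// Constructed sample of user input a sanitizer must neutralise: a script
// element and an inline event-handler attribute on an otherwise allowed link.
const SAMPLE_UNTRUSTED =
  '<p>hello <b>world</b><script>void 0</script>' +
  '<a href="https://example.test" onclick="void 0">link</a></p>';

// In a browser: renderUntrustedHtml(document.getElementById("comment"), SAMPLE_UNTRUSTED);
```

The policy is written once and translated into each sanitizer's vocabulary, so switching from the library to the native API does not change what the page allows. Note that `allowAttributes` in the draft is per-element while DOMPurify's `ALLOWED_ATTR` is global, so the library form is slightly looser for the same list.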

Testing the API

The HTML Sanitizer API will not prevent mutation XSS (mXSS) attacks or attacks that exploit server-side vulnerabilities. With extra configuration, however, it can prevent DOM clobbering and XSS attacks based on script gadgets.

An experimental implementation of the API has been integrated into Firefox Nightly and Chrome Canary, the test versions of the browsers. A test page for the API is also available online.
