Automatic Contextual XSS Escaping made robust, easy, and fast
Cross Site Scripting (XSS) has topped the OWASP Top 10 list of Web Application Security Risks for over a decade. Its consequences are well known: an attacker who injects script into a page can compromise the website and exfiltrate sensitive user information. So what makes it so hard to eliminate from web applications?
Escaping filters are applied according to the output context of every placeholder, at the right place and in the correct order. All of this is done automagically by standards-compliant parsers that we wrote ourselves.
The solution has undergone a series of manual code reviews, as well as unit and integration tests. The filters also withstand fuzzing across the vast majority of web browsers.
With as few as 2 lines of code changed, the express-secure-handlebars package applies contextual escaping filters and even corrects HTML parsing errors, all automatically!
Templates can be pre-processed completely offline, so no contextual analysis is needed at runtime. The filters escape only as much as is necessary to be secure, and are thus up to 2 times faster than the default one.
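To make the contextual-escaping idea concrete, here is an added example in JavaScript; it is not code from express-secure-handlebars or from the parsers described above. It sketches how the output context of each {{placeholder}} can be classified from the template text alone (so the decision can be made once, offline, before any data is rendered) and how a different filter is then chosen for HTML text, quoted and unquoted attribute values, and href/src URLs, applying the URL scheme check before entity escaping. The context names, the four filters and the sample template and data are all constructed for this example; real template parsers track many more states than the four shown here.

```javascript
// Added example, not code from express-secure-handlebars or its parsers.
// A deliberately small context-aware escaper for Handlebars-style {{name}}
// placeholders. The filter chosen for a placeholder depends on where it sits
// in the markup, and that decision is made from the template alone, so it can
// happen at compile time rather than at render time.
// Contexts modelled: HTML text, double-quoted attribute value, unquoted
// attribute value, and the URL-valued attributes href/src. Real parsers also
// track script, style, comment and many other states; those are out of scope.

const ENTITY = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// HTML text between tags: neutralise tag and entity starts. Quotes are escaped
// too, so the same filter is also sufficient inside a double-quoted attribute.
function escapeHtmlText(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => ENTITY[c]);
}

// Unquoted attribute value: whitespace, '=', '/' and '>' also end the value and
// could start a new attribute, so encode every character outside [A-Za-z0-9].
function escapeUnquotedAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// URL-valued attribute: relative URLs and a small allow-list of schemes pass;
// any other scheme is replaced with an inert URL so the page still renders.
// The scheme check runs before entity escaping: done the other way round, the
// escaper's output would hide the scheme from the check.
const SAFE_SCHEME = /^(?:https?|mailto):/i;
function safeUrl(value) {
  const url = String(value).trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(url);
  return hasScheme && !SAFE_SCHEME.test(url) ? 'about:blank' : url;
}

// Context name -> filter (constructed names for this example).
const FILTERS = {
  'text': escapeHtmlText,
  'quoted-attr': escapeHtmlText,
  'unquoted-attr': escapeUnquotedAttr,
  'quoted-url': (v) => escapeHtmlText(safeUrl(v)),
  'unquoted-url': (v) => escapeUnquotedAttr(safeUrl(v)),
};

// Classify the output context of a placeholder from the template text that
// precedes it. Only the template is inspected, never the data, so the result
// can be computed once when the template is compiled.
function contextOf(prefix) {
  const tagStart = prefix.lastIndexOf('<');
  // Not inside an open start tag: plain HTML text.
  if (tagStart === -1 || prefix.indexOf('>', tagStart) !== -1) return 'text';
  const tag = prefix.slice(tagStart);
  // The attribute whose value is being written: name, '=', optional '"', then
  // whatever part of the value precedes the placeholder.
  const attr = tag.match(/\s([A-Za-z-]+)\s*=\s*("?)[^"]*$/);
  // Inside a tag but not in a value (e.g. an attribute-name position): use the
  // strictest filter rather than guessing.
  if (!attr) return 'unquoted-attr';
  const [, name, quote] = attr;
  if (/^(?:href|src)$/i.test(name)) return quote ? 'quoted-url' : 'unquoted-url';
  return quote ? 'quoted-attr' : 'unquoted-attr';
}

// Render {{name}} placeholders, picking each filter from its static context.
function render(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (match, key, offset) => {
    const filter = FILTERS[contextOf(template.slice(0, offset))];
    const value = data[key] === undefined ? '' : data[key];
    return filter(value);
  });
}

// Constructed sample template and data: one placeholder in each of three
// contexts, with values that would break out of their context if unfiltered.
const SAMPLE_TEMPLATE = '<a href="{{url}}" title={{title}}>{{name}}</a>';
const SAMPLE_DATA = {
  url: 'javascript:notAllowed()',   // disallowed scheme -> about:blank
  title: 'a b',                     // a space would end an unquoted value
  name: '<b>Tom</b> & "Jerry"',     // markup in text context
};

console.log(render(SAMPLE_TEMPLATE, SAMPLE_DATA));
```

Running the block prints `<a href="about:blank" title=a&#x20;b>&lt;b&gt;Tom&lt;/b&gt; &amp; &quot;Jerry&quot;</a>`: the same entity filter would have been wrong for two of the three placeholders, which is the point the page makes about choosing the filter per output context. Because `contextOf` looks only at the template, the context of every placeholder can be resolved and recorded once, ahead of time, leaving only the filter call at render time.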