
html - Prevent XSS on client-side (Pure Javascript) - Stack Overflow


I got a simple project, but it is giving me headaches because client-side programming is not my thing. Basically I have a login page and the client wants me to prevent XSS attacks by not allowing users to submit malicious code in the username/password fields. I would do it on the server side easily, but they do not want to give us access.

Any chance someone could give me hints on how I can do this? Even though I know the basics of JavaScript/HTML, my experience is nearly null.

I know that there are several questions about this topic, but sincerely, I got lost in all the information.

Best Regards


asked Jan 23, 2015 at 13:44 by andrealmeida
  • Even if you do it on the client side, any tech-savvy attacker will take minutes to bypass it; you'll have to implement this on the server side (but you can also implement it client-side just for the sake of double sanitation). – Diogo Raminhos Commented Jan 23, 2015 at 13:48
  • User input has to be cleaned on the server side. How good is client-side validation if the user can disable JavaScript? If they don't want to give you access, then you can't do a reliable job. – Fabrizio Calderan Commented Jan 23, 2015 at 13:48
  • Client-side form validation is only for providing convenient user feedback before submitting a form. It saves the user time and it saves load on the server by alerting the user to a mistake before talking to the server. It is not useful, and should never be relied upon, to protect anything, as it can be easily bypassed in many ways, including crafting requests to the server in programs which are not even running on the page or in a browser. – JAAulde Commented Jan 23, 2015 at 13:49

2 Answers

Answer (score 9)

Actually, you simply cannot make any reliable XSS prevention on the client side. The attacker simply disables JavaScript, and all your complicated code is non-existent. Any client-side validation is only for the convenience of the users, nothing more.

Update: What I wrote above is true of second-order (a.k.a. stored) XSS. First-order XSS attacks (when the attacker creates a forged URL) can be mitigated using JavaScript.

You prevent XSS on the client in the same way that you prevent it on the server. (Note this only protects against input that is directly processed on the client, and not against code that gets submitted to the server and then passed back to a client).

  • Make sure you know what data format any given variable holds
  • Treat any user input (including data from forms, data from URLs, etc.) as plain text
  • Encode it appropriately for wherever you put it, using native methods for handling the data where possible

For example, if you wanted to display the fragment id in a div you would:

// SAFE: the fragment becomes a literal text node and is never parsed as HTML
div.appendChild(document.createTextNode(location.hash));

Do not just allow raw input to be parsed as HTML:

// DANGER: the fragment is parsed as HTML, so markup in the URL runs in the page
div.innerHTML = location.hash;

This, of course, only protects the page from data submitted to the client side code.

There is no way to use client side code to prevent malicious data from being submitted to the server side code. The client has total control over the client side code, so it can be bypassed very easily.

If you read input from outside the server and then output it to a webpage then you must have server side protection from XSS.
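The approach in the answer above (treat input as plain text, then encode for the exact context it lands in, preferring native DOM methods over string building), worked through as an added example. This is not code from the Stack Overflow answers; the profile fields (`name`, `homepage`), the constructed attack fragment and the `about:blank` fallback are assumptions made for the illustration. The helpers are pure functions so the block also runs under Node; only `renderProfile()` needs a DOM.

```javascript
// Added example (not from the original page): context-aware output encoding
// of untrusted input on the client. Field names, the sample fragment and the
// about:blank fallback are assumptions for the illustration.

// Map the characters that change meaning in an HTML text or double-quoted
// attribute context to entities. Adequate for text nodes and quoted attributes;
// NOT sufficient for data placed inside <script>, inline event handlers or CSS.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Let only http(s) and scheme-less (relative) URLs through. Browsers drop tab,
// CR and LF anywhere in a URL and ignore leading C0 controls and spaces before
// the scheme, so normalise the same way before inspecting the scheme; otherwise
// "java\tscript:alert(1)" slips past a naive startsWith('javascript:') check.
function safeUrl(value) {
  const cleaned = String(value).replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (scheme && !/^https?$/i.test(scheme[1])) return 'about:blank';
  return cleaned;
}

// First-order (reflected) XSS arrives in the URL the victim clicks. Decode the
// fragment with URLSearchParams and hand every value on as plain text.
function parseHashParams(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ''));
  return { name: params.get('name') || '', homepage: params.get('homepage') || '' };
}

// Preferred route: build the DOM with native methods and never touch innerHTML.
// Text goes through createTextNode; the href goes through setAttribute after
// safeUrl() (setAttribute does not decode entities, so &#106;avascript: tricks
// that work inside innerHTML do not apply here).
function renderProfile(doc, container, untrusted) {
  const p = doc.createElement('p');
  p.appendChild(doc.createTextNode('Hello, ' + untrusted.name));
  const a = doc.createElement('a');
  a.setAttribute('href', safeUrl(untrusted.homepage));
  a.appendChild(doc.createTextNode(untrusted.homepage));
  container.appendChild(p);
  container.appendChild(a);
  return container;
}

// Fallback when a string has to be produced (a template, or the server side of
// the same page): encode each value for the context it lands in. The href is
// URL-filtered first and then HTML-encoded because it sits in a quoted attribute.
function profileHtml(untrusted) {
  const href = encodeHtml(safeUrl(untrusted.homepage));
  return '<p>Hello, ' + encodeHtml(untrusted.name) + '</p>' +
         '<a href="' + href + '">' + encodeHtml(untrusted.homepage) + '</a>';
}

// Constructed attack fragment, as an attacker might embed it in a link.
const ATTACK_HASH = '#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&homepage=javascript%3Aalert(1)';

if (typeof document !== 'undefined') {
  // In a browser: render the real fragment (or the constructed one) safely.
  const target = document.body.appendChild(document.createElement('div'));
  renderProfile(document, target, parseHashParams(location.hash || ATTACK_HASH));
} else {
  // Under Node: show what the string route produces for the same input.
  console.log(profileHtml(parseHashParams(ATTACK_HASH)));
}
```

Note what this does and does not buy you: it stops the page from executing markup that arrives via the URL or is typed into a field and echoed by client code, which is exactly the first-order case the first answer's update concedes can be mitigated in JavaScript. It does nothing about what the login form submits to the server; an attacker posts the raw payload with any HTTP client and the server must encode or reject it itself.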
