xss

From IndieWeb

Cross-site scripting (abbreviated XSS) is a security vulnerability that makes it possible for anyone to inject client-side JavaScript into web pages using URL query strings, comments, webmentions, etc.

XSS from webmentions

If you have implemented webmentions on your site, you should be aware of XSS attacks.

Checkmention is an open source app that can send dubious webmentions to your site so you can test how the code handles them.

Node WebMention Test Pinger includes XSS test cases too.

Mitigations

OWASP has a good summary of preventative measures.

HTML sanitization

You should use a library that only allows allowlisted HTML tags and CSS properties.

Additional browser-based mitigation

You may send a Content-Security-Policy HTTP header, which works as an allowlist for JavaScript/CSS/iframes/etc. If you have a CSP header that doesn't allow inline scripts and scripts from untrusted domains, the browser won't execute scripts injected via XSS.

Test cases for handling webmention-related code

If you prefer, this can be hosted somewhere, and used as the "source" for a webmention. Update the in-reply-to tag as appropriate, and ensure that any markup that you extract into your site remains "safe".


verify xss tags are removed

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>Markup test</title>
  </head>
  <body class="h-entry">
    <div class="p-in-reply-to h-cite">
          <a class="u-url" rel="in-reply-to" href="https://change.me.to/your/target/note.html">this note</a>
    </div>

    <p class="p-name entry-title p-summary summary e-content entry-content">
      This is hosted on paste.debian.net, without <a rel="tag me" href="javascript:alert('xss-c')">a real tag</a>.
    </p>
    <a class="note-published u-url"
       rel="bookmark" href="javascript:alert('xss-b');">
	  <time class="dt-published published dt-updated updated" datetime="2013-10-13T13:06:41+00:00">13:06 13<sup>th</sup>October 2013</time>
	</a>

    <p class="p-author author h-card vcard">
      <img class="u-logo logo u-photo photo" alt="Not an image" src="javascript:alert('xss-a');" />
	  <a class="p-name fn" href="https://google.com">Not Google</a> 
	  <a class="u-url url" href="https://google.com">Not Google</a>
	</p>
  </body>
</html>