├── README.md
└── resource
    └── event_handler.txt


/README.md:
--------------------------------------------------------------------------------
  1 | # can-i-protect-xss
  2 | Everything about xss protection technology
  3 | 
  4 | ## :100: Best practice
  5 | Get and handle only the values that developers can predict.
  6 | 
  7 | e.g 
  8 | ```
  9 | /list?id=1
 10 | /list?id=2
 11 | /list?id=3
 12 | ....
 13 | 
 14 | In this case, only numeric values are required for the id parameter. 
 15 | For these parameters, that you better not to not processing other than type(string, etc..) for avoid multiple vulnerability. 
 16 | It's better not to aim for unnecessary reflection and DOM write.
 17 | ```
 18 | 
 19 | ## :shield: Protection Technic
 20 | ### 1. Escape the Special char
 21 | `&` => `&amp;`<br>
 22 | `"` => `&quot`<br>
 23 | `'` => `&#x27;`<br>
 24 | `<` => `&lt;`<br>
 25 | `>` => `&gt;`<br>
 26 | `/` => `&#x2F;`<br>
 27 | 
 28 | encoding pattern
 29 | - HTML: `&#x3c;`
 30 | - URL: `%3c`
 31 | - Unicode: `\u003c`
 32 | - CSS: `\3c` `\0003c`
 33 | 
 34 | ### 2. If you needs tag?
 35 | filtering xss tags and event handler, dangerous attribute
 36 | - filtering xss tags(running with out eventhandler)
 37 | ```
 38 | <script>
 39 | <iframe>
 40 | <meta>
 41 | <style> 
 42 | ```
 43 | - filtering event handlers(any `on*` pattern)
 44 | any `on*` pattern regex
 45 | ```
 46 | /on*/g
 47 | ```
 48 | 
 49 | `on*` base event handlers. (There may be more, so please verify with the on* pattern)
 50 | ```
 51 | - refer from code in XSpear
 52 | - https://github.com/hahwul/XSpear/blob/master/lib/XSpear.rb
 53 | - If you need an event handler list to develop, refer to the path below.
 54 |  + https://github.com/hahwul/can-i-protect-xss/blob/master/resource/event_handler.txt
 55 | 
 56 |         'onAbort',
 57 |         'onActivate',
 58 |         'onAfterPrint',
 59 |         'onAfterUpdate',
 60 |         'onBeforeActivate',
 61 |         'onBeforeCopy',
 62 |         'onBeforeCut',
 63 |         'onBeforeDeactivate',
 64 |         'onBeforeEditFocus',
 65 |         'onBeforePaste',
 66 |         'onBeforePrint',
 67 |         'onBeforeUnload',
 68 |         'onBeforeUpdate',
 69 |         'onBegin',
 70 |         'onBlur',
 71 |         'onBounce',
 72 |         'onCellChange',
 73 |         'onChange',
 74 |         'onClick',
 75 |         'onContextMenu',
 76 |         'onControlSelect',
 77 |         'onCopy',
 78 |         'onCut',
 79 |         'onDataAvailable',
 80 |         'onDataSetChanged',
 81 |         'onDataSetComplete',
 82 |         'onDblClick',
 83 |         'onDeactivate',
 84 |         'onDrag',
 85 |         'onDragEnd',
 86 |         'onDragLeave',
 87 |         'onDragEnter',
 88 |         'onDragOver',
 89 |         'onDragDrop',
 90 |         'onDragStart',
 91 |         'onDrop',
 92 |         'onEnd',
 93 |         'onError',
 94 |         'onErrorUpdate',
 95 |         'onFilterChange',
 96 |         'onFinish',
 97 |         'onFocus',
 98 |         'onFocusIn',
 99 |         'onFocusOut',
100 |         'onHashChange',
101 |         'onHelp',
102 |         'onInput',
103 |         'onKeyDown',
104 |         'onKeyPress',
105 |         'onKeyUp',
106 |         'onLayoutComplete',
107 |         'onLoad',
108 |         'onloadstart',
109 |         'onLoseCapture',
110 |         'onMediaComplete',
111 |         'onMediaError',
112 |         'onMessage',
113 |         'onMouseDown',
114 |         'onMouseEnter',
115 |         'onMouseLeave',
116 |         'onMouseMove',
117 |         'onMouseOut',
118 |         'onMouseOver',
119 |         'onMouseUp',
120 |         'onMouseWheel',
121 |         'onMove',
122 |         'onMoveEnd',
123 |         'onMoveStart',
124 |         'onOffline',
125 |         'onOnline',
126 |         'onOutOfSync',
127 |         'onPaste',
128 |         'onPause',
129 |         'onPopState',
130 |         'onProgress',
131 |         'onPropertyChange',
132 |         'onReadyStateChange',
133 |         'onRedo',
134 |         'onRepeat',
135 |         'onReset',
136 |         'onResize',
137 |         'onResizeEnd',
138 |         'onResizeStart',
139 |         'onResume',
140 |         'onReverse',
141 |         'onRowsEnter',
142 |         'onRowExit',
143 |         'onRowDelete',
144 |         'onRowInserted',
145 |         'onScroll',
146 |         'onSeek',
147 |         'onSelect',
148 |         'onSelectionChange',
149 |         'onSelectStart',
150 |         'onStart',
151 |         'onStop',
152 |         'onStorage',
153 |         'onSyncRestored',
154 |         'onSubmit',
155 |         'onTimeError',
156 |         'onTrackChange',
157 |         'onUndo',
158 |         'onUnload',
159 |         'onURLFlip',
160 |         'ontouchstart',
161 |         'ontouchend',
162 |         'ontouchmove',
163 |         'onafterscriptexecute',
164 |         'onbeforescriptexecute',
165 |         'onpointerover',
166 |         'onpointerdown',
167 |         'onpointerenter',
168 |         'onpointerleave',
169 |         'onpointermove',
170 |         'onpointerout',
171 |         'onpointerup',
172 |         'onloadstart',
173 |         'onloadend'
174 | ```
175 | 
176 | - filtering dangerous attribute
177 | ```
178 | style=""
179 | class=""
180 | id=""
181 | name=""
182 | ```
183 | 
184 | ### Protection on LocalStorage
185 | ```
186 | var content = localStorage.getItem('content') # wost..
187 | var content = XSSProtect(localStorage.getItem('content')) # 
188 | ```
189 | 
190 | ## :nut_and_bolt: Mitigation Technic
191 | ### CSP
192 | ```
193 | Content-Security-Policy: default-src https://google.com
194 | ```
195 | https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
196 | 
197 | ### X-XSS-Protection
198 | ```
199 | X-XSS-Protection: 0
200 | X-XSS-Protection: 1
201 | X-XSS-Protection: 1; mode=block
202 | X-XSS-Protection: 1; report=<reporting-uri>
203 | ```
204 | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
205 | 
206 | ## :package: Opensource protection library
207 | - ?
208 | 
209 | ## :crossed_swords: Awesome test vector
210 | - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
211 | - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
212 | - https://blog.rubiya.kr/index.php/2019/03/28/browsers-xss-filter-bypass-cheat-sheet/
213 | 
214 | ## :shipit: Contributing method
215 | Add issue or send pull request contents. I like collaboration.
216 | 
217 | ## :scroll: Reference
218 | https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html<br>
219 | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection<br>
220 | https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP<br>
221 | 


--------------------------------------------------------------------------------
/resource/event_handler.txt:
--------------------------------------------------------------------------------
  1 | var arr = [        
  2 |         'onAbort',
  3 |         'onActivate',
  4 |         'onAfterPrint',
  5 |         'onAfterUpdate',
  6 |         'onBeforeActivate',
  7 |         'onBeforeCopy',
  8 |         'onBeforeCut',
  9 |         'onBeforeDeactivate',
 10 |         'onBeforeEditFocus',
 11 |         'onBeforePaste',
 12 |         'onBeforePrint',
 13 |         'onBeforeUnload',
 14 |         'onBeforeUpdate',
 15 |         'onBegin',
 16 |         'onBlur',
 17 |         'onBounce',
 18 |         'onCellChange',
 19 |         'onChange',
 20 |         'onClick',
 21 |         'onContextMenu',
 22 |         'onControlSelect',
 23 |         'onCopy',
 24 |         'onCut',
 25 |         'onDataAvailable',
 26 |         'onDataSetChanged',
 27 |         'onDataSetComplete',
 28 |         'onDblClick',
 29 |         'onDeactivate',
 30 |         'onDrag',
 31 |         'onDragEnd',
 32 |         'onDragLeave',
 33 |         'onDragEnter',
 34 |         'onDragOver',
 35 |         'onDragDrop',
 36 |         'onDragStart',
 37 |         'onDrop',
 38 |         'onEnd',
 39 |         'onError',
 40 |         'onErrorUpdate',
 41 |         'onFilterChange',
 42 |         'onFinish',
 43 |         'onFocus',
 44 |         'onFocusIn',
 45 |         'onFocusOut',
 46 |         'onHashChange',
 47 |         'onHelp',
 48 |         'onInput',
 49 |         'onKeyDown',
 50 |         'onKeyPress',
 51 |         'onKeyUp',
 52 |         'onLayoutComplete',
 53 |         'onLoad',
 54 |         'onloadstart',
 55 |         'onLoseCapture',
 56 |         'onMediaComplete',
 57 |         'onMediaError',
 58 |         'onMessage',
 59 |         'onMouseDown',
 60 |         'onMouseEnter',
 61 |         'onMouseLeave',
 62 |         'onMouseMove',
 63 |         'onMouseOut',
 64 |         'onMouseOver',
 65 |         'onMouseUp',
 66 |         'onMouseWheel',
 67 |         'onMove',
 68 |         'onMoveEnd',
 69 |         'onMoveStart',
 70 |         'onOffline',
 71 |         'onOnline',
 72 |         'onOutOfSync',
 73 |         'onPaste',
 74 |         'onPause',
 75 |         'onPopState',
 76 |         'onProgress',
 77 |         'onPropertyChange',
 78 |         'onReadyStateChange',
 79 |         'onRedo',
 80 |         'onRepeat',
 81 |         'onReset',
 82 |         'onResize',
 83 |         'onResizeEnd',
 84 |         'onResizeStart',
 85 |         'onResume',
 86 |         'onReverse',
 87 |         'onRowsEnter',
 88 |         'onRowExit',
 89 |         'onRowDelete',
 90 |         'onRowInserted',
 91 |         'onScroll',
 92 |         'onSeek',
 93 |         'onSelect',
 94 |         'onSelectionChange',
 95 |         'onSelectStart',
 96 |         'onStart',
 97 |         'onStop',
 98 |         'onStorage',
 99 |         'onSyncRestored',
100 |         'onSubmit',
101 |         'onTimeError',
102 |         'onTrackChange',
103 |         'onUndo',
104 |         'onUnload',
105 |         'onURLFlip',
106 |         'ontouchstart',
107 |         'ontouchend',
108 |         'ontouchmove',
109 |         'onafterscriptexecute',
110 |         'onbeforescriptexecute',
111 |         'onpointerover',
112 |         'onpointerdown',
113 |         'onpointerenter',
114 |         'onpointerleave',
115 |         'onpointermove',
116 |         'onpointerout',
117 |         'onpointerup',
118 |         'onloadstart',
119 |         'onloadend'
120 | ]
121 | 


--------------------------------------------------------------------------------