Need to prevent XSS attacks?

Question

I am working on a project that allows a user to customize a web page. Currently, it is possible for this user to add HTML to the page. From my research, it appears that XSS attacks are generally used to hijack sessions / steal cookies. My question is, if visitors are not allowed to add any content to this page, and if the user who customizes the page is the only person able to log in, is it necessary to prevent XSS attacks? My thought is no, because the only cookies available to steal are his or her own.

Answer 1

Maaaybe, since it sounds like you're saying that only User A can see HTML submitted by User A, but you'd still have to be careful, since we're assuming that User A is aware of all data being submitting on his or her behalf. Consider the following attack.

1. Trick User A into visiting my malicious site.
2. Auto-submit a form to your website containing malicious HTML.
3. Redirect User A to your website, where they will see my malicious HTML that steals their cookies and sends them to me.

Maybe you'd be okay if you implemented CSRF protection that prevents me from submitting on the user's behalf, but it's still kinda scary. If users need to be able to use HTML (but they usually don't), consider a tool like HTML Purifier that allows HTML known to be safe but blocks potentially malicious HTML: that way, most legitimate use cases would probably be satisfied, but XSS will be darn near impossible, even if the other security systems fall apart. It's easy to implement, and a small price to pay for that additional level of security.