Facing issue while resolving cross site scripting issue

Question

I was preventing my application from cross site scripting defect. I have done the validation part for all the fields present in my application, but I don't know how to prevent this defect if someone injects the code in the url, please help me how to get rid of this defect. Eg: Script:

javascript:alert(document.cookie)

like if we inject the above code in the url we can get the username and the session id after logout.

Please suggest me the solution.

Answer 1

Someone entering javascript:alert(document.cookie) in the address bar is not a vulnerability.

If an attacker put a href in their website linking to javascript:alert(document.cookie) then it would simply show the cookies on the attacker's site.

Only the user can enter the code in their own browser. This is known as Self-XSS.

If this is not what you mean, please update your question with an example of a working URL (you could change your domain to example.com for privacy), and then add a comment to let me know and I'll update my answer to help.

Answer 2

html decoding/encoding cant help in this, I tested this on most of the web application (like Atlassian JIRA, Slack) all were allowing this and it was being printed in html page. This tag will only work i following cases: if it is being printed in href attribute-

<a href="javascript:alert(document.cookie)">Test</a>

in Onclick attribute

<a href=# onclick="javascript:alert(document.cookie)" >test</a>

So make sure that you are not printing anything directly in href or onClick attribute, if you are doing than add any filter there which can manually detect javascript or dont forgot to append http:// before the link.