Reputation: 177
Prevent XSS in Socketio
How does one sanitize output through NodeJS SocketIO?
I basically have a very simple SocketIO chat application that renders messages broadcasted by the server, and I'm trying to figure out how I could prevent messages such as
<script>...</script>
or other forms of XSS to be injected in the frontend chat.
What I'm doing is basically:
$('#chat').append(message);
I've been told to escape the message on the backend (output) and not on the frontend. Is that correct? If so, how should I escape it? Any node modules?
Upvotes: 0
Views: 816
Answers (1)
Reputation: 4416
Escaping is something you do while outputting to the HTML, and as such nodejs and socket.io is mostly irrelevant. See the OWASP XSS Prevention cheat sheet for different contexts which require different escapings. You appear to be using jQuery. You could use jQuery encoder, or simply something like:
$("<div>").text(message).appendTo("#chat")
Upvotes: 1
Related Questions
- How do you prevent install of "devDependencies" NPM modules for Node.js (package.json)?
- How can I prevent XSS with HTML/PHP?
- How to separate the socketio connection by the path of the URL in my flask chat app
- Best way to handle security and avoid XSS with user entered URLs
- Prevent XSS in NodeJS API output
- NodeJS/SocketIO messages not being delivered reliably
- Secure Node.js chat (avoid XSS)
- Ember Data Model attribute sanitization/escaping to prevent XSS?
- Preventing DOM XSS