Reputation: 974
I am working on writing a small website that should use an authentication system that requires me to store a token. Storing it in the localStorage would be for me the most convenient option at this stage, but as I understand, this is potentially vulnerable to XSS attacks. Now, the security requirements aren't very strict (no especially sensitive data would be exposed by a successful attack, the login is just used to keep track of who does what while on site), and there should be no user-generated content on the website (no comments or such), and anyway it's all passing through Angular.js. Does that sound like it's reasonably safe to use the localStorage alone, or should I still look into using it next to cookies for added security? Thanks!
Upvotes: 2
Views: 475
Reputation: 696
If you are not displaying any user content (not even the user login to display who is logged in), standard XSS attacks should not be a problem for you.
However, make sure you do not have even the simplest user generated content. If you are displaying some data from some data source, this is also something that should not be trusted. If you are, for example, displaying the user login, you should make sure that the login is properly sanitized prior to usage. A user login could contain attack code. Angular.js can help you there with the usage of $sanitize. Also be aware that there is always a risk of self-XSS.
LocalStorage is a good place to use. However, you should verify that the token is safe to use - it may be expired or invalidated (e.g. when your Angular.js application boots, you could verify the token by some call to the API).
Upvotes: 1
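The two checks the answer recommends, a boot-time token verification and escaping the login before it is displayed, as an added plain JavaScript example (not code from the answer or from Angular.js). The storage object, the `/api/session`-style verifier and the session responses are constructed stand-ins so it runs offline; in a real Angular.js app `storage` would be `window.localStorage` and `verifyWithApi` would wrap an `$http` call.

```javascript
const TOKEN_KEY = "authToken";

// Escape text before it is bound into HTML, the same class of protection
// $sanitize gives an Angular.js template: a login such as
// <img src=x onerror=...> must reach the DOM as inert text, never as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Boot-time check: trust the stored token only after the API confirms it.
// `storage` is localStorage (or a stand-in) and `verifyWithApi` wraps the
// hypothetical session-check call; in Angular.js it would be the result of
// an $http request and this logic would run in its promise callback.
function restoreSession(storage, verifyWithApi) {
  const token = storage.getItem(TOKEN_KEY);
  if (!token) return null;
  const result = verifyWithApi(token);
  if (!result || !result.valid) {
    storage.removeItem(TOKEN_KEY); // expired or revoked: discard so it is never reused
    return null;
  }
  // Expose the raw login for API calls and the escaped form for templates.
  return { login: result.login, safeLoginHtml: escapeHtml(result.login) };
}

// Constructed in-memory stand-in for localStorage so the example runs offline.
function makeMemoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}

// Constructed responses for the hypothetical session-check endpoint.
const FAKE_SESSIONS = {
  "tok-valid": { valid: true, login: "<b>alice</b>" },
  "tok-expired": { valid: false },
};
function fakeVerify(token) {
  return FAKE_SESSIONS[token] || { valid: false };
}
```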