Not sure about validation, but Content-Security-Policy is the best tool we have ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

nom on Oct 7, 2020 | parent | context | favorite | on: DOMPurify bypass: XSS via HTML namespace confusion

Not sure about validation, but Content-Security-Policy is the best tool we have at our disposal right now to prevent XSS - define what content the browser is allowed to load and execute.

I have a feeling it will remain a very manual and diligent process. Be always on top of new techniques and solutions, have a good understanding how everything works in detail and reduce your attack surface by keeping things simple.

yoloClin on Oct 7, 2020 [–]

I agree with CSP, but as I've commented on another thread I recommend CSP _with_ other mitigation factors due to DOM/HTML injection, and browser support.

Join us for AI Startup School this June 16-17 in San Francisco!
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact