XSS threat protection Patterns

Do we have any pattern other than "<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>" to protect against XSS threats?


Any updates?


Several patterns can be used. The most restrictive in my experience is the following:

/((\%3C)|<)[^\n]+((\%3E)|>)/I 

We leave it to our customers to balance the performance and security requirements of a particular implementation, and of course any suggestion we provide is just that, a suggestion, which you will need to do your homework on.

The signature above looks for an opening tag of any kind (also checking for a hex equivalent) with a subsequent closing tag (including hex equivalent). It does check for content within the open and close tags.

The false positive rate for this check would be high and hence might be too restrictive. It will catch anything that looks like a script at all.
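To make the trade-off in the answer above concrete, here is an added example (not from the thread or from any product's own code) that runs both regexes over a handful of constructed inputs. The first pattern is compiled case-sensitively, exactly as it appears in the question; the trailing /I flag on the second is read as case-insensitive. The sample strings and the attack/benign labels are constructed for this example. The script only shows what each pattern matches in a raw string; it says nothing about which parts of a request a given product actually feeds to the check.

```python
import re

# Pattern 1: the <script>...</script> check from the question, compiled
# case-sensitively because no flag was given with it.
SCRIPT_TAG = re.compile(r"<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>")

# Pattern 2: the "any tag, including URL-encoded brackets" check from the answer.
# The /I flag is taken to mean case-insensitive; the body is as posted.
ANY_TAG = re.compile(r"((\%3C)|<)[^\n]+((\%3E)|>)", re.IGNORECASE)


def classify(value: str) -> dict:
    """Run both patterns over one input and report which ones fire."""
    return {
        "script_tag": SCRIPT_TAG.search(value) is not None,
        "any_tag": ANY_TAG.search(value) is not None,
    }


# Constructed sample inputs: the value a client might send, and whether a
# reviewer would want the check to block it.
SAMPLES = [
    ("<script>alert(1)</script>",           "attack"),
    ("<SCRIPT>alert(1)</SCRIPT>",           "attack"),  # upper-case tag name
    ("%3Cscript%3Ealert(1)%3C/script%3E",   "attack"),  # URL-encoded brackets
    ('<img src=x onerror="alert(1)">',      "attack"),  # no <script> element at all
    ("javascript:alert(1)",                 "attack"),  # no angle brackets at all
    ("<b>Terms</b> accepted",               "benign"),  # harmless markup
    ("price < 100 and qty > 2",             "benign"),  # plain text using < and >
    ("hello world",                         "benign"),
]


def evaluate(samples=SAMPLES) -> dict:
    """Count, per pattern, the attacks caught and the benign inputs flagged."""
    stats = {
        "script_tag": {"caught": 0, "false_positive": 0},
        "any_tag": {"caught": 0, "false_positive": 0},
    }
    for value, label in samples:
        for name, hit in classify(value).items():
            if hit and label == "attack":
                stats[name]["caught"] += 1
            elif hit and label == "benign":
                stats[name]["false_positive"] += 1
    return stats


if __name__ == "__main__":
    for value, label in SAMPLES:
        print(f"{label:7} {classify(value)}  {value!r}")
    print(evaluate())
```

On these inputs the narrow pattern catches only the lower-case, fully closed <script> element and misses the upper-case, URL-encoded, event-handler and javascript: variants, while the broad pattern catches everything containing a bracket pair, including the two benign strings, and still misses javascript:alert(1). That is the false-positive versus coverage trade-off the answer describes.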


None of the regexes mentioned in this post work for JS script injections through the JSON payload, although both work for injections through HTTP headers...


None of those regexes filter JS attacks inserted in the JSON body of requests to REST APIs.