DOM XSS - Documentation
Opened this issue · 5 comments
I think we need to make clear somewhere in the documentation clear that customers need to take additional steps for preventing DOM based XSS when using this library. Current documentation says about how to encode in direct CSS/HTML contexts but does not talk about how to encode when inserting Untrusted Data into HTML Subcontext within the Execution Context.
There are many such examples in [1] and I think its worth it to make a note of it somewhere in the documentation of this document.
Yup, I get that.
I am just thinking that people would assume that using this library properly (ie.., using right encoding function) would help them in mitigating against all sorts of XSS attacks including DOM. In fact, home page [1] says - "This project will help Java web developers defend against Cross Site Scripting!". Even you use all the context sensitive functions correctly, you might still be vulnerable to XSS according to OWASP DOM based prevention wiki as we need to encode for HTML first and then for JS next for few situations. I propose we make this clear either on the homepage.
[1] https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
Assuming the warning is enough, I'm closing this out for now.