
XSS prevention — Cross-Site Scripting protection

15. 02. 2019 1 min read intermediate

Cross-Site Scripting allows an attacker to run JavaScript in the victim's browser. Session theft, phishing — XSS is the third most common vulnerability.

Types of XSS

  • Stored XSS: the script is stored in the database
  • Reflected XSS: the script arrives in a URL parameter
  • DOM-based XSS: client-side JavaScript processes untrusted data

Output encoding

// React — automatic escaping
function Comment({ text }) {
  // <p> is assumed as the wrapping element; React escapes {text} whatever it is
  return <p>{text}</p>; // ✅ React escapes automatically
}

// Python Jinja2 — autoescape is on by default in Flask
from jinja2 import Environment
env = Environment(autoescape=True)

Content Security Policy

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';

HTML sanitization

// DOMPurify
import DOMPurify from 'dompurify';
// dirty: untrusted HTML string, e.g. from user input
const clean = DOMPurify.sanitize(dirty);

Python bleach

import bleach
# only the listed tags survive; any other tag is escaped
clean = bleach.clean(dirty, tags=['p', 'b', 'i', 'a'])

Key Takeaway

Output encoding + CSP + HttpOnly cookies = reliable protection against XSS.


CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience in enterprise IT.