XSS from webmentions
If you have implemented webmentions on your site, you should be aware of XSS attacks: the author name, content, avatar URL and any other markup your site fetches from the source URL and displays is chosen by whoever sent the webmention, so it must be treated as untrusted input.
Checkmention is an open source app that can send dubious webmentions to your site so you can test how your code handles them.
Node WebMention Test Pinger includes XSS test cases too.
OWASP has a good summary of preventative measures.
You should use a library that only allows allowlisted HTML tags, attributes and CSS properties (and checks the URL scheme of href/src values), rather than one that tries to strip known-bad patterns; blocklists are what the test payloads above are designed to get past.
- Python: bleach
- Ruby: Sanitize, Loofah or the built-in Rails helper
- Haskell: xss-sanitize (automatically used by microformats2-parser)
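As an added illustration (not code from this page or from any of the libraries listed above), here is a minimal allowlist sanitizer written on top of Python's standard-library html.parser, run over a handful of constructed payloads of the kind a Checkmention-style test sends. The payloads are made up here, not Checkmention's own test cases. It shows the three things an allowlist has to cover: tags, attributes (which removes every on* handler and style in one go) and the URL scheme of href/src, including entity-encoded and tab-split javascript: tricks, and it re-balances tags the source left open. In production use one of the maintained libraries above; this is to make the policy visible.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist policy (example values, not a recommendation for every site).
# Anything not listed is dropped; the text inside a dropped tag is kept
# unless the tag is in DROP_CONTENT.
ALLOWED_TAGS = {"a", "p", "br", "em", "strong", "code", "pre", "blockquote",
                "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}   # no style, no on*
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """True if the URL is relative or uses an allowlisted scheme.

    Browsers ignore tab/CR/LF inside a scheme, so "java\tscript:" has to be
    normalised first or it passes as a harmless-looking unknown scheme.
    """
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\r\n")
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, emitting only allowlisted pieces."""

    def __init__(self):
        # convert_charrefs=True: handle_data gets decoded text that we re-escape
        # on output. Attribute values are always decoded by HTMLParser, so an
        # entity-encoded "&#106;avascript:" arrives here as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed, non-void tags still open
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue          # drops onerror=, style=, etc.
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue          # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:   # also close anything opened after it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass   # comments (including conditional comments) never get through

    def result(self):
        self.close()
        while self.open_tags:   # close whatever the source left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return the allowlisted subset of `html`, safe to embed as-is."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


# Constructed payloads (not Checkmention's) mapped to what should survive.
PAYLOADS = {
    '<p>hi<script>alert(1)</script></p>': '<p>hi</p>',
    '<img src="x" onerror="alert(1)">': '<img src="x">',
    '<a href="javascript:alert(1)">x</a>': '<a>x</a>',
    '<a href="java&#9;script:alert(1)">x</a>': '<a>x</a>',
    '<p style="background:url(javascript:alert(1))">x</p>': '<p>x</p>',
    '<p>&lt;script&gt;</p>': '<p>&lt;script&gt;</p>',
    '<em>oops <strong>never closed': '<em>oops <strong>never closed</strong></em>',
    '<a href="https://example.com/">fine</a>': '<a href="https://example.com/">fine</a>',
}


def check_all():
    """Run every payload through sanitize(); returns the failures, ideally {}."""
    return {p: sanitize(p) for p, want in PAYLOADS.items() if sanitize(p) != want}


if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r:58} -> {sanitize(payload)!r}")
    assert not check_all(), check_all()
```

Dropping style entirely is the stricter choice; if you need to keep some CSS, allowlist individual properties and reject any value containing url( or expression(, which is what the libraries above do internally.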
Additional browser-based mitigation
A Content-Security-Policy header that forbids inline scripts limits what a payload that slips past your sanitizer can do in the reader's browser. It is a second layer, not a substitute for sanitizing on the server.
If you prefer, a test page containing XSS payloads can be hosted somewhere and used as the "source" of a webmention to your own site. Update the in-reply-to link as appropriate, and make sure that any markup your site extracts from it remains "safe".
Then check the page your site rendered and verify that the XSS tags were removed.