xss
Cross-site scripting (abbreviated XSS) is a security vulnerability that makes it possible for anyone to inject client-side JavaScript into web pages using URL query strings, comments, webmentions, etc.
XSS from webmentions
If you have implemented webmentions on your site, you should be aware of XSS attacks.
Checkmention is an open source app that can send dubious webmentions to your site so you can test how the code handles them.
Node WebMention Test Pinger includes XSS test cases too.
Mitigations
OWASP has a good summary of preventative measures.
HTML sanitization
You should use a library that only allows allowlisted HTML tags and CSS properties.
- Python: bleach
- Ruby: Sanitize, Loofah or the built-in Rails helper
- Haskell: xss-sanitize (automatically used by microformats2-parser)
Additional browser-based mitigation
You may send a Content-Security-Policy HTTP header, which works as an allowlist for JavaScript/CSS/iframes/etc. If you have a CSP header that doesn't allow inline scripts and scripts from untrusted domains, the browser won't execute scripts injected via XSS.
If you prefer, this can be hosted somewhere, and used as the "source" for a webmention. Update the in-reply-to tag as appropriate, and ensure that any markup that you extract into your site remains "safe".
verify xss tags are removed
<!DOCTYPE html> <html lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Markup test</title> </head> <body class="h-entry"> <div class="p-in-reply-to h-cite"> <a class="u-url" rel="in-reply-to" href="https://change.me.to/your/target/note.html">this note</a> </div> <p class="p-name entry-title p-summary summary e-content entry-content"> This is hosted on paste.debian.net, without <a rel="tag me" href="javascript:alert('xss-c')">a real tag</a>. </p> <a class="note-published u-url" rel="bookmark" href="javascript:alert('xss-b');"> <time class="dt-published published dt-updated updated" datetime="2013-10-13T13:06:41+00:00">13:06 13<sup>th</sup>October 2013</time> </a> <p class="p-author author h-card vcard"> <img class="u-logo logo u-photo photo" alt="Not an image" src="javascript:alert('xss-a');" /> <a class="p-name fn" href="https://google.com">Not Google</a> <a class="u-url url" href="https://google.com">Not Google</a> </p> </body> </html>