xss

Cross-site scripting (abbreviated XSS) is a security vulnerability that lets anyone inject client-side JavaScript into a web page through untrusted input such as URL query strings, comments, or webmentions.

XSS from webmentions
If you have implemented webmentions on your site, you should be aware of XSS attacks.

Checkmention is an open source app that can send dubious webmentions to your site so you can test how the code handles them.

Node WebMention Test Pinger includes XSS test cases too.

Mitigations
OWASP has a good summary of preventative measures.

HTML sanitization
You should use a library that only allows allowlisted HTML tags and CSS properties.

 * Python: bleach
 * Ruby: Sanitize, Loofah or the built-in Rails helper
 * Haskell: xss-sanitize (automatically used by microformats2-parser)
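As an added example (not code from this page or from any of the libraries listed above), a minimal allowlist sanitizer built only on Python's standard library, run over a constructed webmention-style reply. The allowed tags and attributes are assumptions chosen for the illustration; the point it adds is that allowlisting tags is not enough, because a permitted `<a>` can still carry a `javascript:` href, so URL-valued attributes need a scheme check as well.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for displaying a received webmention: tag -> permitted attributes.
ALLOWED = {"a": {"href", "class"}, "p": {"class"}, "em": set(), "strong": set(), "br": set()}
URL_ATTRS = {"href"}                  # attribute values that are URLs
SAFE_SCHEMES = {"http", "https", ""}  # "" covers relative URLs

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded here, re-escaped on output
        self.out, self.skip = [], 0               # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1                        # drop the element together with its body
            return
        if self.skip or tag not in ALLOWED:
            return                                # drop the tag; its text still reaches handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                          # removes onerror=, onclick=, style=, ...
            if name in URL_ATTRS:
                # Browsers ignore tab/CR/LF inside URLs, so strip them before checking the scheme.
                scheme = urlparse(re.sub(r"[\t\r\n]", "", value).strip()).scheme
                if scheme not in SAFE_SCHEMES:
                    continue                      # blocks javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    p = AllowlistSanitizer(); p.feed(html); p.close()
    return "".join(p.out)

# Constructed webmention-style reply carrying the usual injection attempts.
SAMPLE = ('<p class="e-content">Hi <strong>there</strong>! <script>alert(1)</script><img src=x onerror="alert(1)">'
          '<a href="javascript:alert(1)" class="u-url">me</a> <a href="https://example.com/" onclick="alert(1)">site</a></p>')
```

A maintained library such as those listed above also handles unbalanced markup, CSS and SVG/MathML, which this sketch does not.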

Additional browser-based mitigation
You may send a Content-Security-Policy HTTP header, which acts as an allowlist of where JavaScript, CSS, iframes, etc. may be loaded from. If your CSP does not allow inline scripts or scripts from untrusted domains, the browser will refuse to execute scripts injected via XSS.

Test cases for handling webmention-related code
If you prefer, this can be hosted somewhere, and used as the "source" for a webmention. Update the in-reply-to tag as appropriate, and ensure that any markup that you extract into your site remains "safe".

Verify that XSS tags are removed.

<!DOCTYPE html> Markup test: this note

This is hosted on paste.debian.net, without a real tag. 13:06, 13th October 2013

Not Google Not Google