XSS from webmentions
If you accept webmentions on your site, you end up fetching a page that a third party controls and rendering part of its markup as a comment or reply, so you need to defend against XSS (cross-site scripting).
node-webmention-testpinger includes XSS test cases as well, which you can send at your own endpoint.
OWASP has a good summary of preventative measures.
Do not try to strip known-bad markup by hand or with regular expressions. Use a sanitizing library that keeps only a whitelist of HTML tags, attributes and CSS properties and drops everything else, including event-handler attributes and javascript: URLs.
- Python: bleach
- Ruby: Sanitize, Loofah or the built-in Rails helper
- Haskell: xss-sanitize (automatically used by microformats2-parser)
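What "whitelist only" means in practice, as an added example (not IndieWeb code and not the internals of any of the libraries listed above): a stdlib-only Python sanitizer that keeps an allowlist of tags and attributes, drops the content of script-like elements, and checks the scheme of every href. The allowlist values and the sample inputs at the bottom are assumptions chosen for a typical reply or comment; adjust them for your site. For production use, prefer one of the maintained libraries above.

```python
"""Allowlist HTML sanitizer for content pulled from a webmention source.

Added example, not IndieWeb code and not any of the libraries listed
above. ALLOWED_TAGS, ALLOWED_ATTRS and ALLOWED_SCHEMES are assumed
values for a typical reply/comment; tune them per site.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "code", "pre",
                "blockquote", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}        # on*, style, src ... are all dropped
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Both the markup and the text content of these elements are discarded.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def _safe_url(url):
    """Accept relative URLs and allowlisted schemes only.

    Whitespace and control characters are removed before parsing, because
    browsers ignore them inside a scheme (a newline inside "javascript:"
    still runs).
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags still open, closed in order later
        self.drop_depth = 0   # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return            # unknown element: drop the markup, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Also close anything opened after this tag, keeping nesting valid.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped

    def handle_comment(self, data):
        pass                  # comments never reach the output

    def result(self):
        while self.open_tags:                 # close whatever is still open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return a fragment containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs in the style of webmention XSS test cases.
    for sample in ['<p>hi <b>there</b></p>',
                   '<script>alert(1)</script>text',
                   '<img src=x onerror=alert(1)>',
                   '<a href="javascript:alert(1)">link</a>',
                   '<a href=" java&#10;script:alert(1)">link</a>']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design point is that nothing is removed by name: anything not on the allowlist never reaches the output, which is why an `<img onerror>` payload disappears without the sanitizer knowing about `onerror`. Run this against the node-webmention-testpinger XSS cases after extracting the h-entry content and before storing it.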
Additional browser-based mitigation
If you prefer, this test case can be hosted somewhere and used as the "source" of a webmention to your own site. Update the in-reply-to tag as appropriate, and check that any markup you extract into your site remains "safe".
Verify that the XSS tags are removed.