
Check input and convert it to appropriate type to prevent XSS

Let's say I get "name" from a user and he enters <script>alert("you got xss!");</script>

But on the server I convert: name = name_from_frontend.toString(); before saving it to the db.
Similarly, I check for int using parseInt(),
float using parseFloat(),
boolean using typeof(variable_name), and so on.

Is there still a need to escape <, & and the other characters mentioned by OWASP to prevent XSS?

Calling toString() on a string type doesn't help. You probably need to strip evil tags such as script, etc.

Most server-side languages such as Python ( https://pypi.python.org/pypi/bleach ), PHP ( strip_tags() ), etc. have function libraries focused on cleaning up evil markup so you can safely use that input later.

If you want a JS solution you should check https://www.npmjs.com/package/sanitize-html , which does the job but is intended for use with Node. Example:

// npm install sanitize-html
const sanitizeHtml = require('sanitize-html');

// "dirty" is the untrusted input, e.g. the "name" field from the request
const clean = sanitizeHtml(dirty, {
  allowedTags: [ 'b', 'i', 'em', 'strong', 'a' ],
  allowedAttributes: {
    'a': [ 'href' ]
  }
});

Enapupe is broadly correct, but the part of his answer which says "You probably need to strip evil tags such as script, etc." is not very clear.

The correct statement would be: you absolutely have to remove XSS using the OWASP guidelines; converting to string or not converting to string will not make a difference!
