
Is there a way to “stop script” from running using JavaScript?

How can I stop a script from executing in JavaScript? In the case of cross-site scripting (XSS) attacks, the fundamental requirements are injection + execution of script.

Imagine a scenario where an attacker is able to inject JavaScript into a page and our goal is to stop the attacker's script from executing. The injection point, as an example, can be any user-supplied input area.

Always always escape your input. For XSS, use htmlentities() to escape HTML and JS. Here's a good article on PHP Security

http://www.phpfreaks.com/tutorial/php-security

There are basically two things to be careful of when dealing with XSS:

  1. Escape your output. Escaping the input just takes more resources for nothing. Escape your user-submitted content output. It also means that non-escaped content is in your database, which is a good thing (in case of false positives you can fix that without losing content, in case of a new XSS policy you don't need to modify all your database, etc).
  2. Secure your javascript code. Be very careful not to include some flaw using eval() or something like it.

As others said, the best and easiest way to protect yourself from XSS is validating input and properly escaping output depending on the insertion point (HTML, most likely, with entities; or JavaScript / CSS blocks -- unlikely and more difficult to properly escape).

However, if your use case is outputting raw user input which is supposed to contain arbitrary HTML and you just want to prevent injected JavaScript from messing with your site, you can either:

  1. Frame the content in a different, unique domain (so it cannot share cookies with your main document), e.g. xyz123.usercontent.com (with xyz123 different for each user).
  2. Wait for and/or CSP's sandbox directive to be standardized in every browser you support (and, of course, deny access to incapable browsers).
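The two answers above both come down to escaping output for the context it lands in. As an added example that is not part of any answer on this page, the following JavaScript shows an HTML-text/attribute encoder beside a JavaScript-string-literal encoder, and a renderer that places the same untrusted value in all three contexts; the function names and the trackAuthor() call are illustrative, not from the original.

```javascript
// Added example, not from the original answers: output escaping chosen by
// insertion point.  A value that is safe as HTML text is not automatically
// safe inside a JavaScript string literal, so each context gets its own
// encoder.  All names here are illustrative.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// For HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// For data embedded inside a single- or double-quoted JavaScript string
// literal in an inline <script>.  Everything except ASCII letters, digits,
// underscore and space is hex-escaped, so quotes, backslashes, line
// terminators and "</script>" can neither end the literal nor the script.
function escapeJsString(value) {
  return String(value).replace(/[^\w ]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Builds a comment widget that places the user-supplied author name in an
// attribute, the comment body in HTML text, and the author name again inside
// a JS string literal (hypothetical trackAuthor() call).
function renderComment(author, text) {
  return (
    `<div class="comment" data-author="${escapeHtml(author)}">` +
    `<p>${escapeHtml(text)}</p>` +
    `<script>trackAuthor('${escapeJsString(author)}');</script>` +
    '</div>'
  );
}
```

escapeHtml() escapes both quote characters, so it is usable for attribute values as well as text; escapeJsString() is only for string literals inside a script block and must not be used for the attribute or text positions.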

Your only solution is to prevent scripts from being injected. There are several things you can do to achieve this:

  1. Never trust input from the user. That means form inputs, query string parameters, cookie content, or any other data obtained from an incoming request.
  2. Sanitize everything you render, everywhere you render it. I like to achieve this with two clearly-named rendering functions in templates, render and render_unsafe. Rails has a similar interface since 3.0 which sanitizes all template data unless you specifically ask for unsanitized rendering. Having a clearly-named interface will make it easier to keep your templates in check, and ensuring that unsanitized renders are the exception forces you to make a decision every time you dump data into a template.
  3. If you must allow the user to run functions directly, always do it through a whitelist. Have them supply a function name or some other identifier as a string and their arguments as JSON or some other parseable construct. Have a look at the design for Shopify's Liquid templating system which uses a similar execution-safe whitelisting pattern.
  4. Never trust input from the user. Not ever.
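Point 3 of this answer (a whitelist of named functions with JSON arguments) is shown below as an added example that is not part of the answer. The action names, the request shape {"action": ..., "args": [...]} and the unsafe eval() variant kept for contrast are all my own assumptions, not anything from the original post or from Liquid.

```javascript
// Added example, not from the original answer: running a user-selected
// operation through an allowlist instead of eval().  The client sends
// {"action": "<name>", "args": [...]} as JSON; the action name is only ever
// used as a key into ACTIONS, never as code.  Names are illustrative.

function uppercase(s) { return String(s).toUpperCase(); }
function truncate(s, n) { return String(s).slice(0, Number(n)); }
function count(list) { return Array.isArray(list) ? list.length : 0; }

// A Map, not a plain object: Map#has()/get() ignore the prototype chain, so
// "constructor", "__proto__" or "toString" can never resolve to a callable.
const ACTIONS = new Map([
  ['uppercase', uppercase],
  ['truncate', truncate],
  ['count', count],
]);

// Shared input validation: the request must be a JSON object with a string
// action and an array of arguments.  Nothing is executed here.
function parseRequest(rawJson) {
  let req;
  try {
    req = JSON.parse(rawJson);
  } catch {
    throw new Error('request is not valid JSON');
  }
  if (typeof req !== 'object' || req === null || Array.isArray(req)) {
    throw new Error('request must be a JSON object');
  }
  if (typeof req.action !== 'string') throw new Error('action must be a string');
  if (!Array.isArray(req.args)) throw new Error('args must be an array');
  return req;
}

// Safe dispatcher: names not present in the allowlist are rejected before
// anything runs, and the arguments only ever reach the chosen function.
function runUserAction(rawJson) {
  const { action, args } = parseRequest(rawJson);
  const fn = ACTIONS.get(action);
  if (fn === undefined) throw new Error(`unknown action: ${action}`);
  return fn(...args);
}

// The flaw the answer warns about, kept for contrast: the same validated
// request is turned into source text and evaluated, so "action" is executed
// as code rather than looked up.  {"action":"(() => 6*7)","args":[]} already
// runs arbitrary JavaScript here.
function runUserActionUnsafe(rawJson) {
  const { action, args } = parseRequest(rawJson);
  const argList = args.map((a) => JSON.stringify(a)).join(', ');
  return eval(`${action}(${argList})`); // deliberately vulnerable
}
```

The unsafe variant passes the same JSON shape check as the safe one, which is the point: validating the envelope does nothing if the contents are then handed to the interpreter. Only the allowlist lookup makes the action name inert.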
