Sending unvalidated data to a web browser can result in the browser executing malicious code. Settings in the AntiSamy configuration can reduce the application's exposure to cross-site scripting.
Cross-site scripting (XSS) vulnerabilities occur when:
1. Data enters a web application through an untrusted source, most frequently a web request or database.
2. The data is included in dynamic content that is sent to a web user without being validated for malicious code.
The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Since attacks against XSS vulnerabilities often involve communicating with or redirecting to a malicious site controlled by the attacker, the ability to inject references to content on other domains is integral to many exploits. AntiSamy can be configured to prevent links to external domains, which diminishes the damage an attacker can cause through an XSS attack. However, this protection is only a partial solution and does not address the overall threat posed by XSS vulnerabilities.
Example 1: The following AntiSamy configuration entry allows links to URLs outside of the domain on which the application is running.
<attribute name="href" onInvalid="filterTag">
    <regexp-list>
        <regexp name="onsiteURL"/>
        <regexp name="offsiteURL"/>
    </regexp-list>
</attribute>
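To make the effect of Example 1 concrete, the following added example (not AntiSamy's own code) models an href attribute policy with onInvalid="filterTag" and runs the same markup through the permissive policy above and a restricted policy that lists only onsiteURL. The two regexps are constructed stand-ins for AntiSamy's onsiteURL and offsiteURL patterns, and the anchor matching is deliberately simplified.

```python
import re

# Constructed stand-ins for AntiSamy's onsiteURL and offsiteURL regexps
# (assumption: the patterns shipped in antisamy.xml differ in detail).
# onsiteURL: a relative or fragment URL with no scheme and no leading "//".
ONSITE_URL = re.compile(r"^(?!\s*(?:[a-z][a-z0-9+.-]*:|//))[\w./#?&=%+~-]*$", re.I)
# offsiteURL: an absolute http(s)/ftp/mailto URL, i.e. a link off the site.
OFFSITE_URL = re.compile(r"^\s*(?:https?://|ftp://|mailto:)[\w.-]+[\w./#?&=%+~:-]*\s*$", re.I)

# Simplified anchor/attribute matching (double-quoted href only).
ANCHOR = re.compile(r"<a\b([^>]*)>(.*?)</a>", re.I | re.S)
HREF = re.compile(r'\bhref\s*=\s*"([^"]*)"', re.I)

# Policies: Example 1 lists both regexps; the restricted policy keeps only
# onsiteURL, so links to external domains no longer pass.
PERMISSIVE_HREF = [ONSITE_URL, OFFSITE_URL]
RESTRICTED_HREF = [ONSITE_URL]

def sanitize_links(html, allowed_href):
    """Apply an href policy with onInvalid="filterTag": an <a> whose href
    matches none of the allowed patterns is dropped but its text is kept.
    Returns (clean_html, number_of_filtered_anchors)."""
    filtered = 0

    def check(m):
        nonlocal filtered
        attrs, inner = m.group(1), m.group(2)
        href = HREF.search(attrs)
        url = href.group(1) if href else ""
        if any(p.match(url) for p in allowed_href):
            return m.group(0)          # href satisfies the policy: keep the tag
        filtered += 1
        return inner                   # filterTag: strip the tag, keep contents

    return ANCHOR.sub(check, html), filtered

# Constructed sample: one on-site link, one link to an external domain,
# and one javascript: URL that neither pattern accepts.
SAMPLE = ('<p>Go to <a href="/account">your account</a>, '
          '<a href="https://attacker.example/c?x=1">this page</a> or '
          '<a href="javascript:alert(1)">here</a>.</p>')

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_HREF), ("restricted", RESTRICTED_HREF)):
        clean, n = sanitize_links(SAMPLE, policy)
        print(f"{name}: filtered {n} anchor(s) -> {clean}")
```

Under the permissive policy only the javascript: link is filtered and the external link survives; under the restricted policy the external link is filtered as well, which is the reduction in exposure the text describes.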