
Cleaning input versus not allowing input

I'm working on securing my website against XSS attacks starting with JavaScript. I have read that I can escape user input using &lt; etc. However I personally would prefer to just not allow user input such as <, “, ‘, .cookies, alert(, etc. Would there be a security risk in that method?



Yes, there are risks associated with that, but only if that’s the only thing you are doing to protect against XSS. For a user-controlled input there are 3 places where you might consider adding some protection:

  1. Prevent user from typing special characters (or pasting them) prior to sending the data to server
  2. Server rejecting or removing unwanted characters from the input prior to sending it on the response
  3. When the value is eventually displayed to the user, the value should be properly escaped/encoded as HTML

If you do item 1 you must also do item 2 as well, and for good measure you also should do 3 as well. If you choose to just do item 1, then you have made the system even worse because now it becomes more difficult to see the attack vector and test that it works. Real attackers probably wouldn’t use your silly UI to prevent the typed characters, they’ll just go directly to the server and send a request bypassing the UI entirely.

You’re better off just doing it the right way and only implementing item 3. Item 1 and 2 should be done only if the requirements indicate that this field doesn’t accept special characters for other reasons.
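An added example (not from the original post) contrasting the two approaches the answer describes: a character blacklist applied to the input (item 2) against HTML encoding applied when the value is rendered (item 3). The helper names and the sample comment strings are assumptions constructed for this illustration.

```javascript
// Item 2 style: strip a blacklist of "dangerous" tokens from the stored input.
// This is lossy (legitimate text is altered) and only safe if the list is complete.
const BLACKLIST = ['<', '"', "'", '.cookie', 'alert('];
function stripBlacklist(input) {
  let out = input;
  for (const token of BLACKLIST) {
    out = out.split(token).join('');
  }
  return out;
}

// Item 3: encode for the HTML text context at render time.
// Every character that can change HTML structure becomes an entity; nothing is dropped.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Render a comment as a page fragment. The value is stored raw and encoded only here,
// so a request that bypasses a client-side filter (item 1) is handled exactly the same way.
function renderComment(author, text) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</p>`;
}

// Constructed sample inputs: one legitimate comment, one containing markup.
const legit = "O'Brien says 5 < 6 && \"ok\"";
const hostile = '<script>alert(document.cookie)</script>';

console.log(stripBlacklist(legit));   // legitimate text is mangled
console.log(escapeHtml(legit));       // legitimate text survives, safely encoded
console.log(renderComment('O\'Brien', hostile)); // markup is displayed as text, not parsed
```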