XSS attack

In a cross-site scripting (XSS) attack, an attacker injects malicious script into a web page so that it bypasses the client-side security mechanisms imposed by web browsers and gains access to information stored in the browser. The countermeasures described below use the Open Web Application Security Project's (OWASP) Enterprise Security API (ESAPI) for encoding.

  • Only the following characters are allowed as values for the name attribute of the cfform tag: alphanumeric characters, _ (underscore), - (hyphen), : (colon), and . (dot). This restriction prevents stored XSS through the scriptsrc field.

  • The following new encoding methods are added to reduce exposure to XSS attacks: encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForCSS, and encodeForURL. Encode user input with the method that matches the context in which the value is output. To decode an input string, a canonicalize method is also added.
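The following page fragment is an added example (not part of the original documentation) showing the same untrusted value being canonicalized once and then encoded separately for each of the five output contexts listed above. The sample input is constructed, and the argument order for canonicalize (input, restrictMultiple, restrictMixed) and the error it raises when those restrictions are violated are assumed from ColdFusion's documented behaviour.

```cfml
<cfscript>
// Constructed sample input: a typical XSS probe a user might submit.
untrusted = '"><script>alert(1)</script>';

// 1. Canonicalize first, so the encoders see the real characters rather than
//    a double- or mixed-encoded form (for example %253C or &#x3C;) that a
//    naive filter would miss. Assumed signature:
//    canonicalize(input, restrictMultiple, restrictMixed).
//    With both restrictions true, multiply or mixed-encoded input raises an
//    error, which is itself a useful signal of filter-evasion attempts.
try {
    clean = canonicalize(untrusted, true, true);
} catch (any e) {
    // Reject the request instead of guessing what was meant.
    writeOutput("Rejected: input uses multiple or mixed encodings.");
    abort;
}

// 2. Encode once, for exactly the context in which the value is emitted.
htmlBody = encodeForHTML(clean);          // text between tags
htmlAttr = encodeForHTMLAttribute(clean); // inside a quoted attribute value
jsString = encodeForJavaScript(clean);    // inside a JavaScript string literal
cssValue = encodeForCSS(clean);           // inside a CSS property value
urlParam = encodeForURL(clean);           // inside a URL query parameter
</cfscript>

<!--- 3. Each encoded value is used only in the context it was encoded for.
         Reusing htmlBody inside the <script> block, for instance, would not
         stop a break-out from the JavaScript string literal. --->
<p>Search term: <cfoutput>#htmlBody#</cfoutput></p>
<input type="text" name="q" value="<cfoutput>#htmlAttr#</cfoutput>">
<script>var term = "<cfoutput>#jsString#</cfoutput>";</script>
<style>.hl::after { content: "<cfoutput>#cssValue#</cfoutput>"; }</style>
<a href="search.cfm?q=<cfoutput>#urlParam#</cfoutput>">Search again</a>
```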