4.2.7. XSS Protection
4.2.7.1. HTML Filtering
Filter the HTML submitted by the user against a whitelist or blacklist of tags and attributes so that only permitted markup survives. Tools such as DOMPurify implement XSS protection in this way.
4.2.7.2. X-Frame
The X-Frame-Options response header has three possible values:
- DENY: the page cannot be embedded in any iframe or frame.
- SAMEORIGIN: the page can be embedded in an iframe or frame only by pages from the same site.
- ALLOW-FROM: the page can be embedded in an iframe or frame only by the origin named in the header.
4.2.7.3. XSS Protection Header
Browsers based on the WebKit kernel (such as Chrome) have, within a specific version range, a protection mechanism called the XSS Auditor. If the browser detects that input containing malicious code is being rendered into the HTML document, that code is deleted or escaped, so the malicious code is not rendered normally.
Whether the browser blocks this malicious code depends on its XSS protection setting.
The browser's protection mechanism is controlled by the X-XSS-Protection header, which has three possible values:
- 0: turns off the browser's XSS protection mechanism.
- 1: deletes the detected malicious code. If the response carries no X-XSS-Protection field, the browser behaves as if it were set to 1, which is the browser's default setting.
- 1; mode=block: if malicious code is detected, the browser does not render it.
Firefox has no equivalent protection mechanism; if protection is needed, a plug-in such as NoScript can be used.
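The following is an added example, not code from the original handbook: it models how a browser applies the three X-Frame-Options values and the X-XSS-Protection settings described in 4.2.7.2 and 4.2.7.3, including the default that applies when the header is absent. The function names, the origin strings and the sample responses are my own, and where a real browser's handling of malformed values varies, the model simply fails closed.

```javascript
// Added example, not code from the original handbook: a model of how a
// browser applies the X-Frame-Options and X-XSS-Protection headers above.
// Origins are plain strings such as "https://example.com"; embedderOrigin is
// the origin of the page that contains the <iframe>. Names are my own.

// Decide whether a page served with `headerValue` may be shown inside a frame
// hosted by `embedderOrigin`. `null` models a response without the header.
function framingAllowed(headerValue, pageOrigin, embedderOrigin) {
  if (headerValue == null) return true; // no header: framing is not restricted
  const value = headerValue.trim();
  const directive = value.split(/\s+/)[0].toUpperCase();
  if (directive === "DENY") return false;
  if (directive === "SAMEORIGIN") return pageOrigin === embedderOrigin;
  if (directive === "ALLOW-FROM") {
    // Only the single origin named after ALLOW-FROM may embed the page.
    const uri = value.slice(directive.length).trim();
    try {
      return uri !== "" && new URL(uri).origin === embedderOrigin;
    } catch {
      return false; // unparsable URI: this model fails closed
    }
  }
  return false; // unrecognised directive: this model fails closed
}

// Normalise an X-XSS-Protection value into the setting the browser will use.
// A missing header means the default described above: "1" (filter enabled).
function parseXssProtection(headerValue) {
  if (headerValue == null) return { enabled: true, mode: "filter", explicit: false };
  const parts = headerValue.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts[0] === "0") return { enabled: false, mode: "off", explicit: true };
  if (parts[0] !== "1") throw new Error(`unrecognised X-XSS-Protection value: ${headerValue}`);
  const mode = parts.slice(1).find((p) => p.toLowerCase().startsWith("mode="));
  const block = mode !== undefined && mode.slice("mode=".length).toLowerCase() === "block";
  return { enabled: true, mode: block ? "block" : "filter", explicit: true };
}

// Constructed sample responses, as a server might send them.
const samples = [
  { xfo: "DENY", xxp: "1; mode=block" },
  { xfo: "SAMEORIGIN", xxp: null },
  { xfo: "ALLOW-FROM https://partner.example", xxp: "0" },
];
for (const s of samples) {
  console.log(s.xfo, "-> embeddable by https://partner.example:",
    framingAllowed(s.xfo, "https://app.example", "https://partner.example"),
    "| X-XSS-Protection:", JSON.stringify(parseXssProtection(s.xxp)));
}
```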