A failed attempt to prevent DOM XSS.
Inspired by Nafeez's work Hookish (http://hookish.skepticfx.com/), I was working on a project called SafeDOM, a library that protects against DOM XSS automatically. It was just an attempt, but it failed pathetically because browsers are selfish about standards and JS is mad by nature.
Architecture
- Developer includes SafeDOM.js as the first script that loads in the HTML page.
- SafeDOM.js hooks the common DOM XSS sources; whatever data comes from a source is passed through a suitable encoding/stripping function before it is assigned to a variable or written to an execution sink. Simple as that.
Why did it fail?
- Browsers are not standard. Not everything works across browsers.
- location.href, a common DOM XSS source, is universally non-redefinable.
- JavaScript is mad by nature. See the video below.
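To make the architecture above and the location.href problem concrete, here is an added example (my own illustration, not SafeDOM's or Hookish's code). It installs an encoding getter over a source property with Object.defineProperty and then shows why the approach cannot reach a non-configurable property. Browsers expose location.href as non-configurable and Node has no DOM, so the example uses a constructed stand-in object with one configurable property (hash) and one non-configurable property (href) to reproduce both outcomes; the names makeMockLocation, hookSource, htmlEncode and demo are mine.

```javascript
// Added example, not part of the original post or of SafeDOM.
// Hooks a DOM-XSS "source" property so that every read returns an
// HTML-encoded value, and shows the failure when the property is
// non-configurable (as window.location.href is in real browsers).

// Encode the characters that let untrusted data change HTML text context.
function htmlEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Replace `prop` on `obj` with an accessor whose getter encodes the raw value.
// Returns true if the hook was installed, false if the property cannot be
// redefined (the location.href case: no error, just no protection).
function hookSource(obj, prop, encode) {
  const desc = Object.getOwnPropertyDescriptor(obj, prop);
  if (!desc || !desc.configurable) return false;
  // Read the underlying value through the original accessor or data slot.
  const raw = desc.get ? () => desc.get.call(obj) : () => desc.value;
  Object.defineProperty(obj, prop, {
    configurable: true,
    enumerable: desc.enumerable,
    get: () => encode(raw()),
    set: (v) => { if (desc.set) desc.set.call(obj, v); else desc.value = v; },
  });
  return true;
}

// Constructed stand-in for window.location (hypothetical values, not a real
// browser object): `hash` is configurable, `href` is not, mirroring browsers.
function makeMockLocation() {
  const loc = {};
  Object.defineProperty(loc, 'hash', {
    value: '#<b>name</b>', writable: true, enumerable: true, configurable: true,
  });
  Object.defineProperty(loc, 'href', {
    value: 'https://example.test/#<b>name</b>',
    writable: true, enumerable: true, configurable: false,
  });
  return loc;
}

// Run the hooking step on both properties and report what a consumer would
// see when it later reads them (e.g. before writing into innerHTML).
function demo() {
  const loc = makeMockLocation();
  const hashHooked = hookSource(loc, 'hash', htmlEncode); // configurable: hook lands
  const hrefHooked = hookSource(loc, 'href', htmlEncode); // non-configurable: refused
  const hashBefore = loc.hash;          // encoded on read
  loc.hash = '#x<y';                    // writes still go to the underlying slot
  const hashAfterSet = loc.hash;        // encoded again on read
  return { hashHooked, hrefHooked, hashBefore, hashAfterSet, href: loc.href };
}

// Stand-alone run: prints the outcome of both hooks.
console.log(demo());
```

The important line is the configurable check in hookSource: a real browser reports configurable: false for location.href, so the hook silently does nothing and the untouched string flows to whatever sink reads it, which is exactly the gap the post describes.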
Final Thoughts
If you have any alternate ideas on achieving this, do let me know!