Skip to content

ajinabraham/SafeDOM

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SafeDOM.js
SafeDOM.js
 
 
index.html
index.html
 
 

Repository files navigation

SafeDOM

A failed attempt to prevent DOM XSS.

Inspired form Nafeez's work Hookish (http://hookish.skepticfx.com/), I was working on a project called SafeDOM. A library that protects from DOM XSS automatically. It was just an attempt but it failed pathetically because browsers are selfish about standards and JS is mad by nature.

Architecture

SafeDOM

  1. Developer includes SafeDOM.js as the first script that loads in the HTML page.
  2. SafeDOM.js will hook the common DOM Sources of XSS, whatever data that is coming to the source is passed through a suitable encoding/stripping function before assigning to a variable or writing to an Execution Sink. Simple as that.

Why it failed?

  1. Browsers are not standard. Not all things works on cross browsers.
  2. location.href is universally non-redefinable which is a common DOM XSS Source.
  3. JavaScript is mad by nature - See the below video JavaScript Madness

Final Thoughts

If you have any alternate ideas on achieving this , do let me know!

About

A failed attempt to prevent DOM XSS.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages