🗣️Hi, members of the community. The topic of this discussion is to avoid XSS cross-site scripting attacks in Shenyu by providing a general plugin. Please allow me to introduce the background of XSS cross-site scripting attacks.
XSS (Cross-Site Scripting) is a common Web application security vulnerability where an attacker injects malicious code into a Web application to make it execute in the victim's browser, to steal sensitive user information or perform malicious operations on the victim's account. Usually, both internal and external access should be considered untrusted, and the same goes for XSS cross-site scripting attacks. We often write something like an XSSFilter in our code to achieve this effect, but it is repetitive, reusable, and may need to be updated as attack techniques evolve, and is not set in stone.

☕️ I want to write and provide an XSS plugin that offers configurable XSS attack interception behavior support. The ultimate goal of the plugin is to eliminate XSS attack operations by leveraging Shenyu's plugin capabilities and simple configuration, including but not limited to the following:

- Input validation and filtering: For all data input to the web application, validation and filtering should be performed to prevent injection of malicious code. For example, regular expressions or filters can be used to restrict input character sets and content.
- Output encoding: All data output from the web application to the browser should be HTML or JavaScript encoded to ensure that the browser correctly interprets them and does not execute them as code. For example, HTML encoding can be used to convert special characters to entity characters, or JavaScript encoding can be used to output data as strings.
- HttpOnly cookie: Marking cookies as HttpOnly can prevent browsers from accessing them through JavaScript, thus preventing XSS attackers from stealing cookies and performing operations.
- And some future enhanced XSS protection.

Of course, the strength of its protection should be configurable, like a browser ad-blocker plug-in, supporting a trade-off between performance and security.

🦻 I want to hear from the community!
If there is more information to be discussed, please feel free to reply to this email or discuss it in this ISSUE:
https://github.com/apache/shenyu/issues/4437

Best wishes!
Jie Wang (github: iwangjie)