Looking forward to your pull request! Best wishes!
Yu Xiao
Apache ShenYu

王杰 (Jie Wang) <wangchenmo1...@gmail.com> wrote on Sunday, 5 March 2023 at 23:04:
>
> 🗣️Hi, members of the community.
>
> The topic of this discussion is to avoid XSS cross-site scripting attacks
> in Shenyu by providing a general plugin. Please allow me to introduce the
> background of XSS cross-site scripting attacks.
>
> XSS (Cross-Site Scripting) is a common Web application security
> vulnerability where an attacker injects malicious code into a Web
> application to make it execute in the victim's browser, to steal sensitive
> user information or perform malicious operations on the victim's account.
>
> Usually, both internal and external access should be considered untrusted,
> and the same goes for XSS cross-site scripting attacks. We often write
> something like an XSSFilter in our code to achieve this effect, but it is
> repetitive, reusable, and may need to be updated as attack techniques
> evolve, and is not set in stone.
>
> ☕️I want to write and provide an XSS plugin that offers configurable XSS
> attack interception behavior support.
>
> The ultimate goal of the plugin is to eliminate XSS attack operations by
> leveraging Shenyu's plugin capabilities and simple configuration, including
> but not limited to the following:
>
> - Input validation and filtering: For all data input to the web
>   application, validation and filtering should be performed to prevent
>   injection of malicious code. For example, regular expressions or filters
>   can be used to restrict input character sets and content.
> - Output encoding: All data output from the web application to the browser
>   should be HTML or JavaScript encoded to ensure that the browser correctly
>   interprets them and does not execute them as code. For example, HTML
>   encoding can be used to convert special characters to entity characters, or
>   JavaScript encoding can be used to output data as strings.
> - HttpOnly cookie: Marking cookies as HttpOnly can prevent browsers from
>   accessing them through JavaScript, thus preventing XSS attackers from
>   stealing cookies and performing operations.
> - And some future enhanced XSS protection.
>
> Of course, the strength of its protection should be configurable, like a
> browser ad-blocker plug-in, supporting a trade-off between performance and
> security.
>
> 🦻I want to hear from the community!
>
> If there is more information to be discussed, please feel free to reply to
> this email or discuss it in this ISSUE.
>
> https://github.com/apache/shenyu/issues/4437
>
> Best wishes!
>
> Jie Wang (github: iwangjie)
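As an added illustration, not code from the proposal or from the ShenYu project, the Python sketch below models the three controls listed in the quoted message (input filtering, output encoding, HttpOnly cookies) behind one configurable strictness level, using a constructed request/response object in place of a real gateway exchange; the level names, thresholds and blocklist pattern are assumptions.

```python
import html
import re
from dataclasses import dataclass, field

# Strictness levels for the configurable trade-off the proposal describes
# (the "ad-blocker like" setting). Names and thresholds are assumptions.
LOW, MEDIUM, HIGH = 1, 2, 3

# Conservative input check (markup delimiters or a javascript: scheme);
# a blocklist is only a first line, the entity encoding below is the real control.
_SUSPICIOUS = re.compile(r"[<>]|javascript:", re.IGNORECASE)


@dataclass
class Exchange:
    """Constructed stand-in for a gateway request/response pair."""
    query: dict                       # user-supplied request parameters
    reflected: str = ""               # user text the upstream will echo back
    response_headers: list = field(default_factory=list)


class XssFilter:
    def __init__(self, level=MEDIUM):
        self.level = level

    def validate_input(self, exchange):
        """Input filtering: at MEDIUM and above, reject suspicious parameters."""
        if self.level < MEDIUM:
            return True
        return not any(_SUSPICIOUS.search(v) for v in exchange.query.values())

    def encode_output(self, text):
        """Output encoding: entity-encode so the browser renders text, not markup."""
        return html.escape(text, quote=True)

    def harden_cookies(self, headers):
        """HttpOnly: at HIGH, append the flag to every Set-Cookie that lacks it."""
        if self.level < HIGH:
            return list(headers)
        hardened = []
        for name, value in headers:
            if name.lower() == "set-cookie" and "httponly" not in value.lower():
                value = value.rstrip("; ") + "; HttpOnly"
            hardened.append((name, value))
        return hardened

    def apply(self, exchange):
        """Run all controls; returns (allowed, encoded_reflected_text, headers)."""
        if not self.validate_input(exchange):
            return False, "", list(exchange.response_headers)
        return (True, self.encode_output(exchange.reflected),
                self.harden_cookies(exchange.response_headers))
```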