Cross-site scripting, or XSS, is one of the most common vulnerabilities within web applications. When an application reflects unsanitized user input from data stores, external systems, or HTTP requests into HTML responses, an attacker can trick the application into executing malicious JavaScript in a victim’s browser. The use of user-controlled elements within insecure JavaScript functions can lead to the same effect.
Our usage of Rails and markup rendering pipelines allows us to escape untrusted data by default during HTML rendering. However, there are always edge cases that could pop up. Read Rails’ security guide about XSS for more specific examples.
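One such edge case is context: HTML escaping is right for element content, but a value written into an inline `<script>` block needs JavaScript/JSON encoding instead, or a `</script>` inside the data closes the block early. The example below is added here and is not GitHub's or Rails' code; it uses only the Ruby standard library, with `render_profile` and the sample inputs constructed for illustration.

```ruby
require "cgi"
require "json"

# Escape untrusted text for HTML element content or a quoted attribute value.
def escape_html(text)
  CGI.escapeHTML(text.to_s)
end

# Encode an untrusted value for an inline <script> block. HTML escaping is the
# wrong tool there ("&lt;" would reach JavaScript as a literal string), so emit
# JSON and replace the characters that could end the script element or break
# the JS parser with their \uXXXX escapes, which JSON and JS both decode.
def escape_js_json(value)
  JSON.generate(value)
      .gsub("<") { '\u003c' }
      .gsub(">") { '\u003e' }
      .gsub("&") { '\u0026' }
      .gsub("\u2028") { '\u2028' }
      .gsub("\u2029") { '\u2029' }
end

# Hardened template: each interpolation uses the escaper for its context.
def render_profile(name, prefs)
  <<~HTML
    <p>Hello, #{escape_html(name)}</p>
    <script>window.prefs = #{escape_js_json(prefs)};</script>
  HTML
end

# Same template with the common mistake: raw to_json inside <script>. The HTML
# parser ends the script element at the first "</script>" it sees in the data.
def render_profile_unsafe(name, prefs)
  <<~HTML
    <p>Hello, #{escape_html(name)}</p>
    <script>window.prefs = #{prefs.to_json};</script>
  HTML
end

# Constructed sample inputs: an HTML payload for the element context and a
# script-breakout payload for the JavaScript context.
SAMPLE_NAME  = "<img src=x onerror=alert(1)>"
SAMPLE_PREFS = { "bio" => "</script><script>alert(1)</script>" }

if __FILE__ == $PROGRAM_NAME
  puts render_profile(SAMPLE_NAME, SAMPLE_PREFS)
  puts "safe:   #{render_profile(SAMPLE_NAME, SAMPLE_PREFS).scan('</script>').size} closing tag(s)"
  puts "unsafe: #{render_profile_unsafe(SAMPLE_NAME, SAMPLE_PREFS).scan('</script>').size} closing tag(s)"
end
```

Rails' `json_escape` (`ERB::Util.json_escape`) performs the same substitution for `<`, `>` and `&`, which is why it is the helper to reach for when emitting JSON into a script tag.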
We employ various browser features to help mitigate the risk of XSS for our users. For GitHub.com we set Content Security Policy (CSP) HTTP headers to prevent the execution of arbitrary JavaScript within the github.com domain. Additionally, we set the X-XSS-Protection header to instruct browsers to activate proactive XSS mitigation. To prevent an XSS exploit from compromising user sessions, access to sensitive cookies is disallowed by setting the HttpOnly flag.
More about cross-site scripting vulnerabilities from OWASP’s Top 10:
XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) Stored, 2) Reflected, and 3) DOM based XSS.