Is it Secure to Use jQuery on the Server-Side for User Input Validation?
I’m considering using jQuery on the server-side (node.js) for validating user input. My goal is to filter tags, remove unnecessary attributes, modify CSS rules, and remove javascript links. However, I’m concerned about the security implications of using jQuery for this purpose.
It is important to note that you need to verify that the HTML is valid before applying any validation. This ensures proper nesting of quotes and tags, as different browsers may use different algorithms to ‘fix’ invalid HTML, resulting in inconsistencies.
Additionally, there is a high risk of adding too many elements to your whitelist. For example, the href
attribute can contain active content such as javascript:
, vbscript:
, and java script:
. These can be used to execute malicious code.
Internet Explorer also has an expression()
function in CSS that can execute JavaScript, further highlighting the need for careful validation.
I strongly recommend using existing libraries for sanitizing user input, such as HTML Purifier. These libraries have been extensively tested and are designed to handle various security vulnerabilities.
It is also important to familiarize yourself with the XSS cheat sheet provided by OWASP, which outlines common attack vectors and evasion techniques.
Lastly, keep in mind that an attack may not always rely on JavaScript. Attackers can inject forms that request sensitive information such as usernames and passwords, bypassing any JavaScript-based validation.