An Empirical Analysis of XSS Sanitization in Web Application Frameworks

Filtering or sanitization is the predominant mechanism in today's applications to defend against cross-site scripting (XSS) attacks. XSS sanitization can be difficult to get right as it ties in closely with the parsing behavior of the browser. This paper explains some of the subtleties of ensuring correct sanitization, as well as common pitfalls. The authors study several emerging web application frameworks including those presently used for development of commercial web applications. They evaluate how effective these frameworks are in guarding against the common pitfalls of sanitization. They find that while some web frameworks safeguard against the empirically relevant use cases, most do not. In addition, some of the security features in present web frameworks provide a false sense of security.