Share your craft projects
Make new craft buddies
Ask craft questions
Blog your craft journey
secure-frontend
Cross site scripting defense with output encoding and CSP
XSS defense works best in layers: correct output encoding, sanitization for trusted rich text only, and a restrictive Content-Security-Policy. I avoid storing untrusted HTML unless there is a strong product reason. When rich content is required, I san
by
Kai Nakamura