src/routes/solid-start/guides/security.mdx
Lines changed: 5 additions & 4 deletions
@@ -12,12 +12,14 @@ However, this protection does not apply when using [`innerHTML`](https://docs.so
12
12
To protect your application from XSS attacks:
13
13
14
14
1. Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
15
-
If you must use it, sanitize the content before rendering with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
15
+
If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
16
16
2. Validate and sanitize user inputs.
17
17
Always validate form inputs on the server in addition to the client.
18
18
3. Set a Content Security Policy (CSP).
19
+
4. Sanitize attributes containing user-supplied data within `<noscript>` elements.
20
+
This includes both the attributes of the `<noscript>` element itself and its children.
19
21
20
-
We highly recommend you read[Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for more guidance.
22
+
We highly recommend reading the[Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
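Review bot: the rewritten second line of item 1 ("If necessary, make sure to sanitize user-supplied data") loses the explicit tie to `innerHTML` that the removed line had ("If you must use it"), so it now reads as a generic instruction that duplicates item 2; suggest keeping the condition, e.g. `If you must use it, sanitize the user-supplied content before rendering with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).` In the rewritten closing line, `the[Cross Site Scripting Prevention Cheat Sheet]` still has no space between "the" and the link (the removed line had the same defect after "read"), which fuses the words in rendered MDX; add the space. The new item 4 on `<noscript>` states the rule but gives no reason it is needed or when it applies beyond the `innerHTML` case the surrounding text covers; a one-sentence rationale or a link to the relevant reference would help readers act on it.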
This example demonstrates a basic implementation of CSRF protection that checks for the `Origin` and `Referer` headers and blocks requests that are not from trusted origins.
203
205
In addition, consider implementing a more comprehensive CSRF protection mechanism such as [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
204
206
205
-
We highly recommend you read [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for more guidance.
206
-
207
+
We highly recommend reading the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for further guidance.
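Review bot: the `-` line that carried only a blank removes the empty line after the recommendation paragraph while the replacement sentence is added in its place; confirm that whatever follows in the file is still separated by a blank line so the MDX paragraph boundary holds. The wording otherwise matches the parallel change in the XSS section ("reading the ... for further guidance"), and this hunk correctly keeps the space before the link.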