About
This article covers security when writing an application that renders HTML pages.
Because HTML and HTTP are heavily intermixed, this page also repeats some content from the HTTP security page.
User content / Sanitizing User Input
HTML is not itself a programming language, but an HTML document can download and run script: inline script elements, event-handler attributes such as onerror, javascript: URLs, and so on.
Therefore, you should be extremely careful with user input and with any HTML content created by your users; inserting it into a page unmodified is the classic cross-site scripting (XSS) vulnerability.
If you:
- accept HTML, you might want to look into rendering it inside an iframe with the sandbox attribute, which gives the content a separate opaque origin and disables script unless it is explicitly allowed. Security is hard, though, and sandboxing alone is not a complete defence: combine it with an allowlist-based HTML sanitizer and a restrictive CSP.
- don't accept HTML, you need to neutralise it by:
- escaping every HTML metacharacter (<, >, &, double quote and single quote) in user input before it is inserted into the page, so that tags become inert text. Escaping is context-specific: what is safe between tags is not safe inside a script block, an event-handler attribute, a URL or a CSS value, which each need their own encoding.
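The two branches above as an added example (this is illustration code written for this page, not code from the original article or from any library): escaping user input for the HTML text and quoted-attribute contexts when you do not accept HTML, and wrapping markup in a sandboxed iframe via srcdoc when you do. The sample author name and comment body are constructed XSS probes; the functions are plain string builders so the block runs under Node.js without a DOM.

```javascript
// Added example: HTML escaping and a sandboxed iframe wrapper (not from the page).

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text for insertion between tags or inside a quoted attribute.
// Note: this is NOT sufficient for script blocks, event-handler attributes,
// URLs or CSS; those contexts need their own encoding.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Don't accept HTML": every user-controlled value is escaped before it is
// placed into the template, so any tags the user typed arrive as inert text.
function renderComment(author, body) {
  return `<article class="comment" data-author="${escapeHtml(author)}">` +
    `<h3>${escapeHtml(author)}</h3><p>${escapeHtml(body)}</p></article>`;
}

// "Accept HTML": hand the raw markup to a sandboxed iframe through srcdoc.
// With an empty sandbox attribute, scripts, forms, popups and top-level
// navigation are all disabled and the content gets a unique opaque origin,
// so it cannot read the embedding page's cookies or DOM. srcdoc is an
// attribute value, so the markup must still be attribute-escaped here or the
// payload could simply close the quote and break out of the iframe tag.
function sandboxedFrame(untrustedHtml) {
  return `<iframe sandbox srcdoc="${escapeHtml(untrustedHtml)}" ` +
    `referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample input (hypothetical attacker-controlled values).
const SAMPLE_AUTHOR = 'mallory" onmouseover="alert(1)';
const SAMPLE_BODY = '<img src=x onerror=alert(document.cookie)>';

console.log(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log(sandboxedFrame(SAMPLE_BODY));
```

The attribute case shows why the same escaping table must cover quotes: without the double-quote entry, the author value would close the data-author attribute and inject an onmouseover handler even though no angle brackets were needed. Rendering untrusted HTML through srcdoc inside a sandboxed iframe still lets the content render images, links and styles, which is what "accept HTML" usually needs, while keeping script off; it does not replace a sanitizer for content you later reuse outside the frame.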
Configuration
- Add a CSRF token to every form that issues a POST request (or any other state-changing request), and reject requests whose token is missing or does not match the one issued to the session.
- Add a Content-Security-Policy (CSP) header to define which origins the browser may load resources (scripts, styles, images, frames) from. A policy that forbids inline script also blunts many XSS payloads that slip past escaping.
- Add an X-Frame-Options HTTP response header (DENY or SAMEORIGIN) to indicate that a browser should not be allowed to render the page in a frame, iframe, embed or object. The CSP frame-ancestors directive is the modern equivalent and takes precedence over X-Frame-Options when both are present, so send both to cover older browsers. See also Web Security - Clickjacking.