Child pages
  • Security: Cross-site Scripting (XSS)
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Cross-Site Scripting (XSS) is an attack to a website where data that contains scripts is executed and malicous code created by one user may be run by another user.

Servoy will sanitize all data that is shown in the WebClient and the NGClient to prevent this in Servoy solutions.


A solution allows a user to register users and has a form for backoffice handling that lists all users.

When the user registers with a name that contains scripting 'John<script>doSomethingBad()</script>Doe', Servoy will not execute the script but will sanitize the data and just show 'John Doe'.

Trusting data as html

In some situations data used in elements contains html that has to be shown as-is.

Only in cases where the source of the html can be fully trusted, an element can be configured to disable santizing.

This is done via the

  • No labels