RESEARCH ON THE EFFECTIVENESS OF SANITIZATION LIBRARIES FOR XSS ATTACKS IN WEB APPLICATIONS

DOI:

https://doi.org/10.28925/2663-4023.2025.31.1076

Keywords:

XSS attacks, cross-site scripting, web security, data sanitization, Content Security Policy, input validation, DOM-based XSS, cybersecurity, web application protection.

Abstract

Cross-Site Scripting (XSS) attacks remain one of the most prevalent and critical vulnerabilities in modern web applications, as they allow attackers to execute arbitrary malicious code in the user’s browser, compromising confidentiality, integrity, and availability of data. One of the key approaches to mitigating XSS is the use of sanitization libraries designed to clean or safely transform user input before it is processed and rendered. This article presents a comprehensive experimental study of the effectiveness of popular HTML sanitization libraries in the context of protecting web applications against XSS attacks. A specialized dataset of 100 unique XSS vectors is proposed and utilized, covering both classical attack scenarios (script tags, event handlers) and modern, less obvious techniques, including CSS injections, SVG-based vectors, DOM clobbering, encoded payloads, and abuse of contemporary browser APIs. To conduct the experiments, an automated testing framework based on Node.js and browser emulation tools was developed, enabling realistic reproduction of malicious code execution conditions. A comparative analysis of DOMPurify, js-xss, sanitize-html, and OWASP Java HTML Sanitizer was performed using their default configurations and evaluated according to XSS blocking rate, performance, and memory consumption, as well as through a multi-criteria assessment considering security, maintainability, and practical applicability. The experimental results demonstrate that none of the analyzed libraries provides complete out-of-the-box protection, while a common weakness across all solutions is vulnerability to DOM clobbering and encoded attack vectors. Based on the findings, practical recommendations are formulated regarding the configuration and deployment of sanitization libraries as part of a defense-in-depth strategy for modern web applications.
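As an added illustration of the evaluation method the abstract describes, and not the authors' framework or any of the compared libraries' code, the Node.js harness below runs a set of constructed vectors through a sanitizer and reports which dangerous constructs survive, decoding entities first so that encoded payloads and clobbering ids are caught the way a browser would see them. `naiveSanitizer`, `probe()`, the vector set and the clobbering-target list are stand-ins chosen for this example.

```javascript
// Added example harness (not the paper's framework); vectors are constructed and probe() stands in for any call.
const NAMED = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };
// Decode HTML character references so "&#106;avascript:" is inspected as the browser's parser would produce it.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|lt|gt|quot|amp|apos);/gi, (_, ref) => {
    if (ref[0] !== '#') return NAMED[ref.toLowerCase()];
    const hex = ref[1].toLowerCase() === 'x';
    return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}
// id/name values that shadow window or document properties (DOM clobbering); illustrative subset for this example.
const CLOBBER_TARGETS = new Set(['location', 'cookie', 'forms', 'body', 'document', 'self', 'top']);
// Return the dangerous constructs still present in sanitized markup (the test oracle).
function survivingConstructs(output) {
  const d = decodeEntities(output).replace(/[\t\n\r]/g, ''); // browsers ignore these inside a URL scheme
  const found = [];
  if (/<script\b/i.test(d)) found.push('script-tag');
  if (/\son[a-z]+\s*=/i.test(d)) found.push('event-handler');
  if (/(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i.test(d)) found.push('javascript-uri');
  for (const m of d.matchAll(/\s(?:id|name)\s*=\s*["']?([\w$]+)/gi)) {
    if (CLOBBER_TARGETS.has(m[1].toLowerCase())) { found.push('dom-clobbering'); break; }
  }
  return found;
}
// Run every vector through `sanitize` and compute the blocking rate plus per-category failures.
function runSuite(sanitize, vectors) {
  const failures = [];
  for (const v of vectors) {
    const reasons = survivingConstructs(sanitize(v.payload));
    if (reasons.length) failures.push({ category: v.category, reasons });
  }
  return { total: vectors.length, blocked: vectors.length - failures.length, failures };
}
// Constructed vectors, one per category named in the abstract.
const VECTORS = [
  { category: 'script-tag',     payload: '<script>probe()</script>' },
  { category: 'event-handler',  payload: '<img src=x onerror="probe()">' },
  { category: 'encoded',        payload: '<a href="&#106;avascript:probe()">x</a>' },
  { category: 'dom-clobbering', payload: '<form id="location"><input name="href"></form>' },
];
// Deliberately naive regex sanitizer standing in for a library under test: it never decodes entities
// and ignores id/name, so the encoded and clobbering vectors pass through untouched.
function naiveSanitizer(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/javascript:/gi, '');
}
```

To evaluate a real library, pass its sanitize function (for example `html => DOMPurify.sanitize(html)`) as the first argument to `runSuite` in place of `naiveSanitizer`.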



Published

2025-12-16

How to Cite

Sokolov, V., Polikovskyi, B., Vorokhob, M., & syrul, O. (2025). RESEARCH ON THE EFFECTIVENESS OF SANITIZATION LIBRARIES FOR XSS ATTACKS IN WEB APPLICATIONS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 3(31), 801–819. https://doi.org/10.28925/2663-4023.2025.31.1076
