XSS防护指南：全面防御跨站脚本攻击的最佳实践与代码示例

xss-prevention by aj-geddes/useful-ai-prompts

145 周安装量

160 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/aj-geddes/useful-ai-prompts --skill xss-prevention

Node.js Web应用安全

🇨🇳中文介绍

XSS 防护

概述

通过输入净化、输出编码、CSP 标头和安全编码实践，实现全面的跨站脚本攻击防护。

使用场景

用户生成内容显示
富文本编辑器
评论系统
搜索功能
动态 HTML 生成
模板渲染

快速开始

最小工作示例：

// xss-prevention.js
const createDOMPurify = require("dompurify");
const { JSDOM } = require("jsdom");
const he = require("he");

const window = new JSDOM("").window;
const DOMPurify = createDOMPurify(window);

class XSSPrevention {
  /**
   * HTML 实体编码 - 对文本内容最安全
   */
  static encodeHTML(str) {
    return he.encode(str, {
      useNamedReferences: true,
      encodeEverything: false,
    });
  }

  /**
   * 净化 HTML - 用于富内容
   */
  static sanitizeHTML(dirty) {
    const config = {
      ALLOWED_TAGS: [
// ... (完整实现请参阅参考指南)

参考指南

references/ 目录下的详细实现：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

指南	内容
Node.js XSS 防护	Node.js XSS 防护
Python XSS 防护	Python XSS 防护
React XSS 防护	React XSS 防护
内容安全策略	内容安全策略

🇺🇸English

XSS Prevention

Overview
When to Use
Quick Start
Reference Guides
Best Practices

Overview

Implement comprehensive Cross-Site Scripting (XSS) prevention using input sanitization, output encoding, CSP headers, and secure coding practices.

When to Use

User-generated content display
Rich text editors
Comment systems
Search functionality
Dynamic HTML generation
Template rendering

Quick Start

Minimal working example:

// xss-prevention.js
const createDOMPurify = require("dompurify");
const { JSDOM } = require("jsdom");
const he = require("he");

const window = new JSDOM("").window;
const DOMPurify = createDOMPurify(window);

class XSSPrevention {
  /**
   * HTML Entity Encoding - Safest for text content
   */
  static encodeHTML(str) {
    return he.encode(str, {
      useNamedReferences: true,
      encodeEverything: false,
    });
  }

  /**
   * Sanitize HTML - For rich content
   */
  static sanitizeHTML(dirty) {
    const config = {
      ALLOWED_TAGS: [
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Guide	Contents
Node.js XSS Prevention	Node.js XSS Prevention
Python XSS Prevention	Python XSS Prevention
React XSS Prevention	React XSS Prevention
Content Security Policy	Content Security Policy

Best Practices

✅ DO

Encode output by default
Use templating engines
Implement CSP headers
Sanitize rich content
Validate URLs
Use HTTPOnly cookies
Regular security testing
Use secure frameworks

❌ DON'T

Trust user input
Use innerHTML directly
Skip output encoding
Allow inline scripts
Use eval()
Mix contexts (HTML/JS)

Weekly Installs

103

Repository

aj-geddes/usefu…-prompts

GitHub Stars

116

First Seen

Jan 21, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode86

gemini-cli85

claude-code83

codex82

cursor78

github-copilot67