Revisiting XSS Sanitization

Explore the vulnerabilities and security challenges of online WYSIWYG editors in this Black Hat conference talk. Discover how to break the top 25 online rich-text editors powering thousands of web applications, including popular ones like TinyMCE, Jive, Froala, and CKEditor. Learn about real-world XSS bypasses on major platforms such as Twitter, Yahoo Email, Amazon, GitHub, Magento, and CNET. After demonstrating these vulnerabilities, gain insights into a practical and effective sanitizer solution based on just 11 characters and 3 regular expressions. Understand how this sanitizer can protect against XSS attacks in various contexts, including HTML, attribute, script (including JSON), style, and URL.

Revisiting XSS Sanitization