The only video on youtube that was able to explain XSS well, ty
Thank you Max for posting this, expecting more content about security.
On RUclips? Man i wish
Finally, you're the first one I hear that agrees with me who thinks that 3rd party packages may be malicious!!
A nice addition to mitigating XSS is to use the Content-Security-Policy header which will stop any javascript from executing except that code that originates on some specific web sites.
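To make the header concrete, here is an added example (not code from the video or from any commenter) that builds a Content-Security-Policy value from an allow-list of script origins, attaches it to a response object, and models, in simplified form, how the browser applies the `script-src` directive. The origin `https://cdn.example.com` and the page origin `https://app.example.com` are constructed for the example; real CSP source matching also handles wildcards, nonces and hashes, which this model deliberately leaves out.

```javascript
// Added example, not from the video or the comments. Constructed allow-list:
// the only third-party origin our scripts may be loaded from.
const ALLOWED_SCRIPT_ORIGINS = ['https://cdn.example.com'];

// Builds the header value. Inline <script> blocks and on* handlers are not
// listed ('unsafe-inline' is absent), so the browser refuses to run them.
function buildCsp(allowedScriptOrigins) {
  return [
    "default-src 'self'",
    `script-src 'self' ${allowedScriptOrigins.join(' ')}`.trim(),
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Attaches the policy to any response object with a setHeader method
// (Node's http.ServerResponse and Express's res both qualify).
function applyCsp(res) {
  res.setHeader('Content-Security-Policy', buildCsp(ALLOWED_SCRIPT_ORIGINS));
  return res;
}

// Simplified model of the browser's script-src check: host-source matching
// only, no wildcards, nonces or hashes. Returns true if the script would run.
function scriptAllowed(cspHeader, pageOrigin, { inline = false, src = null } = {}) {
  const directive = cspHeader
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('script-src'));
  const sources = directive.split(/\s+/).slice(1);

  // Inline code runs only if the policy explicitly opts back in.
  if (inline) return sources.includes("'unsafe-inline'");

  // External scripts: same origin via 'self', or an allow-listed host.
  const origin = new URL(src).origin;
  if (sources.includes("'self'") && origin === pageOrigin) return true;
  return sources
    .filter((s) => !s.startsWith("'"))
    .some((s) => new URL(s).origin === origin);
}

module.exports = { ALLOWED_SCRIPT_ORIGINS, buildCsp, applyCsp, scriptAllowed };
```

In an HTTP handler you would call `applyCsp(res)` before writing the body; the `scriptAllowed` helper is there only to show why an injected `<script src="https://attacker.example/x.js">` or an inline `onerror=` handler does nothing under this policy while `/app.js` from the page's own origin still loads.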
Thank you much for this information. ))
Max,
I certainly appreciate you posting content like this. It is extremely helpful. I was not aware of the npm sanitizeHtml package which is actually extremely helpful. This also helped me identify a couple of XSS Vulnerabilities in some software I am working on which thanks to you, I have been able to resolve.
Kudos and keep up the good work!
Thanks
You are a great teacher (legend in JS)
Thanks Max. You're doing a great job! Your Angular course is legendary!
Great video, if anyone's serving pages from the server with Node, helmet blocks all inline code out of the box (options available to make changes).
Liked it without thinking about whether it is worth it. Max is here!
Thank you max. Looking for more security topics from you 🙂
Hey, are you Maximilian Schwarzmüller? I've taken all your Udemy courses, and they are the BEST! You put a lot of passion and hard work into all your videos, keep going! :)
Thanks Max, great explanation, there is not really a complete guide over such known attacks for frontend devs out there, we highly appreciate your high quality content
Thank you Max for this video, I really like your teaching style. I have taken your Node.js, MongoDB, React, Flutter, Angular courses, love your dedication, I wish to one day become as good a developer as you are💕💕
Bro you’re amazing at explaining things and keep your explanations down to earth. Very good skills man 👍🏼
Finally a practical explanation and solution!! Thank you
Father of JavaScript 💛🤘🤘🤘
You are an inspiration to me.
Like the way you explain concepts with 💯 clarity.
12:45 is there an audit feature in PHP libraries?
This is great Max, please post more content like this!
You're my favourite instructor.
You are the best teacher in today's web dev! Are you planning to update your course to Vue 3 or are you going to create a new one?
Thank you, I'll update the existing Vue course.
Thank you, waiting for the CSRF video!
Awesome class, really helpful
Great as always, please make more security videos like this one and thank you
You are an amazing instructor
Thanx Maxi. Presently I'm going through your Node.js complete guide, then after that will go to the MongoDB complete guide. I request you to make a tutorial guide on web application security and these types of attacks. You are great and wonderful.
Good job and very useful as always. Could you explain more about securing back-end such as an API?
This was the only non-liked comment,
Yet the only relevant question.
Shows how superficial these grifters are.
If this is here then it's watered down, plain and simple.
Where is the video about cookies vs localStorage?
Which VS Code theme are you using?
This helped me earn a flag - thanks!
Very nice and well-explained. Thank you very much for this great video.
Can we also use innerContent instead of innerHTML? To what extent will that help?
I had the same doubt
Wow 2 videos at once
Thank u.
9:00
Very few code youtubers describe how to defend against these kinds of things.
People who deploy websites need this, thx
I literally love your videos bro :))
great explanation much love
Great content quality as always. Thank you, keep it up.
In some of the injection ways, they link a JavaScript file from another site; if you activate the Adblocker you might find it in the console. How can we protect against it please?
I got a popup saying XSS attack alert or something. Do I have to worry?
It's great. Keep making videos like this. Can you make some live demonstration of how an attacker can change JavaScript and redirect a user to another website? I know how to find these vulnerabilities. But how it is called a vulnerability, that's what I want to know.
Hello sir, I got your blockchain video using Python but I am having a problem: I can use input() to take input of a string in the IDLE shell but can't take string input in the terminal. Please help sir.
Awesome as usual.
Thank you for the tips Max.
wow thanks a lot that's a really useful thing to know when building some websites=)) thanks again!
Thanks for sharing. Really helpful❤
Sir, if we enable SameSite on HttpOnly cookies, you cannot steal it using XSS, please guide me if I'm right!? And as far as I know modern browsers encrypt headers, so a man-in-the-middle attack will also fail even if an HTTP strip attack is applied..
I hope you can make a full course about Web Apps Security and all vulnerabilities on web apps Max... I searched it yesterday on Academind's Udemy, but found none about it..
Got no plans on that at the moment, but never say never :)
Thank you for more information sir
That's a great one, I loved it. Can you please make videos on all types of attacks, like DDoS.. etc
XSS confuses me. Will the hacker need to hijack the server first, before injecting the script?
Sir, I took your two courses from Udemy (for React and Node, and planning to take the Express course)
You are awesome sir
You are a life changer
Love From India.
Correct me if I am wrong, PropTypes in React are also used for sanitizing the input, right!!
Thanks Max; it was helpful!!
Great explanation. Thanks for sharing!
That was a great video Max, thank you!
Thanks for these info topics, thank you so much, these kinds of topics are very rare
I was attacked before, what are the options to defend against attack?
Brilliant!! That's really helpful, thanks a lot.
Which framework are you using for running JavaScript files here?... please reply ASAP
Great explanation!!
Thanks for sharing. There are millions of malicious behaviors which are hard to imagine...
I like it very much, please do more
Very useful content.
Thanks for sharing.
Now that's what I really want to know, thank you.
Can you help me on how to handle this in the jQuery library please
Hey Max, in one of your courses you said that in VueJS you can store access-tokens in localstorage, since VueJS by default prevents XSS attacks. Do modern frameworks do this for me? I still struggle where and how to store the tokens (refresh and access tokens) from my Flask API. Can you or anyone else who knows this help me with this problem?
Yes, modern frameworks include preventive mechanisms against XSS. You can store access tokens in localStorage.
Interesting video. Thank you
Amazing. Always quality
Please make a video about CSRF
Great video. In the real world, would there ever be a situation where a script tag is not surrounded by HTML? For example in your todos example it's surrounded by a tag so the script won't run, on a blogging website you could add a script tag to a comment but most of those would be rendered with a or element as well, so in what scenario would it actually run?
I shared the post securely.
That's why enterprises use Angular: because it doesn't depend on or need any third-party packages, unlike React and Vue. When you use Angular you get full core features for building a high-performance web app, from creating the UI and manipulating the DOM, to routing, state management (using observables and services or NgRx), to handling and validating forms and sending HTTP requests, and a lot of other features like translation/internationalization etc. Using Angular is like using a platform for creating a large web app (or even mobile with Ionic). Imagine migrating your app which contains a lot of third-party packages and one of them contains malicious code or it breaks or something; this will break the whole app, so relying on third-party packages is insecure, especially for enterprise solutions. That's why I think Angular is the best frontend framework for enterprises.
You are a great person 😊 bro
Max, any plans on web security topics?
Thanks for sharing your knowledge
Great content, please consider making Ethical Hacking and Cybersecurity course!
2020: React vs Flutter, which one should be learned in this lockdown for the future (1-1.5 years to apply for a job)?
Thank you for the content.
Hey Max, can you suggest some tools to detect these types of attacks?
Hi Max. I bought a monthly subscription, and now I would ask you "Can my friend and I watch your courses from different devices using this same account simultaneously, or is this not the case?"
It's a very important video!! ❤
That's why we have to add toString() to every text field
Thank you!
Thank you so much for the video
Is there a way to get the Academind pro membership without a credit card? I'd love to become a pro member but I really don't like credit cards😅
Sorry but this is not possible at the moment.
Really informative!
But isn't this easily solved by placeholders and htmlentities?
That's client-side editable
Thanks teacher
Dude you're a god
Can you please do a separate video on web application security in detail
Wow, awesome hints :D
I really wish you did a course on Kubernetes.
That made me self conscious about all the open tabs I have..
If you are doing something serious, subscribe to this channel. Worth mentioning.
Can a CSRF token do the trick?
Thanks
Thanks boss.
Is the video a part of a course or is it just an enticing video?
It's just a single video.
Cool 🔥
XSS attack in innerHTML: dev.to/caffiendkitten/innerhtml-cross-site-scripting-agc
Yes, we really need to be careful of this innerHTML, as the book JavaScript and jQuery by Jon Duckett has already told multiple times not to use it. Really a mind opener. Frameworks like React really do a great job at securing things.
I can just do a quick run through of user data and change all " ' / { [ ... etc. to special characters in HTML.
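The "replace the special characters" idea in the comment above, the earlier question about using placeholders and htmlentities, and the question about using a text property instead of innerHTML all come down to the same two defences: escape user data before it is concatenated into markup, or assign it through `textContent` so it is never parsed as HTML at all. Here is an added example (not code from the video or from any commenter) that shows both, plus the caveat that escaping only covers HTML text and attribute contexts: a `javascript:` URL contains none of the escaped characters, so an `href` needs a scheme check instead. The comment payload and the URLs are constructed for the example; `setUserText` is a hypothetical helper name.

```javascript
// Added example, not from the video or the comments.
// The five characters that change meaning inside HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape user-supplied text so the browser renders it literally instead of parsing it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side (or template-string) rendering of a comment with both fields escaped.
// A constructed payload such as '<img src=x onerror=alert(1)>' comes out as text.
function renderComment(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Escaping does not make a link safe: 'javascript:alert(1)' has nothing to escape.
// Only allow http(s) URLs; anything else falls back to an inert '#'.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/'); // constructed base for relative URLs
  } catch (e) {
    return '#';
  }
  return ['http:', 'https:'].includes(parsed.protocol) ? escapeHtml(parsed.href) : '#';
}

// Client-side: textContent assigns a string as text, never as markup, so no
// escaping step is needed (and none can be forgotten). Hypothetical helper name.
function setUserText(element, text) {
  element.textContent = text;
  return element;
}

module.exports = { escapeHtml, renderComment, safeHref, setUserText };
```

The practical rule that falls out of this: pick the defence by output context. Text nodes and attribute values are handled by `escapeHtml` or `textContent`; URLs need `safeHref`; and a block of user-written HTML that must keep its formatting needs a real sanitizer library rather than either of these, since escaping would destroy the formatting and allow-listing tags by hand is error-prone.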