Forum Discussion

sateesh999
Contributor
6 years ago

How to prevent cross-site-scripting and XSS?

We are getting messages from unknown users like the below:

[

<img src=x onerror=prompt('xss by codejump');> 

<img src=x onerror=prompt(/securitytesting/)>

]

How to resolve this error?

How to add error validations to the rich text area of the TinyMCE editor?

Thanks in advance,

Sateesh.


6 Replies

  • luk
    Boss
    6 years ago

    sateesh999 do you have any idea how these messages are posted? TinyMCE does not allow any inline JS event handlers, they get stripped... try to post your above code, it doesn't work... but maybe if you get these messages posted via API, they are not sanitized... just a suspicion...

  • sateesh999
    Contributor
    6 years ago

    luk,

    Thanks for your response.

    No idea how they posted the scripts into our community.
    We thought that they are injected through the below steps:

    -go to https://community.xxxxx.com and login

    -Then click Start a "New Discussion"

    -Now you can see the vulnerable area "Subject"; put the XSS payload here

    "><img src=x onerror=prompt(/abdullah/)>

    -And fill in other random stuff and post, and go to All forum topics

    -XSS executed

    ===============
    And please let me know: if they injected via API, then how can we solve it?

    Regards,
    Sateesh.


  • luk
    Boss
    6 years ago

    sateesh999 I just tried your steps above and can't reproduce it; the input in the subject field gets HTML-encoded, e.g. if I look at the source it is as below:

    		<h2 itemprop="name" class="message-subject">
    			<span class="lia-message-read">
    				
    						<a class="page-link lia-link-navigation lia-custom-event" id="link_2" href="/t5/<boardid>/lt-img-src-x-onerror-prompt-alittlexss-gt/td-p/1326">
    							&lt;img src=x onerror=prompt(/alittlexss/)&gt;
    							
    						</a>
    					
    			</span>
    		</h2>

    - I posted through /t5/forums/postpage/choose-node/true, is that the same URL for you where you see the behavior?

    - Is your "view all topics" page customized by you, e.g. do you aggregate the topics by yourself via API or are you using out of the box components?

  • luk
    Boss
    6 years ago

    sateesh999 did some more digging into this and came up with another question for you: How do you render/output that "view all topics" component? Is it custom? And if so, is it rendered via JavaScript (Angular, jQuery, whatever) directly from the JSON of an API response?
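The two things luk's replies point at, the HTML encoding visible in the page source and a custom topic list that writes API JSON straight into the page, as an added example that is not code from the original thread, from TinyMCE, or from the community platform. The `escapeHtml` helper, the constructed `SAMPLE_TOPICS` array and the `/t5/board/td-p/` link shape are assumptions for illustration, not the platform's real API or markup:

```javascript
// Added example: HTML-encode an untrusted subject before it lands in markup,
// and show why a component that concatenates API JSON into HTML re-opens the hole
// even though the stock post page encodes it correctly.

// Constructed sample of what a topic-list API might return (not a real response).
// The first two subjects are the payloads quoted in the thread.
const SAMPLE_TOPICS = [
  { id: 1326, subject: "<img src=x onerror=prompt(/alittlexss/)>" },
  { id: 1327, subject: '"><img src=x onerror=prompt(/abdullah/)>' },
  { id: 1328, subject: "Plain subject & nothing else" },
];

// Entity-encode the characters that can break out of HTML text or a quoted attribute.
// Applied to the first payload this yields exactly what luk saw in the page source:
// &lt;img src=x onerror=prompt(/alittlexss/)&gt;
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the suspected custom "view all topics" component,
// building markup by string concatenation directly from the JSON fields.
function renderTopicsUnsafe(topics) {
  return topics
    .map((t) => `<a href="/t5/board/td-p/${t.id}">${t.subject}</a>`)
    .join("\n");
}

// Safe rendering: every untrusted field is encoded for the context it goes into
// (entity encoding for the text node, URL encoding for the path segment).
function renderTopicsSafe(topics) {
  return topics
    .map((t) => `<a href="/t5/board/td-p/${encodeURIComponent(t.id)}">${escapeHtml(t.subject)}</a>`)
    .join("\n");
}

// Detection check for the rendered output: does a live <img ... onerror=...> tag survive?
// Encoded output contains "&lt;img", never a real "<img", so it does not match.
function containsLiveHandler(html) {
  return /<img[^>]*\bonerror\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe has live handler:", containsLiveHandler(renderTopicsUnsafe(SAMPLE_TOPICS)));
console.log("safe has live handler:  ", containsLiveHandler(renderTopicsSafe(SAMPLE_TOPICS)));
console.log(renderTopicsSafe(SAMPLE_TOPICS));
```

In a real browser component the equivalent of `renderTopicsSafe` is to create the `<a>` element and assign the subject with `textContent` (and the link with `setAttribute`) rather than concatenating into `innerHTML`; a framework's default text binding does the same. Note that stripping event handlers in TinyMCE is a client-side convenience, not a server-side control: content posted through an API never passes through the editor, so the encoding has to happen at output, which is what the out-of-the-box page in luk's source listing already does.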