This project is not covered by Drupal’s security advisory policy.

XSS Protection

This is a simple and very useful module to protect your site from XSS attacks.

How does it work?

Many XSS attacks happen because script tags are placed in the URL, and to execute them attackers use '<' and '>' to enclose the tags. We did some extensive testing on a few of our production sites using some renowned XSS scanners, and it was difficult to plug them all. This simple fix plugged all the attacks, and it has been months since we have seen any XSS alert on any of them.

This module is not a replacement for check_plain, which should be used wherever possible in Drupal forms, but a generic URL filter to stop attackers from exploiting URLs. So, what we are doing here is sanitising suspicious cross-site GET requests.

It blocks attacks by identifying patterns in the URL such as '<', '>', '%3E', '%3C' and '%25', and hence prevents XSS injection.
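The URL check described above, re-implemented as an added Python example for illustration; this is not the module's own PHP code, and the function names, the 403 response and the request URIs used in it are constructed assumptions. It also shows why '%25' is on the list: a double-encoded '%253C' decodes to '%3C' and then to '<'.

```python
"""Stand-alone model of a GET-request URL filter that rejects tag delimiters."""
from urllib.parse import unquote

# The raw substrings the module description lists. Matching is done on the
# upper-cased URL so that "%3c" is treated the same as "%3C".
SUSPICIOUS_PATTERNS = ("<", ">", "%3C", "%3E", "%25")


def is_suspicious_url(raw_uri: str) -> bool:
    """Return True when the raw request URI contains any listed pattern."""
    upper = raw_uri.upper()
    return any(pattern in upper for pattern in SUSPICIOUS_PATTERNS)


def decodes_to_tag(raw_uri: str, max_rounds: int = 3) -> bool:
    """Percent-decode repeatedly and report whether '<' or '>' ever appears.

    This is the reason '%25' (an encoded '%') is worth blocking: the literal
    '%253C' survives one decoding pass as '%3C' and only becomes '<' on the
    second pass, so a filter that decodes once would miss it.
    """
    value = raw_uri
    for _ in range(max_rounds):
        if "<" in value or ">" in value:
            return True
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return "<" in value or ">" in value


def handle_request(raw_uri: str, message: str = "Access denied") -> tuple:
    """Constructed stand-in for the module's request hook.

    Returns (status, body): 403 with the configurable message when the URL
    is suspicious, 200 otherwise. Only the URL is inspected, so this says
    nothing about POST bodies or about output escaping (check_plain).
    """
    if is_suspicious_url(raw_uri):
        return 403, message
    return 200, "OK"


if __name__ == "__main__":
    # Constructed sample request URIs, not captured traffic.
    for uri in ("/node/1?title=%3Cscript%3E", "/search?q=100%25", "/about-us?page=2"):
        print(uri, "->", handle_request(uri))
```

Note the trade-off visible in the sample: any URL carrying a literal '%25' (an encoded percent sign, as in "100%25") is rejected as well, which is why the page recommends rewriting default paths with Pathauto.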

How to configure

  1. Download this module to sites/all/modules/contrib
  2. Enable it: /admin/modules
  3. Enable XSS Protection: /admin/config/system/xssprotection/settings
  4. Optional: Write a custom message to display to the user on the blocked page

Make sure that, for all the default URLs in your Drupal site, you replace '<', '>', '%3E' and '%3C' with a standard '-' using the Pathauto module; otherwise legitimate paths containing these characters will be blocked by the filter.
