This project is not covered by Drupal’s security advisory policy.
XSS Protection
This is a simple and very useful module to protect your site from XSS attacks.
How does it work?
Many XSS attacks rely on script tags placed in the URL, and to execute them hackers use '<' and '>' to enclose the tags. We did some extensive testing on a few of our production sites using some renowned XSS scanners, and it was difficult to plug them all. This simple fix plugged all attacks, and it has been months since we have seen any XSS alert on any of them.
This module is not a replacement for check_plain, which is intended to be used wherever possible in open Drupal forms; it is a generic URL filter to keep hackers from exploiting URLs. So, we are trying to sanitise suspicious cross-site GET requests here.
It blocks attacks by identifying patterns in the URLs such as '<', '>', '%3E', '%3C' and '%25', and hence prevents XSS injection.
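The sketch below is an added example, not the module's own code: it shows a URL filter over the patterns listed above, run on constructed request URIs, next to the output encoding that check_plain performs in Drupal 7. The function names are hypothetical, and matching the raw request URI case-insensitively is an assumption.

```php
<?php
// Added example; function names are hypothetical, not the module's API.

/**
 * Returns the first listed pattern found in the raw request URI, or NULL.
 * stripos() is used so lower-case escapes such as %3c also match
 * (an assumption; the page lists only the upper-case forms).
 */
function example_find_blocked_pattern($raw_uri) {
  // Patterns the page lists as blocked.
  $patterns = array('<', '>', '%3E', '%3C', '%25');
  foreach ($patterns as $pattern) {
    if (stripos($raw_uri, $pattern) !== FALSE) {
      return $pattern;
    }
  }
  return NULL;
}

/**
 * Output encoding equivalent to Drupal 7's check_plain().
 */
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request URIs.
$samples = array(
  '/node/12?page=2',          // ordinary request
  '/search?q=<b>term</b>',    // raw angle brackets
  '/search?q=%3Cb%3Eterm',    // percent-encoded angle brackets
  '/search?q=%253Cb%253E',    // double-encoded, caught through %25
  '/search?q=100%25+cotton',  // legitimate encoded '%' is blocked as well
);

foreach ($samples as $uri) {
  $hit = example_find_blocked_pattern($uri);
  printf("%-28s %s\n", $uri, $hit === NULL ? 'allow' : "block ($hit)");
}

// Wherever a request value is printed, it is still encoded on output.
echo example_check_plain('<b>term</b> & "more"'), "\n";
```

The last sample URI shows the cost of including '%25' in the pattern list: any URL carrying a legitimately encoded percent sign is rejected too, so the custom message shown to users matters on sites with free-text search.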
How to configure?
- Download this module to sites/all/modules/contrib
- Enable it: /admin/modules
- Enable XSS Protection: /admin/config/system/xssprotection/settings
- Optional: Write a custom message to display to the user on the page
Make sure that, for all the default URLs in your Drupal site, you are replacing '<', '>', '%3E' and '%3C' with the standard '-' using the Pathauto module.
Project information
- Maintenance fixes only
Considered feature-complete by its maintainers.
- Module categories: Security
- 556 sites report using this module
- Created by Nilesh Chhantbar on , updated
- This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
Releases
Development version: 7.x-1.x-dev updated 20 Aug 2020 at 17:10 UTC