The only video on youtube that was able to explain XSS well, ty
Thank you Max for posting this, expecting more content about security.
On UA-cam? Man, I wish
A nice addition to mitigating XSS is to use the Content-Security-Policy header which will stop any javascript from executing except that code that originates on some specific web sites.
Thank you very much for this information. ))
Finally, You're the first one I hear that agrees with me who thinks that 3rd party packages maybe malicious!!
Thanks
You are a great teacher (legend in JS)
Max,
I certainly appreciate you posting content like this. It is extremely helpful. I was not aware of the npm sanitizeHtml package, which is actually extremely helpful. This also helped me identify a couple of XSS vulnerabilities in some software I am working on which, thanks to you, I have been able to resolve.
Kudos and keep up the good work!
Like it without thinking whether it is worth it. Max is here!
Thanks Max. You're doing a great job! Your Angular course is legendary!
Great video, if anyone's serving pages from the server with Node, helmet blocks all inline code out of the box (options available to make changes).
You're my favourite instructor.
Finally a practical explanation and solution!! Thank you
Thank you max. Looking for more security topics from you 🙂
Thanks Max great explanation, there is not really a complete guide over such known attacks for frontend devs out there, we highly appreciate your high quality contacts
Father of JavaScript 💛🤘🤘🤘
This is great Max, please post more contents like this!
Bro you’re amazing at explaining things and keep your explanations down to earth. Very good skills man 👍🏼
Wow 2 videos at once
Hey, are you Maximilian Schwarzmüller? I've taken all your Udemy courses, and they are the BEST! You put a lot of passion and hard work into all your videos, keep going! :)
Thank you, waiting for the CSRF video!
Thank you Max for this video, I really like your teaching style. I have taken your Node.js, MongoDB, React, Flutter and Angular courses; love your dedication. I wish to one day become as good a developer as you are💕💕
You are an inspiration to me.
Like the way you explain concepts with 💯 clarity.
Great as always, please make more security videos like this one and thank you
You are an amazing instructor
12:45 is there an audit feature in PHP libraries?
This helped me earn a flag - thanks!
Awesome class, really helpful
Which VS Code theme are you using?
Good job and very useful as always. Could you explain more about securing back-end such as an API?
This was the only non liked comment,
Yet the only relevant question.
Shows how superficial these grifters are
If this is here then it's watered down, plain and simple.
Thanks Maxi. Presently I'm going through your Node.js complete guide, then after that will go to the MongoDB complete guide. I request you to make a tutorial guide on web application security and these types of attacks. You are great and wonderful.
That's why enterprises use Angular: it doesn't depend on or need any third-party packages, unlike React and Vue. When you use Angular you get all core features for building a high-performance web app, from creating the UI and manipulating the DOM, to routing, state management (using observables and services, or NgRx), handling and validating forms, sending HTTP requests, and a lot of other features like translation/internationalization etc. Using Angular is like using a platform for creating a large web app (or even mobile with Ionic). Imagine migrating your app which contains a lot of third-party packages and one of them contains malicious code, or it breaks or something; this will break the whole app, so relying on third-party packages is insecure, especially for enterprise solutions. That's why I think Angular is the best frontend framework for enterprises.
You are the best teacher in today's web dev! Are you planning to update your course to Vue 3 or are you going to create a new one?
Thank you, I'll update the existing Vue course.
I hope you can make a full course about web app security and all vulnerabilities on web apps, Max... I searched for it yesterday on Academind's Udemy, but found none about it..
Got no plans on that at the moment, but never say never :)
Great content quality as always. Thank you, keep it up.
Thanks for sharing. There are millions of malicious behaviors which are hard to imagine...
Sir, I took your two courses from Udemy (for React and Node, and planning to take the Express course)
You are awesome sir
You are a life changer
Love from India.
Very nice and well-explained. Thank you very much for this great video.
Where is the video about cookies vs localStorage?
I literally love your videos bro :))
great explanation much love
Can we also use innerContent, instead of innerHTML; to what extent will that help?
I had the same doubt
Thank you.
9:00
Very few code youtubers describe how to defend against these kind of things.
People who deploy websites need this, thx
Some of the injection ways: they link a JavaScript file from another site; if you activate the adblocker you might find it in the console. How can we protect against it, please?
That's why we have to add toString() to every text field
It's great. Keep making videos like this. Can you make some live demonstration of how an attacker can change JavaScript and redirect a user to another website? I know how to find these vulnerabilities. But how is it called a vulnerability? That's what I want to know.
That made me self conscious about all the open tabs I have..
I got a popup saying XSS attack alert or something. Do I have to worry?
Now that's what I really want to know, thank you.
Thank you for the tips Max.
Hi Max. I bought a monthly subscription, and now I would ask you: "Can I and my friend watch your courses from different devices using this same account simultaneously, or is this not the case?"
That was a great video Max, thank you!
If you are doing something serious, subscribe to this channel. Worth mentioning.
That's a great one, I loved it. Can you please make videos on all types of attacks, like DDoS etc.
Really informative!
But isn't this easily solved by placeholders and htmlentities?
That's client-side editable
Thanks for sharing. Really helpful❤
Thanks Max ; it was helpful!!
Great explanation. Thanks for sharing!
Hello sir, I got your blockchain video using Python but I am having a problem: I can use input() to take a string input in the IDLE shell but can't take string input in the terminal. Please help sir.
Thank you for the information sir
Wow, thanks a lot, that's a really useful thing to know when building websites =)) thanks again!
Sir, if we enable SameSite on HttpOnly cookies, you cannot steal it using XSS, please guide me if I'm right!? And as far as I know modern browsers encrypt headers, so a man-in-the-middle attack will also fail even if an HTTP strip attack is applied..
XSS confuses me. Will the hacker need to hijack the server first, before injecting the script?
Which framework are you using for running JavaScript files here? ...please reply asap
Brilliant!! That's really helpful, thanks a lot.
Max, any plan on web security topics?
Hey Max, in one of your courses you said that in VueJS you can store access-tokens in localstorage, since VueJS by default prevents XSS attacks. Do modern frameworks do this for me? I still struggle where and how to store the tokens (refresh and access tokens) from my Flask API. Can you or anyone else who knows this help me with this problem?
Yes, modern frameworks include preventive mechanism against XSS. You can store access tokens in localstorage.
Great video. In the real world, would there ever be a situation where a script tag is not surrounded by HTML? For example in your todos example it's surrounded by a tag so the script won't run, on a blogging website you could add a script tag to a comment but most of those would be rendered with a or element as well, so in what scenario would it actually run?
Please make a video about CSRF
Correct me if I am wrong, prop types in React are also used for sanitizing the input, right!!
Hey Max, can you suggest some tools to detect these types of attacks.
Awesome as usual.
Thanks for this info, thank you so much, this kind of topic is very rare
2020: React vs Flutter, which one should be learned in this lockdown for the future (1-1.5 years to apply for a job)?
Very useful content.
Thanks for sharing.
Great content, please consider making Ethical Hacking and Cybersecurity course!
I shared the post securely.
Thanks for sharing your knowledge
I was attacked before, what are the options to defend against attack?
I like it very much please do more
I really wish you did a course on Kubernetes.
Interesting video. Thank you
Great explanation!!
Is there a way to get the Academind pro membership without a credit card? I'd love to become a pro member but I really don't like credit cards😅
Sorry but this is not possible at the moment.
Yes, we really need to be careful with innerHTML, as the book JavaScript and jQuery by Jon Duckett has already said multiple times not to use it. Really a mind opener. Frameworks like React do a really great job at securing things.
You are a great person 😊 bro
Can you help me on how to handle it in the jQuery library please
Can you please do a separate video on web application security in detail
Thank you so much for the video
Thank you for content.
Thanks teacher
Xss attack in innerHTML : dev.to/caffiendkitten/innerhtml-cross-site-scripting-agc
Is the video a part of a course or is it just an enticing video?
It's just a single video.
I can just do a quick run through of user data and change all " ' / { [ ... etc. to special characters in HTML.
Thank you!
PHP. htmlspecialchars(). That's it.
amazing. always quality
It's a very important video !! ❤
Thanks
Dude you're a god
My friend found one for my school testing site lmaooo
alert("Thanks!");
Can csrf token do the trick?