{"id":13635820,"url":"https://github.com/openresty/xss-nginx-module","last_synced_at":"2025-04-19T04:31:33.938Z","repository":{"id":786292,"uuid":"481928","full_name":"openresty/xss-nginx-module","owner":"openresty","description":"Native support for cross-site scripting (XSS) in an nginx","archived":false,"fork":false,"pushed_at":"2023-11-23T11:42:30.000Z","size":183,"stargazers_count":147,"open_issues_count":5,"forks_count":42,"subscribers_count":25,"default_branch":"master","last_synced_at":"2024-02-13T09:08:46.747Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openresty.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2010-01-21T09:47:21.000Z","updated_at":"2024-02-11T11:16:47.000Z","dependencies_parsed_at":"2024-01-13T07:24:04.312Z","dependency_job_id":"1b4663b8-6930-4043-a5bc-8c9f3a955201","html_url":"https://github.com/openresty/xss-nginx-module","commit_stats":{"total_commits":84,"total_committers":4,"mean_commits":21.0,"dds":0.08333333333333337,"last_synced_commit":"be9a4c473b76f1cb9898afb47e68e4b677b69025"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openresty%2Fxss-nginx-module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openresty%2Fxss-nginx-module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openresty%2Fxss-nginx-module/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openresty%2Fxs
s-nginx-module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openresty","download_url":"https://codeload.github.com/openresty/xss-nginx-module/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249606363,"owners_count":21298851,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T00:00:52.491Z","updated_at":"2025-04-19T04:31:33.928Z","avatar_url":"https://github.com/openresty.png","language":"C","funding_links":[],"categories":["Modules","Third Modules","Third Party Modules"],"sub_categories":["C Modules"],"readme":"Name\n====\n\nxss-nginx-module - Native cross-site scripting support in nginx\n\nTable of Contents\n=================\n\n* [Name](#name)\n* [Synopsis](#synopsis)\n* [Description](#description)\n* [Directives](#directives)\n    * [xss_get](#xss_get)\n    * [xss_callback_arg](#xss_callback_arg)\n    * [xss_override_status](#xss_override_status)\n    * [xss_check_status](#xss_check_status)\n    * [xss_input_types](#xss_input_types)\n* [Limitations](#limitations)\n* [Trouble Shooting](#trouble-shooting)\n* [Installation](#installation)\n* [Compatibility](#compatibility)\n* [TODO](#todo)\n* [Author](#author)\n* [Copyright \u0026 License](#copyright--license)\n* [See Also](#see-also)\n\nSynopsis\n========\n\n```nginx\n# accessing /foo?callback=process gives the response\n# body \"process(...);\" (without quotes) where \"...\"\n# is the original response body of the /foo location.\nserver {\n    location /foo {\n        # your content handler goes 
here...\n\n        xss_get on;\n        xss_callback_arg 'callback';\n        xss_input_types 'application/json'; # default\n        xss_output_type 'application/x-javascript'; # default\n    }\n    ...\n}\n```\n\nDescription\n===========\n\nThis module adds cross-site AJAX support to nginx. Currently only\ncross-site GET is supported. But cross-site POST will be added\nin the future.\n\nThe cross-site GET is currently implemented as JSONP\n(or \"JSON with padding\"). See http://en.wikipedia.org/wiki/JSON#JSONP\nfor more details.\n\nDirectives\n==========\n\n[Back to TOC](#table-of-contents)\n\nxss_get\n-------\n**syntax:** *xss_get on | off*\n\n**default:** *xss_get off*\n\n**context:** *http, server, location, if location*\n\nEnables JSONP support for GET requests.\n\n[Back to TOC](#table-of-contents)\n\nxss_callback_arg\n----------------\n**syntax:** *xss_callback_arg \u0026lt;name\u0026gt;*\n\n**default:** *none*\n\n**context:** *http, http, location, if location*\n\nSpecifies the JavaScript callback function name\nused in the responses.\n\nFor example,\n\n```nginx\nlocation /foo {\n    xss_get on;\n    xss_callback_arg c;\n    ...\n}\n```\n\nthen\n\n```\nGET /foo?c=blah\n```\n\nreturns\n\n```javascript\nblah(...);\n```\n\n[Back to TOC](#table-of-contents)\n\nxss_override_status\n-------------------\n**syntax:** *xss_override_status on | off*\n\n**default:** *xss_check_status on*\n\n**context:** *http, server, location, if location*\n\nSpecifies whether to override 30x, 40x and 50x status to 200\nwhen the response is actually being processed.\n\n[Back to TOC](#table-of-contents)\n\nxss_check_status\n-----------------\n**syntax:** *xss_check_status on | off*\n\n**default:** *xss_check_status on*\n\n**context:** *http, server, location, if location*\n\nBy default, ngx_xss only processes responses with the status code\n200 or 201.\n\n[Back to TOC](#table-of-contents)\n\nxss_input_types\n---------------\n**syntax:** *xss_input_types [mime-type]...*\n\n**default:** 
*xss_input_types application/json*\n\n**context:** *http, server, location, if location*\n\nOnly processes the responses of the specified MIME types.\n\nExample:\n\n```nginx\nxss_input_types application/json text/plain;\n```\n\n[Back to TOC](#table-of-contents)\n\nLimitations\n===========\n\n* ngx_xss will not work with [ngx_echo](https://github.com/openresty/echo-nginx-module)'s\nsubrequest interfaces, due to the underlying\nlimitations imposed by subrequests' \"postponed chain\" mechanism in the nginx core.\nThe standard ngx_addition module also falls into this category.  You're recommended,\nhowever, to use [ngx_lua](https://github.com/openresty/lua-nginx-module) as the content\nhandler to issue subrequests *and* ngx_xss\nto do JSONP, because [ngx_lua](https://github.com/openresty/lua-nginx-module)'s\n[ngx.location.capture()](https://github.com/openresty/lua-nginx-module#ngxlocationcapture)\ninterface does not utilize the \"postponed chain\" mechanism, thus getting out of this\nlimitation. We're taking this approach in production and it works great.\n\n[Back to TOC](#table-of-contents)\n\nTrouble Shooting\n================\n\nUse the \"info\" error log level (or lower) to get more\ndiagnostics when things go wrong.\n\n[Back to TOC](#table-of-contents)\n\nInstallation\n============\n\nYou're recommended to install this module (as well as the Nginx core and many other goodies) via the [OpenResty bundle](http://openresty.org). See [the detailed instructions](http://openresty.org/#Installation) for downloading and installing OpenResty into your system. 
This is the easiest and safest way to set things up.\n\nAlternatively, you can install this module manually with the Nginx source:\n\nGrab the nginx source code from [nginx.org](http://nginx.org/), for example,\nthe version 1.13.6 (see [nginx compatibility](#compatibility)), and then build the source with this module:\n\n```bash\n\n $ wget 'http://nginx.org/download/nginx-1.13.6.tar.gz'\n $ tar -xzvf nginx-1.13.6.tar.gz\n $ cd nginx-1.13.6/\n\n # Here we assume you would install your nginx under /opt/nginx/.\n $ ./configure --prefix=/opt/nginx \\\n     --add-module=/path/to/xss-nginx-module\n # Or\n     --add-dynamic-module=../xss-nginx-module\n\n $ make -j2\n $ make install\n```\n\nDownload the latest version of the release tarball of this module from [xss-nginx-module file list](https://github.com/openresty/xss-nginx-module/tags).\n\nAlso, this module is included and enabled by default in the [OpenResty bundle](http://openresty.org).\n\n[Back to TOC](#table-of-contents)\n\nCompatibility\n=============\n\nThe following versions of Nginx should work with this module:\n\n* **1.13.x** (last tested: 1.13.6)\n* **1.12.x**\n* **1.11.x** (last tested: 1.11.2)\n* **1.10.x**\n* **1.9.x** (last tested: 1.9.7)\n* **1.8.x**\n* **1.7.x** (last tested: 1.7.10)\n* **1.6.x**\n* **1.5.x**\n* **1.4.x** (last tested: 1.4.3)\n* **1.2.x** (last tested: 1.2.9)\n* **1.0.x** (last tested: 1.0.10)\n* **0.9.x** (last tested: 0.9.4)\n* **0.8.x** (last tested: 0.8.54)\n* **0.7.x** \u003e= 0.7.30 (last tested: 0.7.67)\n\nEarlier versions of Nginx like 0.6.x and 0.5.x will *not* work.\n\nIf you find that any particular version of Nginx above 0.7.30 does not\nwork with this module, please consider reporting a bug.\n\n[Back to TOC](#table-of-contents)\n\nTODO\n====\n\n* add cross-site POST support.\n\n[Back to TOC](#table-of-contents)\n\nAuthor\n======\n\nYichun \"agentzh\" Zhang (章亦春) \u0026lt;agentzh@gmail.com\u0026gt;\n\n[Back to TOC](#table-of-contents)\n\nCopyright \u0026 
License\n===================\n\nThe implementation of the builtin connection pool has borrowed\na lot of code from Maxim Dounin's upstream_keepalive module.\nThis part of code is copyrighted by Maxim Dounin.\n\nThis module is licenced under the BSD license.\n\nCopyright (C) 2009-2018 by Yichun \"agentzh\" Zhang (章亦春) \u0026lt;agentzh@gmail.com\u0026gt; OpenResty Inc.\n\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n* Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n* Redistributions in binary form must reproduce the above copyright\nnotice, this list of conditions and the following disclaimer in the\ndocumentation and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n[Back to TOC](#table-of-contents)\n\nSee Also\n========\n\n* [Introduction to JSONP](http://en.wikipedia.org/wiki/JSONP)\n* [ngx_lua](https://github.com/openresty/lua-nginx-module)\n\n[Back to TOC](#table-of-contents)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenresty%2Fxss-nginx-module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenresty%2Fxss-nginx-module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenresty%2Fxss-nginx-module/lists"}