Learn how to sanitize messages to prevent a cross-site scripting attack

A client-side script injected into a message can lead to a cross-site scripting (XSS) attack when the recipient's browser renders it. The XSS Filter Extension helps you sanitize such messages.

This is applicable only for the Web SDK.


  1. Login to the CometChat Dashboard and select your app.
  2. On the Extensions page simply add the XSS Filter extension.
  3. On the Installed page you can go to Settings and choose to Drop messages with XSS Scripts.

How does it work?

Once the extension has been enabled from the Dashboard, recipients will receive metadata with the filtered message. Here is a sample response:

"@injected": {
  "extensions": {
    "xss-filter": {
      "hasXSS": "yes"|"no",
      "sanitized_message": <message>
    }
  }
}

If the data is missing, it means that the extension has timed out.


At the recipients' end, from the message object, you can fetch the metadata by calling the getMetadata() method. Using this metadata, you can fetch the sanitized message.

var metadata = message.getMetadata();
if (metadata != null) {
  var injectedObject = metadata["@injected"];
  if (injectedObject != null && injectedObject.hasOwnProperty("extensions")) {
    var extensionsObject = injectedObject["extensions"];
    if (extensionsObject != null && extensionsObject.hasOwnProperty("xss-filter")) {
      var xssFilterObject = extensionsObject["xss-filter"];
      // "yes" if the extension found script content in the message, otherwise "no"
      var hasXSS = xssFilterObject["hasXSS"];
      // The message with the script content removed; render this instead of the original text
      var sanitized_message = xssFilterObject["sanitized_message"];
    }
  }
}
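The snippet above only extracts the fields; the following added example (not CometChat's own code) turns that into a small decision function that returns what the recipient's UI should render. It covers both the `hasXSS` "yes"/"no" cases and the case described earlier where the metadata is missing because the extension timed out: in that case the message is treated as untrusted and escaped locally rather than rendered raw. It assumes the message object exposes `getMetadata()` (as on this page) and a `getText()` accessor for the original text; the sample messages and the sanitized values are constructed for illustration, not real extension output.

```javascript
// Added example, not part of the CometChat SDK or documentation.
// Assumes message.getMetadata() (from the page) and message.getText() (assumption).

// Local HTML escaping, used as the fallback when the extension's metadata is absent
// (extension timed out) so that raw message text is never rendered as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns the "xss-filter" block from metadata["@injected"]["extensions"], or null
// when any level of that structure is missing.
function getXssFilterResult(message) {
  const metadata = message.getMetadata();
  if (metadata == null) return null;
  const injected = metadata["@injected"];
  if (injected == null || !Object.prototype.hasOwnProperty.call(injected, "extensions")) return null;
  const extensions = injected["extensions"];
  if (extensions == null || !Object.prototype.hasOwnProperty.call(extensions, "xss-filter")) return null;
  return extensions["xss-filter"];
}

// Decides what to render. Returns { text, source } where source is one of
// "sanitized" (extension flagged the message), "original" (extension cleared it)
// or "escaped-fallback" (no extension data, so we escape locally).
function textToRender(message) {
  const result = getXssFilterResult(message);
  if (result == null) {
    // Extension timed out: do not trust the raw text.
    return { text: escapeHtml(message.getText()), source: "escaped-fallback" };
  }
  if (result["hasXSS"] === "yes") {
    return { text: result["sanitized_message"], source: "sanitized" };
  }
  return { text: message.getText(), source: "original" };
}

// Constructed stand-in for an SDK message object with the metadata shape shown on the page.
// Passing no xssFilter argument simulates the extension having timed out.
function makeMessage(text, xssFilter) {
  const metadata = xssFilter === undefined
    ? null
    : { "@injected": { "extensions": { "xss-filter": xssFilter } } };
  return {
    getText: () => text,
    getMetadata: () => metadata,
  };
}

// Constructed samples (the sanitized_message values are illustrative, not real extension output).
const flagged = makeMessage("hello <script>x()</script>", {
  hasXSS: "yes",
  sanitized_message: "hello ",
});
const clean = makeMessage("hello there", { hasXSS: "no", sanitized_message: "hello there" });
const timedOut = makeMessage("<b>no metadata</b>");

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  for (const m of [flagged, clean, timedOut]) {
    console.log(textToRender(m));
  }
}
```

The fallback branch is the important design choice: because a missing `@injected` block only means the extension did not answer in time, the client cannot assume the message is clean, so it escapes the text itself instead of rendering it as HTML.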

As mentioned earlier, this XSS risk only applies to the web, so the mobile platforms do not require you to fetch the sanitized message.

