[WEB SECURITY] Does using the HTML escape characters prevent the XSS attacks?

Jim Manico jim at manico.net
Fri Jun 11 15:59:46 EDT 2010


> HTML Encode the output when it's displayed back to the user.

Nooo - you mean *contextually encode* your output (which might be CSS 
encoding, JS encoding, etc.).

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 
describes non-AJAX/JS encoding contexts well. One of our OWASP 
volunteers is updating the DOM-based XSS material as we speak. :)

- Jim
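
Added example (not from Jim's message or the OWASP cheat sheet it links): Python encoders for the contexts Jim distinguishes, showing where HTML entity encoding alone stops working. The function names and the URL scheme allowlist are the example's own.

```python
import html
import re
from urllib.parse import urlsplit

# Context-specific output encoders. The point Jim makes: HTML entity encoding
# is only correct for the HTML body/attribute context; other sinks need their
# own encoder (JavaScript string, URL), and some need two applied in order.

def encode_html(value: str) -> str:
    """HTML body or quoted-attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """JavaScript string-literal context: every non-alphanumeric character
    becomes \\xHH or \\uHHHH, so no quote, backslash, newline or < survives."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)

# Constructed allowlist for this example; a real application picks its own.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}

def safe_href(value: str) -> str:
    """URL attribute context (href/src): validate the scheme first, then
    HTML-attribute-encode. A dangerous scheme contains no characters that
    HTML encoding touches, so encoding alone changes nothing about it."""
    # Browsers drop ASCII tab/CR/LF before URL parsing; mirror that first.
    cleaned = re.sub(r"[\t\r\n]", "", value.strip())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"  # refuse the value instead of trying to encode it
    return encode_html(cleaned)

def event_handler_attr(value: str) -> str:
    """onclick="f('...')" context: the browser HTML-decodes the attribute
    before the JS engine parses it, so JS-encode first, then HTML-encode."""
    return encode_html(encode_js_string(value))

def browser_view_of_attr(encoded: str) -> str:
    """What the JS engine receives from an attribute value: the HTML-decoded
    text. Shows why HTML encoding alone is undone in this context."""
    return html.unescape(encoded)
```

Run `browser_view_of_attr(encode_html("');run('"))` and the quotes come back intact, which is exactly the case HTML encoding alone does not cover.
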
> I'll agree with Jack and take it one step further.
>
> A) Whitelist your input (Only accept characters that are absolutely 
> essential for the expected data, i.e. you don't need " or < or > for a 
> field that expects a name or zip code...)
>
> B) HTML Encode the output when it's displayed back to the user.
>
> ------------------------------------------------------------------------
> Date: Fri, 11 Jun 2010 12:53:11 -0400
> From: jack.a.mannino at gmail.com
> To: supercodeing35271 at gmail.com
> CC: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Does using the HTML escape characters 
> prevent the XSS attacks?
>
> Not entirely.  
>
> Rather than write at length about something that's already been 
> written about in great detail, I'd recommend you read the OWASP XSS 
> Prevention Cheat Sheet.  It answers most of the questions you would 
> likely have at this point.  Here is the link:
>
> http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
> -Jack
>
> On Fri, Jun 11, 2010 at 12:27 PM, supercodeing35271 supercodeing35271 
> <supercodeing35271 at gmail.com> wrote:
>
>     I am new to learning about cross-site scripting. I have a query: if
>     we change the input by using the HTML escape characters (like changing
>     '<' into '&lt;'), could it counter the XSS attacks completely?
>
>     ----------------------------------------------------------------------------
>     Join us on IRC: irc.freenode.net #webappsec
>
>     Have a question? Search The Web Security Mailing List Archives:
>     http://www.webappsec.org/lists/websecurity/archive/
>
>     Subscribe via RSS:
>     http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>     To unsubscribe email websecurity-unsubscribe at webappsec.org and
>     reply to
>     the confirmation email
>
>     Join WASC on LinkedIn
>     http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
>
> ------------------------------------------------------------------------
> Hotmail is redefining busy with tools for the New Busy. Get more from 
> your inbox. See how. 
> <http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_2>
