XSS Experimental Minimal Encoding Rules

From OWASP
Jump to: navigation, search

The following examples demonstrate experimental minimal encoding rules for XSS prevention.

Context Code Sample Rules
JavaScript, quoted string in a script block <script>alert("Hello "+"<%= UNTRUSTED DATA %>");</script>
  • Use these escapes: \\ \r \n \b \t \f \' \" \/
  • For any other character in range 0..0x19, use hex escapes
  • If using non-Unicode charset, any character above 0x7e, use '\u' encoding
JavaScript, quoted string in an event handler attribute onclick="alert('<%= UNTRUSTED DATA %>')";
  • Use these escapes: \\ \r \n \b \t \f
  • Use hex escapes for these characters: ' " &
  • For any other character in range 0..0x19, use hex escapes
  • If using non-Unicode charset, any character above 0x7e, use '\u' encoding
HTML Body (up to HTML 4.01): <div><%= UNTRUSTED DATA %></div>
  • HTML Entity encode < &
  • specify charset in metatag to avoid UTF7 XSS
XHTML Body: <div><%= UNTRUSTED DATA %></div>
Retrieved from "https://wiki.owasp.org/index.php?title=XSS_Experimental_Minimal_Encoding_Rules&oldid=135930"