Jmanico: Created page with "The following examples demonstrate experimental minimal encoding rules for XSS prevention. {| class="wikitable nowraplinks" |- ! Context ! Code Sample ! Rules |- | JavaScrip..."

2012-09-16T17:46:25Z

Created page with "The following examples demonstrate experimental minimal encoding rules for XSS prevention. {| class="wikitable nowraplinks" |- ! Context ! Code Sample ! Rules |- | JavaScrip..."

New page

The following examples demonstrate experimental minimal encoding rules for XSS prevention.

{| class="wikitable nowraplinks"
|-
! Context
! Code Sample
! Rules
|-
| JavaScript, quoted string in a script block
| <script>alert("Hello "+"<%= <span style="color:red;">UNTRUSTED DATA</span> %>");</script>
| <ul><li>Use these escapes: \\ \r \n \b \t \f \' \" \/</li><li>For any other character in range 0..0x19, use hex escapes</li><li>If using non-Unicode charset, any character above 0x7e, use '\u' encoding</li></ul>
|-
| JavaScript, quoted string in an event handler attribute
| onclick="alert('<%= <span style="color:red;">UNTRUSTED DATA</span> %>')";
| <ul><li>Use these escapes: \\ \r \n \b \t \f</li><li>Use hex escapes for these characters: ' " &</li><li>For any other character in range 0..0x19, use hex escapes</li><li>If using non-Unicode charset, any character above 0x7e, use '\u' encoding</li></ul>
|-
| HTML Body (up to HTML 4.01):
| <div><%= <span style="color:red;">UNTRUSTED DATA</span> %></div>
| <ul><li>HTML Entity encode < &</li><li>specify charset in metatag to avoid UTF7 XSS</li></ul>
|-
| <b>X</b>HTML Body:
| <div><%= <span style="color:red;">UNTRUSTED DATA</span> %></div>
| <ul><li>HTML Entity encode < & ></li><li>limit input to charset http://www.w3.org/TR/2008/REC-xml-20081126/#charsets</li></ul>
|-
|}

XSS Experimental Minimal Encoding Rules - Revision history

Jmanico: Created page with "The following examples demonstrate experimental minimal encoding rules for XSS prevention. {| class="wikitable nowraplinks" |- ! Context ! Code Sample ! Rules |- | JavaScrip..."