This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Abridged XSS Prevention Cheat Sheet"
From OWASP
m (→XSS Prevention) |
m (→XSS Prevention) |
||
| Line 9: | Line 9: | ||
! Data Type | ! Data Type | ||
! Context | ! Context | ||
| + | ! Code Sample | ||
! Defense | ! Defense | ||
| − | |||
|- | |- | ||
| Numeric, Type safe language | | Numeric, Type safe language | ||
| Any Context | | Any Context | ||
| + | | | ||
| Cast to Numeric | | Cast to Numeric | ||
| − | |||
|- | |- | ||
| String | | String | ||
| HTML Body | | HTML Body | ||
| + | | <span><span style="color:red;">UNTRUSTED DATA</span></span> | ||
| [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content HTML Entity Encoding] | | [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content HTML Entity Encoding] | ||
| − | |||
|- | |- | ||
| String | | String | ||
| HTML Attribute, quoted | | HTML Attribute, quoted | ||
| + | | <span id="<span style="color:red;">UNTRUSTED DATA</span>"></span> | ||
| HTML Entity Encode single and double quotes | | HTML Entity Encode single and double quotes | ||
| − | |||
|- | |- | ||
| String | | String | ||
| HTML Attribute, unquoted | | HTML Attribute, unquoted | ||
| + | | <span id=<span style="color:red;">UNTRUSTED DATA</span>></span> | ||
| [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding] | | [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding] | ||
| − | |||
|- | |- | ||
| String | | String | ||
| GET Parameter | | GET Parameter | ||
| + | | <a href="/site/search?value=<span style="color:red;">UNTRUSTED DATA</span>">clickme</a> | ||
| [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values URL Encoding] | | [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values URL Encoding] | ||
| − | |||
|- | |- | ||
| String | | String | ||
| Untrusted URL rendered in an HREF tag (or equivalent) | | Untrusted URL rendered in an HREF tag (or equivalent) | ||
| + | | <a href="<span style="color:red;">UNTRUSTED DATA</span>">clickme</a> | ||
| URL Validation<br/>reject javascript: URL’s<br/>Whitelist http, https and other safe URL types<br/>Attribute encoding<br/>safe URL verification | | URL Validation<br/>reject javascript: URL’s<br/>Whitelist http, https and other safe URL types<br/>Attribute encoding<br/>safe URL verification | ||
| − | |||
|- | |- | ||
| String | | String | ||
| CSS | | CSS | ||
| + | | <div style="width: <span style="color:red;">UNTRUSTED DATA</span>;">Selection</div> | ||
| [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values Strict structural validation, CSS Hex encoding, good design] | | [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values Strict structural validation, CSS Hex encoding, good design] | ||
| − | |||
|- | |- | ||
| HTML Text | | HTML Text | ||
| HTML Body | | HTML Body | ||
| + | | | ||
| [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Use_an_HTML_Policy_engine_to_validate_or_clean_user-driven_HTML_in_an_outbound_way HTML Validation (JSoup, AnMSamy, HTML Sanitizer)] | | [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Use_an_HTML_Policy_engine_to_validate_or_clean_user-driven_HTML_in_an_outbound_way HTML Validation (JSoup, AnMSamy, HTML Sanitizer)] | ||
|- | |- | ||
| String | | String | ||
| DOM XSS | | DOM XSS | ||
| + | | | ||
| [[DOM_based XSS Prevention Cheat Sheet]] | | [[DOM_based XSS Prevention Cheat Sheet]] | ||
|} | |} | ||
Revision as of 08:46, 15 November 2011
Introduction
The following table briefly describes how to defeat Cross Site Scripting in a variety of different contexts.
XSS Prevention
| Data Type | Context | Code Sample | Defense |
|---|---|---|---|
| Numeric, Type safe language | Any Context | Cast to Numeric | |
| String | HTML Body | <span>UNTRUSTED DATA</span> | HTML Entity Encoding |
| String | HTML Attribute, quoted | <span id="UNTRUSTED DATA"></span> | HTML Entity Encode single and double quotes |
| String | HTML Attribute, unquoted | <span id=UNTRUSTED DATA></span> | Aggressive HTML Entity Encoding |
| String | GET Parameter | <a href="/site/search?value=UNTRUSTED DATA">clickme</a> | URL Encoding |
| String | Untrusted URL rendered in an HREF tag (or equivalent) | <a href="UNTRUSTED DATA">clickme</a> | URL Validation reject javascript: URL’s Whitelist http, https and other safe URL types Attribute encoding safe URL verification |
| String | CSS | <div style="width: UNTRUSTED DATA;">Selection</div> | Strict structural validation, CSS Hex encoding, good design |
| HTML Text | HTML Body | HTML Validation (JSoup, AnMSamy, HTML Sanitizer) | |
| String | DOM XSS | DOM_based XSS Prevention Cheat Sheet |
Related Articles
OWASP Cheat Sheets Project Homepage
Authors and Primary Editors
Jim Manico - jim [at] owasp.org
