This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

From OWASP
m
m (XSS Prevention Overview)
Line 16: Line 16:
 
| "safe" HTML Attributes
 
| "safe" HTML Attributes
 
| &lt;input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
 
| &lt;input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
| <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)</li><li>Only place untrusted data into a whitelist of safe attributes</li><li>Strictly validate unsafe attributes such as background, id and name.</ul>
+
| <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)</li><li>Only place untrusted data into a whitelist of safe attributes white include: type*,accesskey*,align,alink,alt,bgcolor,border,cellpadding,cellspacing,class,color,cols,colspan,coords,dir,face,height,hspace,ismap,lang,marginheight,marginwidth,multiple,nohref,noresize,noshade,nowrap,ref,rel,rev,rows,rowspan,scrolling,shape,span,summary,tabindex,target*,title,usemap,valign,value,vlink,vspace,width
 +
</li><li>Strictly validate unsafe attributes such as background, id and name.</ul>
 
|-
 
|-
 
| String
 
| String
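Review bot: the added third list item reads "a whitelist of safe attributes white include:", which should be "which include:", and the new text splits that `<li>` across two source lines with a bare `+` line between them, so the closing `</li><li>Strictly validate ...` lands on its own line; keep the whole `<li>…</li>` on one line to avoid a stray break inside the list item. The asterisks on `type*`, `accesskey*` and `target*` are not explained anywhere in the hunk; a short note saying what the marker means (or a link to the rule it refers to) belongs next to the list. Separately, the last item `<li>Strictly validate unsafe attributes such as background, id and name.</ul>` has no `</li>` before `</ul>`, in both the old and the new text.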

Revision as of 11:27, 16 November 2011

XSS Prevention Overview

Columns: Data Type | Context | Code Sample | Defense

Data Type: String
Context: HTML Body
Code Sample: <span>UNTRUSTED DATA</span>

Data Type: String
Context: "safe" HTML Attributes
Code Sample: <input type="text" name="fname" value="UNTRUSTED DATA">
Defense:
  • Aggressive HTML Entity Encoding
  • Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)
  • Only place untrusted data into a whitelist of safe attributes, which include: type*, accesskey*, align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, target*, title, usemap, valign, value, vlink, vspace, width
  • Strictly validate unsafe attributes such as background, id and name.

Data Type: String
Context: GET Parameter
Code Sample: <a href="/site/search?value=UNTRUSTED DATA">clickme</a>

Data Type: String
Context: Untrusted URL rendered in an HREF tag (or other HTML link context)
Code Sample:
  <a href="UNTRUSTED DATA">clickme</a>
  <iframe src="UNTRUSTED DATA" />
Defense:
  • Canonicalize input
  • URL Validation
  • Safe URL verification
  • Whitelist http and https URLs only
  • Attribute encoder

Data Type: String
Context: CSS
Code Sample: <div style="width: UNTRUSTED DATA;">Selection</div>

Data Type: String
Context: JavaScript
Code Sample: <script>var currentValue='UNTRUSTED DATA';</script>
Defense:
  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or \\)

Data Type: String
Context: HTML Comment
Code Sample: <!-- UNTRUSTED DATA-->
Defense: TODO

Data Type: String
Context: JavaScript Comment
Code Sample: /* UNTRUSTED DATA */
Defense: TODO

Data Type: HTML Text
Context: HTML Body
Code Sample: <span>UNTRUSTED HTML</span>

Data Type: String
Context: DOM XSS
Code Sample: TODO

Data Type: String
Context: AJAX/JSON Parsing
Code Sample: TODO
Defense:
  • Use JSON.parse or the json2.js library to parse JSON
  • Avoid parsing JSON with eval()

Data Type: String
Context: AJAX/XML Parsing
Code Sample: TODO
Defense: TODO
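As an added example that is not part of the cheat sheet or of any OWASP library, the following Python puts the defences listed above for the attribute, JavaScript and link contexts into working code: aggressive entity encoding behind the page's safe-attribute whitelist, \xHH/\uHHHH JavaScript encoding instead of backslash escaping, and canonicalization plus an http/https-only scheme whitelist before a URL is attribute-encoded into an href. All function names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Attribute names the cheat sheet lists as safe targets for (encoded) untrusted
# data. The three the page marks with an asterisk (type, accesskey, target) are
# left out of this set because the page does not say what the asterisk means.
SAFE_ATTRIBUTES = frozenset(
    "align alink alt bgcolor border cellpadding cellspacing class color cols "
    "colspan coords dir face height hspace ismap lang marginheight marginwidth "
    "multiple nohref noresize noshade nowrap ref rel rev rows rowspan scrolling "
    "shape span summary tabindex title usemap valign value vlink vspace width".split()
)

def encode_html_attribute(s: str) -> str:
    """Aggressive entity encoding: everything except ASCII [A-Za-z0-9] becomes &#xHH;."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in s)

def render_attribute(name: str, untrusted: str) -> str:
    """Emit name="..." only for whitelisted names; id, name, background and event
    handlers are refused because they stay dangerous even when escaped."""
    if name.lower() not in SAFE_ATTRIBUTES:
        raise ValueError(f"attribute {name!r} is not in the safe-attribute whitelist")
    return f'{name}="{encode_html_attribute(untrusted)}"'

def encode_js_string(s: str) -> str:
    """JavaScript string-literal encoding: \\xHH below U+0100, \\uHHHH above.
    Backslash escaping (\\" \\' \\\\) is avoided: the HTML parser runs first and still
    sees the quote, and a supplied backslash can neutralise the one the escaper adds."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)

def is_safe_url(url: str) -> bool:
    """Canonicalize (drop surrounding whitespace and embedded control characters,
    which browsers ignore inside a scheme), then whitelist http/https only."""
    canonical = "".join(c for c in url.strip() if ord(c) > 0x1F)
    return urlsplit(canonical).scheme.lower() in ("http", "https")

def render_link(untrusted_url: str, text: str) -> str:
    """Validate the URL first, then attribute-encode it before placing it in href."""
    if not is_safe_url(untrusted_url):
        raise ValueError("URL rejected: only absolute http/https URLs are allowed")
    return f'<a href="{encode_html_attribute(untrusted_url)}">{text}</a>'
```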