Revision as of 11:28, 16 November 2011

XSS Prevention Overview

Data Type	Context	Code Sample	Defense
String	HTML Body	<span>UNTRUSTED DATA</span>	HTML Entity Encoding
String	"safe" HTML Attributes	<input type="text" name="fname" value="UNTRUSTED DATA">	Aggressive HTML Entity Encoding Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped) Only place untrusted data into a whitelist of safe attributes white include: type, accesskey, align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, target*, title, usemap, valign, value, vlink, vspace, width Strictly validate unsafe attributes such as background, id and name.
String	GET Parameter	<a href="/site/search?value=UNTRUSTED DATA">clickme</a>	URL Encoding
String	Untrusted URL rendered in an HREF tag (or other HTML link context)	<a href="UNTRUSTED DATA">clickme</a> <iframe src="UNTRUSTED DATA" />	Cannonicalize input URL Validation Safe URL verification Whitelist http and https URL's only Attribute encoder
String	CSS	<div style="width: UNTRUSTED DATA;">Selection</div>	Strict structural validation CSS Hex encoding good design of CSS Features
String	JavaScript	<script>var currentValue='UNTRUSTED DATA';</script>	Ensure JavaScript variables are quoted JavaScript Hex Encoding JavaScript Unicode Encoding Avoid backslash encoding (\" or \' or \\)
String	HTML Comment	<!-- UNTRUSTED DATA-->	TODO
String	JavaScript Comment	/* UNTRUSTED DATA */	TODO
HTML Text	HTML Body	<span>UNTRUSTED HTML</span>	HTML Validation (JSoup, AntiSamy, HTML Sanitizer)
String	DOM XSS	TODO	DOM based XSS Prevention Cheat Sheet
String	AJAX/JSON Parsing	TODO	Use JSON.parse or json2.js library to parse JSON Avoid parsing JSON with eval()
String	AJAX/XML Parsing	TODO	TODO

@@ Line 16: / Line 16: @@
 | "safe" HTML Attributes
 | &lt;input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
-| <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)</li><li>Only place untrusted data into a whitelist of safe attributes white include: type*,accesskey*,align,alink,alt,bgcolor,border,cellpadding,cellspacing,class,color,cols,colspan,coords,dir,face,height,hspace,ismap,lang,marginheight,marginwidth,multiple,nohref,noresize,noshade,nowrap,ref,rel,rev,rows,rowspan,scrolling,shape,span,summary,tabindex,target*,title,usemap,valign,value,vlink,vspace,width
+| <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)</li><li>Only place untrusted data into a whitelist of safe attributes white include: type*, accesskey*, align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, target*, title, usemap, valign, value, vlink, vspace, width
 </li><li>Strictly validate unsafe attributes such as background, id and name.</ul>
 |-

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

Revision as of 11:28, 16 November 2011

XSS Prevention Overview

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools