This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Abridged XSS Prevention Cheat Sheet"
m (→XSS Prevention Overview) |
m (→XSS Prevention Overview) |
||
| Line 19: | Line 19: | ||
|- | |- | ||
| String | | String | ||
| − | | | + | | Safe HTML Attributes |
| <input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>"> | | <input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>"> | ||
| <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Only place untrusted data into a whitelist of safe attributes. | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Only place untrusted data into a whitelist of safe attributes. | ||
| Line 75: | Line 75: | ||
|} | |} | ||
| − | + | '''''Safe HTML Attributes include:''''' align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width</a> | |
= Output Encoding Types = | = Output Encoding Types = | ||
Revision as of 11:43, 16 November 2011
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
Cross site scripting is the most common web vulnerability. It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser. More details about XSS can be found here: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
XSS Prevention Overview
| Data Type | Context | Code Sample | Defense |
|---|---|---|---|
| String | HTML Body | <span>UNTRUSTED DATA</span> | |
| String | Safe HTML Attributes | <input type="text" name="fname" value="UNTRUSTED DATA"> |
|
| String | GET Parameter | <a href="/site/search?value=UNTRUSTED DATA">clickme</a> | |
| String | Untrusted URL in a SRC or HREF attribute | <a href="UNTRUSTED DATA">clickme</a> <iframe src="UNTRUSTED DATA" /> |
|
| String | CSS | <div style="width: UNTRUSTED DATA;">Selection</div> |
|
| String | JavaScript | <script>var currentValue='UNTRUSTED DATA';</script> |
|
| String | HTML Comment | <!-- UNTRUSTED DATA--> | TODO |
| String | JavaScript Comment | /* UNTRUSTED DATA */ |
TODO |
| HTML Text | HTML Body | <span>UNTRUSTED HTML</span> | |
| String | DOM XSS | TODO | |
| String | AJAX/JSON Parsing | TODO |
|
| String | AJAX/XML Parsing | TODO | TODO |
Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width</a>
Output Encoding Types
| Encoding Type | Encoding Mechanism |
|---|---|
| HTML Entity Encoding | & --> & < --> < > --> > " --> " ' --> ' ' is not recommended / --> / forward slash is included as it helps end an HTML entity |
| HTML Attribute Encoding | TODO |
| URL Encoding | TODO |
| JavaScript HEX Encoding | TODO |
| CSS Hex Encoding | TODO |
Related Articles
OWASP Cheat Sheets Project Homepage
Authors and Primary Editors
Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com
