|
|
| (81 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| − | = XSS Prevention Overview =
| + | #redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]] |
| − | | |
| − | {| class="wikitable"
| |
| − | |-
| |
| − | ! Data Type
| |
| − | ! Context
| |
| − | ! Code Sample
| |
| − | ! Defense
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Body
| |
| − | | <span><span style="color:red;">UNTRUSTED DATA</span></span>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content HTML Entity Encoding]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | "safe" HTML Attributes
| |
| − | | <input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)</li><li>Only place untrusted data into a whitelist of safe attributes</li><li>Strictly validate unsafe attributes such as background, id and name.</ul>
| |
| − | |-
| |
| − | | String
| |
| − | | GET Parameter
| |
| − | | <a href="/site/search?value=<span style="color:red;">UNTRUSTED DATA</span>">clickme</a>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values URL Encoding]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | Untrusted URL rendered in an HREF tag<br/>(or other HTML link context)
| |
| − | | <a href="<span style="color:red;">UNTRUSTED DATA</span>">clickme</a><br/><iframe src="<span style="color:red;">UNTRUSTED DATA</span>" />
| |
| − | | <ul><li>Cannonicalize input</li><li>URL Validation</li><li>Safe URL verification</li><li>Whitelist http and https URL's only</li><li>Attribute encoder</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | CSS
| |
| − | | <div style="width: <span style="color:red;">UNTRUSTED DATA</span>;">Selection</div>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values Strict structural validation]<li>CSS Hex encoding<li>good design of CSS Features</ul>
| |
| − | |-
| |
| − | | String
| |
| − | | JavaScript
| |
| − | | <script>var currentValue='<span style="color:red;">UNTRUSTED DATA</span>';</script>
| |
| − | | <ul><li>Ensure JavaScript variables are quoted</li><li>JavaScript Hex Encoding</li><li>JavaScript Unicode Encoding</li><li>Avoid backslash encoding (\" or \' or \\)</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Comment
| |
| − | | <!-- <span style="color:red;">UNTRUSTED DATA</span>-->
| |
| − | | TODO
| |
| − | |-
| |
| − | | String
| |
| − | | JavaScript Comment
| |
| − | | /*<br/><span style="color:red;">UNTRUSTED DATA</span><br/>*/
| |
| − | | TODO
| |
| − | |-
| |
| − | | HTML Text
| |
| − | | HTML Body
| |
| − | | <span><span style="color:red;">UNTRUSTED HTML</span></span>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Use_an_HTML_Policy_engine_to_validate_or_clean_user-driven_HTML_in_an_outbound_way HTML Validation (JSoup, AntiSamy, HTML Sanitizer)]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | DOM XSS
| |
| − | | TODO
| |
| − | | <ul><li>[[DOM based XSS Prevention Cheat Sheet]]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | AJAX/JSON Parsing
| |
| − | | TODO
| |
| − | | <ul><li>Use JSON.parse or json2.js library to parse JSON</li><li>Avoid parsing JSON with eval()</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | AJAX/XML Parsing
| |
| − | | TODO
| |
| − | | TODO
| |
| − | |}
| |
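Review bot: before this revision collapses the whole page into `#redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]]`, confirm that the redirect target actually carries the per-context guidance the removed table held, because several rows are not simple pointers into the cheat sheet: the "Untrusted URL rendered in an HREF tag" row (canonicalize, validate, whitelist http and https only, then attribute-encode), the JavaScript row ("Ensure JavaScript variables are quoted", hex/Unicode encoding, "Avoid backslash encoding"), the "safe" HTML attribute row (avoid placing untrusted data in an ID attribute, whitelist attributes, strictly validate background/id/name) and the AJAX/JSON row (`JSON.parse` or json2.js, never `eval()`). If the target does not state those points, fold the corresponding rows into it in the same edit rather than dropping them; the rows whose Code Sample or Defense cells are still "TODO" (HTML Comment, JavaScript Comment, DOM XSS sample, AJAX/XML Parsing) carry nothing and can go. Minor: the removed text's "Cannonicalize" and "URL's" are typos that should not be carried over if any of it is merged into the target.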