| (144 intermediate revisions by 4 users not shown) |
| Line 1: |
Line 1: |
| − | = Introduction =
| + | #redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]] |
| − | | |
| − | The following table briefly describes how to defeat Cross Site Scripting in a variety of different contexts.
| |
| − | | |
| − | = XSS Prevention =
| |
| − | | |
| − | {| class="wikitable"
| |
| − | |-
| |
| − | ! Data Type
| |
| − | ! Context
| |
| − | ! Defense
| |
| − | |-
| |
| − | | Numeric, Type safe language
| |
| − | | Any Context
| |
| − | | Cast to Numeric
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Body
| |
| − | | HTML Entity Encoding
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Attribute, quoted
| |
| − | | HTML Entity Encode single and double quotes
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Attribute, unquoted
| |
| − | | Aggressive HTML Entity Encoding
| |
| − | |-
| |
| − | | String
| |
| − | | GET Parameter
| |
| − | | URL Encoding
| |
| − | |-
| |
| − | | String
| |
| − | | Untrusted URL, HREF tag (or equivalent)
| |
| − | | URL Validation, reject javascript: URL’s, Whitelist http, https and other safe URL types, Attribute encoding, safe URL verification
| |
| − | |-
| |
| − | | String
| |
| − | | CSS
| |
| − | | Strict structural validation, CSS Hex encoding, good design
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Text
| |
| − | | HTML Validation (JSoup, AnMSamy, HTML Sanitizer)
| |
| − | |-
| |
| − | | String
| |
| − | | DOM XSS
| |
| − | | [[DOM_based XSS Prevention Cheat Sheet]]
| |
| − | |}
| |
| − | | |
| − | = Related Articles =
| |
| − | | |
| − | {{Cheatsheet_Navigation}}
| |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | Jim Manico - jim [at] owasp.org
| |
| − | | |
| − | [[Category:Cheatsheets]]
| |
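Review bot: replacing the whole page body with `#redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]]` drops the context-to-defense table outright, so before merging, confirm that every removed row has an equivalent on the target page: numeric cast in type-safe languages, HTML body entity encoding, quoted versus unquoted attribute encoding, URL encoding for GET parameters, untrusted HREF handling (reject `javascript:` URLs, allow-list http/https), CSS hex encoding with structural validation, sanitizing of user-supplied HTML, and the DOM XSS pointer; a redirect with no equivalent row silently loses guidance. Two defects in the removed rows should not be carried over verbatim if the content is moved: "AnMSamy" in `HTML Validation (JSoup, AnMSamy, HTML Sanitizer)` is a misspelling of AntiSamy, and that row describes sanitization (allow-listing tags and attributes) rather than validation, which is a different control; also "URL’s" in the HREF row should read "URLs".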