Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

Latest revision as of 17:48, 16 September 2012

Redirect to:

XSS (Cross Site Scripting) Prevention Cheat Sheet

@@ Line 1: / Line 1: @@
-= Introduction =
+#redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]]
-The following table briefly describes how to defeat Cross Site Scripting in a variety of different contexts.
-= XSS Prevention =
-{| class="wikitable"
-|-
-! Data Type
-! Context
-! Defense
-|-
-| Numeric, Type safe language
-| Any Context
-| Cast to Numeric
-|-
-| String
-| HTML Body
-| HTML Entity Encoding
-|-
-| String
-| HTML Attribute, quoted
-| HTML Entity Encode single and double quotes
-|-
-| String
-| HTML Attribute, unquoted
-| Aggressive HTML Entity Encoding
-|-
-| String
-| GET Parameter
-| URL Encoding
-|-
-| String
-| Untrusted URL, HREF tag (or equivalent)
-| URL Validation, reject javascript: URL’s, Whitelist http, https and other safe URL types, Attribute encoding, safe URL verification
-|-
-| String
-| CSS
-| [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values Strict structural validation, CSS Hex encoding, good design]
-|-
-| String
-| HTML Text
-| [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Use_an_HTML_Policy_engine_to_validate_or_clean_user-driven_HTML_in_an_outbound_way HTML Validation (JSoup, AnMSamy, HTML Sanitizer)]
-|-
-| String
-| DOM XSS
-| [[DOM_based XSS Prevention Cheat Sheet]]
-|}
-= Related Articles =
-{{Cheatsheet_Navigation}}
-= Authors and Primary Editors  =
-Jim Manico - jim [at] owasp.org
-[[Category:Cheatsheets]]

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

Latest revision as of 17:48, 16 September 2012

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools