Line 1: |
− | = <b>Experimental</b> Minimal Encoding Rules =
| + | #redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]] |
− | | |
− | The following examples demonstrate experimental minimal encoding rules for XSS prevention.
| |
− | | |
− | {| class="wikitable nowraplinks"
| |
− | |-
| |
− | ! Context
| |
− | ! Code Sample
| |
− | ! Rules
| |
− | |-
| |
− | | JavaScript, quoted string in a script block
| |
− | | <script>alert("Hello "+"<%= <span style="color:red;">UNTRUSTED DATA</span> %>");</script>
| |
− | | <ul><li>Use these escapes: \\ \r \n \b \t \f \' \" \/</li><li>For any other character in range 0..0x19, use hex escapes</li><li>If using non-Unicode charset, any character above 0x7e, use '\u' encoding</li></ul>
| |
− | |-
| |
− | | JavaScript, quoted string in an event handler attribute
| |
− | | onclick="alert('<%= <span style="color:red;">UNTRUSTED DATA</span> %>')";
| |
− | | <ul><li>Use these escapes: \\ \r \n \b \t \f</li><li>Use hex escapes for these characters: ' " &</li><li>For any other character in range 0..0x19, use hex escapes</li><li>If using non-Unicode charset, any character above 0x7e, use '\u' encoding</li></ul>
| |
− | |-
| |
− | | HTML Body (up to HTML 4.01):
| |
− | | <div><%= <span style="color:red;">UNTRUSTED DATA</span> %></div>
| |
− | | <ul><li>HTML Entity encode < &</li><li>specify charset in metatag to avoid UTF7 XSS</li></ul>
| |
− | |-
| |
− | | <b>X</b>HTML Body:
| |
− | | <div><%= <span style="color:red;">UNTRUSTED DATA</span> %></div>
| |
− | | <ul><li>HTML Entity encode < & ></li><li>limit input to charset http://www.w3.org/TR/2008/REC-xml-20081126/#charsets</li></ul>
| |
− | |-
| |
− | |}
| |
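Review bot: the replacement of the whole page with `#redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]]` drops the entire "Experimental Minimal Encoding Rules" table (the four context rows: JavaScript quoted string in a script block, JavaScript quoted string in an event handler attribute, HTML Body up to HTML 4.01, and XHTML Body) without anything in the diff showing where those rules now live. A one-line edit summary naming the section of the target cheat sheet that supersedes them, or a statement that the experimental rules are intentionally retired, would let readers following the redirect know whether the per-context escape lists (for example `\\ \r \n \b \t \f \' \" \/` plus hex escapes for 0..0x19 in the script-block row) are still available anywhere.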