
Abridged XSS Prevention Cheat Sheet

From OWASP
Revision as of 11:28, 16 November 2011 by Jmanico (talk | contribs) (XSS Prevention Overview)


XSS Prevention Overview

Columns: Data Type / Context / Code Sample / Defense

Data Type: String
Context: HTML Body
Code Sample: <span>UNTRUSTED DATA</span>

Data Type: String
Context: "safe" HTML Attributes
Code Sample: <input type="text" name="fname" value="UNTRUSTED DATA">
Defense:
  • Aggressive HTML Entity Encoding
  • Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)
  • Only place untrusted data into a whitelist of safe attributes, which include: type*, accesskey*, align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, target*, title, usemap, valign, value, vlink, vspace, width
  • Strictly validate unsafe attributes such as background, id and name.

Data Type: String
Context: GET Parameter
Code Sample: <a href="/site/search?value=UNTRUSTED DATA">clickme</a>

Data Type: String
Context: Untrusted URL rendered in an HREF tag (or other HTML link context)
Code Sample:
  <a href="UNTRUSTED DATA">clickme</a>
  <iframe src="UNTRUSTED DATA" />
Defense:
  • Canonicalize input
  • URL Validation
  • Safe URL verification
  • Whitelist http and https URLs only
  • Attribute encoder

Data Type: String
Context: CSS
Code Sample: <div style="width: UNTRUSTED DATA;">Selection</div>

Data Type: String
Context: JavaScript
Code Sample: <script>var currentValue='UNTRUSTED DATA';</script>
Defense:
  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or \\)

Data Type: String
Context: HTML Comment
Code Sample: <!-- UNTRUSTED DATA -->
Defense: TODO

Data Type: String
Context: JavaScript Comment
Code Sample:
  /*
  UNTRUSTED DATA
  */
Defense: TODO

Data Type: HTML Text
Context: HTML Body
Code Sample: <span>UNTRUSTED HTML</span>

Data Type: String
Context: DOM XSS
Code Sample: TODO

Data Type: String
Context: AJAX/JSON Parsing
Code Sample: TODO
Defense:
  • Use JSON.parse or the json2.js library to parse JSON
  • Avoid parsing JSON with eval()

Data Type: String
Context: AJAX/XML Parsing
Code Sample: TODO
Defense: TODO
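The defenses listed in the table above, implemented as an added example in plain Node.js. This is not OWASP's code and is not part of the cheat sheet: the function names, the attribute subset in SAFE_ATTRIBUTES and the sample inputs are this example's own assumptions, and URL canonicalization relies on Node's built-in WHATWG URL parser. It covers the "safe" HTML attribute context (aggressive entity encoding plus an attribute whitelist), the untrusted-URL-in-href context (canonicalize, whitelist http/https, attribute-encode), the JavaScript string context (hex/Unicode encoding instead of backslash escaping) and AJAX/JSON parsing (JSON.parse rather than eval).

```javascript
// Added example: context-specific encoders for the contexts in the table.
// Not OWASP's code; function names, the whitelist subset and the sample
// inputs are constructed for this example.

// --- "safe" HTML attribute context: aggressive HTML entity encoding ----------
// Every character outside [A-Za-z0-9] becomes a numeric entity (&#xHH;), so a
// quote, angle bracket, space or backtick in the data can never terminate the
// attribute value, whatever quoting style the template used.
function encodeForHtmlAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) =>
    "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";");
}

// Subset of the table's attribute whitelist (assumption for this example):
// no id, name or background, and no event-handler or URL-valued attributes.
const SAFE_ATTRIBUTES = new Set([
  "alt", "class", "cols", "dir", "height", "lang", "rows", "summary",
  "tabindex", "title", "value", "width",
]);

// Emit name="value" only when the attribute name is on the whitelist;
// anything else is refused rather than encoded.
function renderAttribute(name, value) {
  const attr = String(name).toLowerCase();
  if (!SAFE_ATTRIBUTES.has(attr)) {
    throw new Error("attribute not on the whitelist: " + attr);
  }
  return attr + '="' + encodeForHtmlAttribute(value) + '"';
}

// --- Untrusted URL in href/src: canonicalize, whitelist scheme, encode -------
// The WHATWG URL parser canonicalizes the input (lower-cases the scheme and
// host, strips ASCII tab/newline, percent-encodes the query); only absolute
// http/https URLs pass. Returns null when the URL must not be emitted at all.
function safeHrefAttribute(untrustedUrl) {
  let parsed;
  try {
    parsed = new URL(String(untrustedUrl).trim());
  } catch {
    return null; // relative or unparsable input: reject rather than guess
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return 'href="' + encodeForHtmlAttribute(parsed.href) + '"';
}

// --- JavaScript string context: \xHH / \uHHHH encoding -----------------------
// For data placed inside a quoted literal such as var currentValue='...'.
// Every non-alphanumeric character is hex-encoded, so a closing script tag,
// quotes, newlines or U+2028/2029 cannot end the literal or the script block.
// Backslash escaping (\" \' \\) alone is avoided: it leaves < and / untouched.
function encodeForJavaScript(input) {
  let out = "";
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp < 0x10000) out += "\\u" + cp.toString(16).padStart(4, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// The table's JavaScript sample, with the variable kept quoted as required.
function renderScriptVariable(value) {
  return "<script>var currentValue='" + encodeForJavaScript(value) + "';</script>";
}

// --- AJAX/JSON parsing: JSON.parse, never eval() -----------------------------
// JSON.parse accepts only the JSON grammar, so a response body that is really
// JavaScript is rejected with a SyntaxError instead of being executed.
function parseJsonResponse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample inputs run through the encoders for the table's samples.
function renderSamples() {
  const untrusted = "O'Brien <b>"; // constructed value with quote and tags
  return {
    attribute: '<input type="text" ' + renderAttribute("value", untrusted) + ">",
    href: safeHrefAttribute("HTTP://Example.com/search?q=a b"),
    script: renderScriptVariable("x</script>"),
  };
}
```

The attribute and JavaScript encoders are deliberately aggressive (everything but letters and digits is encoded) so they stay safe even if a template author later changes the quoting around the value; the JavaScript literal must still be quoted, as the table notes, because the encoder only protects the inside of a string literal.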