This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Abridged XSS Prevention Cheat Sheet
Introduction
Cross site scripting is the most common web vulnerability. It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser. This cheat sheet is a derivative work of the XSS (Cross Site Scripting) Prevention Cheat Sheet.
XSS Prevention
Data Type | Context | Code Sample | Defense |
---|---|---|---|
String | HTML Body | <span>UNTRUSTED DATA</span> | |
String | Safe HTML Attributes | <input type="text" name="fname" value="UNTRUSTED DATA"> |
|
String | GET Parameter | <a href="/site/search?value=UNTRUSTED DATA">clickme</a> | |
String | Untrusted URL in a SRC or HREF attribute | <a href="UNTRUSTED DATA">clickme</a> <iframe src="UNTRUSTED DATA" /> |
|
String | CSS Value | <div style="width: UNTRUSTED DATA;">Selection</div> |
|
String | JavaScript Variable | <script>var currentValue='UNTRUSTED DATA';</script> <script>someFunction('UNTRUSTED DATA');</script> |
|
String | HTML Comment | <!-- UNTRUSTED DATA --> | TODO |
String | JavaScript Comment | /* UNTRUSTED DATA */ |
|
HTML | HTML Body | <div>UNTRUSTED HTML</div> | |
JavaScript | HTML Body | <div>UNTRUSTED JAVASCRIPT</div> |
|
String | DOM XSS | TODO | |
String | AJAX/JSON Parsing | JSON.parse(UNTRUSTED JSON DATA) |
|
String | AJAX/HTML | TODO |
|
String | AJAX/XML Parsing | TODO | TODO |
String | Framework Protections | <span>UNTRUSTED DATA</span> |
|
Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
Output Encoding
The purpose of output encoding (as it relates to Cross Site Scripting) is to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser. The following charts details a list of critical output encoding methods needed to stop Cross Site Scripting.
Encoding Type | Encoding Mechanism |
---|---|
HTML Entity Encoding | Convert & to & Convert < to < Convert > to > Convert " to " Convert ' to ' Convert / to / |
HTML Attribute Encoding | Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value) |
URL Encoding | Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp |
JavaScript Encoding | Except for alphanumeric characters, escape all characters with the \uXXXX unicode escaping format (X = Integer). |
CSS Hex Encoding | CSS escaping supports \XX and \XXXXXX. Using a two character escape can cause problems if the next character continues the escape sequence. There are two solutions (a) Add a space after the CSS escape (will be ignored by the CSS parser) (b) use the full amount of CSS escaping possible by zero padding the value. |
Related Articles
OWASP Cheat Sheets Project Homepage
Authors and Primary Editors
Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com