
Abridged XSS Prevention Cheat Sheet

From OWASP
Revision as of 08:00, 1 May 2012 by Jmanico (Experimental Minimal Encoding Rules)


Introduction

Cross Site Scripting is the most common web vulnerability. Cross Site Scripting is a dangerous threat since it allows an attacker to trick a victim into executing malicious client-side script in a browser. This cheat sheet is a derivative work of the XSS (Cross Site Scripting) Prevention Cheat Sheet and will assist web developers in eliminating XSS from their applications.

XSS Prevention Safe Contexts

The following snippets of HTML demonstrate how to safely render untrusted data in a variety of different contexts.

Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

XSS Prevention Dangerous Contexts

The following snippets of HTML demonstrate dangerous contexts that developers should always avoid.

How to Output Encode

The purpose of output encoding (as it relates to Cross Site Scripting) is to convert untrusted input into a safe form in which the input is displayed to the user as data rather than executed as code by the browser. The following chart details the critical output encoding methods needed to stop Cross Site Scripting.

Encoding Type: HTML Entity Encoding
Encoding Mechanism:
  Convert & to &amp;
  Convert < to &lt;
  Convert > to &gt;
  Convert " to &quot;
  Convert ' to &#x27;
  Convert / to &#x2F;

Encoding Type: HTML Attribute Encoding
Encoding Mechanism: Except for alphanumeric characters, escape all characters, including spaces, with the HTML entity &#xHH; format (HH = hex value).

Encoding Type: URL Encoding
Encoding Mechanism: Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp

Encoding Type: JavaScript Encoding
Encoding Mechanism: Except for alphanumeric characters, escape all characters with the \uXXXX Unicode escaping format (X = Integer).

Encoding Type: CSS Hex Encoding
Encoding Mechanism: CSS escaping supports both \XX and \XXXXXX. Using a two-character escape can cause problems if the next character continues the escape sequence. There are two solutions: (a) add a space after the CSS escape (the CSS parser ignores it); (b) use the full six-digit form by zero-padding the value.
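The chart gives the rules but no code. The Python module below is an added example, not code from the OWASP page or from the cheat sheet project, that implements each chart row as a small encoder using only the standard library; the function names are my own. The JavaScript encoder writes the four hex digits of the \uXXXX form and splits a character outside the Basic Multilingual Plane into a surrogate pair so the result remains a valid JavaScript string literal; the CSS encoder offers both of the chart's solutions through a pad flag.

```python
"""Output encoders for the five contexts in the chart above.

Added example (not from the OWASP page). Each function applies the rule
stated in the matching chart row; the pass-through set is ASCII
alphanumerics only, so everything else is encoded.
"""
from urllib.parse import quote

# HTML Entity Encoding: the six characters the chart names.
_HTML_ENTITY_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def _is_passthrough(ch: str) -> bool:
    """Only ASCII letters and digits are left unencoded."""
    return ch.isascii() and ch.isalnum()


def html_entity_encode(s: str) -> str:
    """Encode untrusted data placed in an HTML element body (between tags)."""
    return "".join(_HTML_ENTITY_MAP.get(ch, ch) for ch in s)


def html_attribute_encode(s: str) -> str:
    """Encode for an HTML attribute value: every non-alphanumeric character,
    spaces included, becomes &#xHH; so the data cannot end the attribute."""
    return "".join(ch if _is_passthrough(ch) else f"&#x{ord(ch):02X};" for ch in s)


def url_encode(s: str) -> str:
    """Standard percent encoding for a URL parameter value; safe="" makes
    quote() encode '/' as well, which its default would leave alone."""
    return quote(s, safe="")


def javascript_encode(s: str) -> str:
    """Encode for a quoted JavaScript string literal using \\uXXXX escapes
    (four hex digits). Code points above U+FFFF are written as a surrogate
    pair, because \\uXXXX can only carry 16 bits."""
    out = []
    for ch in s:
        if _is_passthrough(ch):
            out.append(ch)
            continue
        cp = ord(ch)
        if cp > 0xFFFF:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def css_hex_encode(s: str, pad: bool = True) -> str:
    """Encode for a CSS string or property value.

    pad=True  -> solution (b): zero-padded six-digit form \\XXXXXX, which
                 can never be extended by a following hex digit.
    pad=False -> solution (a): short form followed by a space, which the
                 CSS parser consumes as the escape terminator.
    """
    out = []
    for ch in s:
        if _is_passthrough(ch):
            out.append(ch)
        elif pad:
            out.append(f"\\{ord(ch):06X}")
        else:
            out.append(f"\\{ord(ch):X} ")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    untrusted = '<img src=x onerror="alert(1)">'
    for name, fn in (("html", html_entity_encode), ("attr", html_attribute_encode),
                     ("url", url_encode), ("js", javascript_encode), ("css", css_hex_encode)):
        print(f"{name:5} {fn(untrusted)}")
```

The pass-through allow list is deliberately ASCII alphanumerics only, so a non-ASCII letter is encoded too; each of these encoders is only as safe as that list is narrow, and widening it (for example to "printable characters") is how attribute and CSS encoders usually end up letting a terminator through. The encoder chosen must match the context the data lands in: html_entity_encode output is not safe inside an event handler or a style block, which is exactly why the chart has five rows rather than one.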

Experimental Minimal Encoding Rules

The following examples demonstrate minimal experimental encoding rules.

Related Articles

OWASP Cheat Sheets Project Homepage


Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com