This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Abridged XSS Prevention Cheat Sheet
Introduction
Cross site scripting is the most common web vulnerability. Cross Site Scripting is a dangerous threat since it allows an attacker to trick a victim into executing malicious client-side script in a browser. This cheat sheet is a derivative work of the XSS (Cross Site Scripting) Prevention Cheat Sheet and will assist web developers in eliminating XSS from their applications.
XSS Prevention Safe Contexts
The following snippets of HTML demonstrate how to safely render untrusted data in a variety of different contexts.
Data Type | Context | Code Sample | Defense |
---|---|---|---|
String | HTML Body | <span>UNTRUSTED DATA</span> | |
String | Safe HTML Attributes | <input type="text" name="fname" value="UNTRUSTED DATA"> |
|
String | GET Parameter | <a href="/site/search?value=UNTRUSTED DATA">clickme</a> | |
String | Untrusted URL in a SRC or HREF attribute | <a href="UNTRUSTED URL">clickme</a> <iframe src="UNTRUSTED URL" /> |
|
String | CSS Value | <div style="width: UNTRUSTED DATA;">Selection</div> |
|
String | JavaScript Variable | <script>var currentValue='UNTRUSTED DATA';</script> <script>someFunction('UNTRUSTED DATA');</script> |
|
HTML | HTML Body | <div>UNTRUSTED HTML</div> | |
JavaScript | HTML Body | <div>UNTRUSTED JAVASCRIPT</div> |
|
String | DOM XSS | TODO | |
String | AJAX/JSON Parsing | JSON.parse(UNTRUSTED JSON DATA) |
|
String | AJAX/XML Parsing | TODO | TODO |
String | Framework Protections | <span>UNTRUSTED DATA</span> |
|
String | Loading HTML fragments using AJAX | TODO |
|
Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
XSS Prevention Dangerous Contexts
The following snippets of HTML demonstrate dangerous contexts that developers should always avoid.
Data Type | Context | Code Sample | Danger |
---|---|---|---|
String | JavaScript eval(), setTimeout(), setInterval() | <script>eval(UNTRUSTED DATA);<script> |
|
String | HTML Comment | <!-- UNTRUSTED DATA --> |
|
String | JavaScript Comment | /* UNTRUSTED DATA */ |
|
How to Output Encode
The purpose of output encoding (as it relates to Cross Site Scripting) is to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser. The following charts details a list of critical output encoding methods needed to stop Cross Site Scripting.
Encoding Type | Encoding Mechanism |
---|---|
HTML Entity Encoding | Convert & to & Convert < to < Convert > to > Convert " to " Convert ' to ' Convert / to / |
HTML Attribute Encoding | Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value) |
URL Encoding | Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp |
JavaScript Encoding | Except for alphanumeric characters, escape all characters with the \uXXXX unicode escaping format (X = Integer). |
CSS Hex Encoding | CSS escaping supports \XX and \XXXXXX. Using a two character escape can cause problems if the next character continues the escape sequence. There are two solutions (a) Add a space after the CSS escape (will be ignored by the CSS parser) (b) use the full amount of CSS escaping possible by zero padding the value. |
Experimental Minimal Encoding Rules
The following examples demonstrate minimal experiential encoding rules.
Context | Code Sample | Rules |
---|---|---|
JavaScript, quoted string in a script block | alert("Hello "+"<%= UNTRUSTED DATA %>") |
|
JavaScript, quoted string in an event handler attribute | onclick="alert('<%= UNTRUSTED DATA %>')"; |
|
HTML Body (up to HTML 4.01): | <div><%= UNTRUSTED DATA %></div> |
|
XHTML Body: | <div><%= UNTRUSTED DATA %></div> |
|
Related Articles
OWASP Cheat Sheets Project Homepage
Authors and Primary Editors
Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com