Difference between revisions of "CRV2 ContextEncHTMLAttribute"

From OWASP

Revision as of 15:10, 3 October 2013

HTML Attribute Encoding: HTML attributes may contain untrusted data. It is important to determine whether any of the HTML attributes on a given page contain data from outside the trust boundary.

Some HTML attributes are considered safer than others, such as:

align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

When reviewing code for XSS we need to look for HTML attributes such as the following:

   <input type="text" name="fname" value="UNTRUSTED DATA">

Attacks may take the following format:

   "><script>/* bad stuff */</script>

What is Attribute encoding?
HTML attribute encoding replaces the small set of characters that would otherwise let a string of characters break out of an HTML element's attribute.
We replace ", &, and < with &quot;, &amp;, and &lt;.
This is necessary because the way a browser or HTML parser reads and interprets attributes and the data they contain differs from how it reads an HTML document and its elements.
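The replacement described above, applied to the page's <input> field, as an added Python example that is not part of the OWASP page: it builds the tag with and without encoding and uses the standard-library HTML parser to check whether the untrusted value opened a new <script> element. As a general precaution it also encodes > and ', which goes beyond the three characters the page lists; the names html_attribute_encode, render_input and parse_tags are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the attack string from the page's example.
UNTRUSTED = '"><script>/* bad stuff */</script>'


def html_attribute_encode(value: str) -> str:
    """Replace ", &, < (the characters the page lists) plus > and '.
    & is replaced first so the entities we emit are not re-encoded."""
    return (value.replace("&", "&amp;")
                 .replace('"', "&quot;")
                 .replace("'", "&#x27;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;"))


def render_input(value: str, encode: bool) -> str:
    """Build the page's <input> tag. The attribute value must be quoted;
    this encoding is only sufficient for a quoted attribute."""
    safe = html_attribute_encode(value) if encode else value
    return f'<input type="text" name="fname" value="{safe}">'


class TagCollector(HTMLParser):
    """Record every start tag (and its attributes) the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str):
    """Return [(tag, attrs), ...] as an HTML parser reads the fragment.
    Attribute values come back entity-decoded, i.e. as the browser sees them."""
    p = TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


if __name__ == "__main__":
    for encode in (False, True):
        fragment = render_input(UNTRUSTED, encode)
        print("encoded" if encode else "raw    ", [t for t, _ in parse_tags(fragment)])
```

With encoding off the parser reports both an input and a script element; with encoding on it reports a single input whose value attribute decodes back to the original string.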


Attribute encoding may be performed in a number of ways.
HttpUtility.HtmlAttributeEncode
http://msdn.microsoft.com/en-us/library/wdek0zbf.aspx

OWASP Java Encoder Project
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project