This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

CRV2 ContextEncHTMLEntity

Revision as of 15:37, 3 October 2013 by EoinKeary (talk | contribs)

Jump to: navigation, search

HTML elements which contain user controlled data or data from untrusted sourced should be reviewed for contextual output encoding. In the case of HTML entities we need to help ensure HTML Entity Encoding is perfromed:

Example HTML Entity containing untrusted data:

   HTML Body Context
   <span>UNTRUSTED DATA</span>
   <body>...UNTRUSTED DATA </body>
   <div>UNTRUSTED DATA </div>

HTML Entity Encoding is required

   & --> &amp;
   < --> &lt;
   > --> &gt;
   " --> &quot;
   ' --> &#x27;