Sep 19, 2017

HTML entity encoding untrusted data is not enough

Even if you HTML entity encode untrusted data everywhere it appears in a page, you are still most likely vulnerable to XSS.

HTML entity encoding is the right tool for untrusted data that goes into the body of the HTML document, such as the text inside a <div> tag. It also works for untrusted data that goes into an attribute value, provided you are religious about quoting every attribute (an unquoted attribute can be terminated by a space, which entity encoding leaves alone). But it does not work when the untrusted data lands inside a <script> tag, in an event handler attribute such as onmouseover, inside CSS, or in a URL. The reason is that the HTML parser is not the last parser to see the data: the browser decodes character references in an attribute value before handing it to the JavaScript engine or the URL loader, so &#39; is a plain ' again by the time it is interpreted; and inside a <script> block the parser does not decode character references at all, so the data arrives mangled and the JavaScript grammar, not HTML, decides what ends a string or a statement.

You MUST encode for the specific context you are inserting untrusted data into (HTML body, quoted attribute value, JavaScript string literal, CSS value, URL parameter), and when contexts nest, as they do for a JavaScript string inside an event handler attribute or a URL inside an href, encode for each context from the inside out.
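The following is an added example, not code from the original post. It is a small Node.js script covering two of the contexts named above, an onmouseover handler and a URL in an href, with HTML entity encoding alone beside context-specific, layered encoding. The helper names, the show() handler, the browserDecodeAttribute() model of how the HTML parser decodes an attribute value, and the payloads are all assumptions made for this illustration.

```javascript
// Added example (not from the original post): HTML entity encoding alone
// versus context-specific, layered encoding. Helper names, the show()
// handler and the payloads are assumptions made for this illustration.
// Run with: node xss-contexts.js

// HTML entity encoding: correct for element content and for data placed
// inside a quoted attribute value.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Approximation of what the HTML parser does to an attribute value before
// the script engine or the URL loader ever sees it: character references
// are turned back into characters. This step undoes htmlEncode.
function browserDecodeAttribute(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes to "&lt;", not "<"
}

// JavaScript string-literal encoding: every non-alphanumeric character
// becomes \xHH or \u{H...}, so nothing in the data can close the literal
// or start a new statement, no matter what the HTML parser decoded first.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? '\\x' + cp.toString(16).padStart(2, '0')
                      : '\\u{' + cp.toString(16) + '}';
  });
}

// --- Event-handler attribute: onmouseover="show('DATA')" ----------------

function handlerEntityOnly(data) {
  return `onmouseover="show('${htmlEncode(data)}')"`;
}

// Inside-out: JS literal first, then the enclosing attribute value.
function handlerLayered(data) {
  return `onmouseover="show('${htmlEncode(jsStringEncode(data))}')"`;
}

// The JavaScript source the engine actually compiles for the handler.
function handlerSource(attribute) {
  return browserDecodeAttribute(attribute.slice('onmouseover="'.length, -1));
}

// Run the handler the way the browser would, with stand-ins for show() and
// alert(); report what show() received and whether alert() fired.
function runHandler(jsSource) {
  const result = { shown: undefined, alertFired: false };
  new Function('show', 'alert', jsSource)(
    (v) => { result.shown = v; },
    () => { result.alertFired = true; },
  );
  return result;
}

// --- URL in an attribute: href="/search?q=DATA" --------------------------

function hrefEntityOnly(data) {
  return `href="/search?q=${htmlEncode(data)}"`;
}

// Inside-out again: percent-encode for the URL, entity-encode for the attribute.
function hrefLayered(data) {
  return `href="/search?q=${htmlEncode(encodeURIComponent(data))}"`;
}

// Parse the link the way the browser will and return its query parameters.
function linkParams(attribute) {
  const url = browserDecodeAttribute(attribute.slice('href="'.length, -1));
  return Object.fromEntries(new URL(url, 'https://example.invalid').searchParams);
}

const jsPayload = "');alert(1);//";     // constructed sample payload
const urlPayload = 'shoes&admin=true';  // constructed sample payload

console.log(handlerSource(handlerEntityOnly(jsPayload)));
// show('');alert(1);//')   <- the injected quote survived entity encoding
console.log(runHandler(handlerSource(handlerEntityOnly(jsPayload))).alertFired); // true
console.log(handlerSource(handlerLayered(jsPayload)));
// show('\x27\x29\x3balert\x281\x29\x3b\x2f\x2f')   <- inert string literal
console.log(runHandler(handlerSource(handlerLayered(jsPayload))).shown === jsPayload); // true
console.log(linkParams(hrefEntityOnly(urlPayload)));  // { q: 'shoes', admin: 'true' }
console.log(linkParams(hrefLayered(urlPayload)));     // { q: 'shoes&admin=true' }
```

The browserDecodeAttribute() model is deliberately crude (it handles only the common named and numeric references, with a trailing semicolon); a real HTML parser is more permissive, which only widens the gap between what you encoded and what the script engine sees. Note also that layering helps only where the inner context has an encoding at all: for an unquoted JavaScript context such as var n = DATA; no output encoding can make arbitrary data safe, and the data has to be validated (for example, as an integer) instead.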
