Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cross Site Scripting (XSS): Do I need to escape the ampersand?

I want to escape for XSS in an HTML context, and so far I treat the <, >, and " characters. Apparently it is recommended to escape the ampersand as well, but why? (Other than for keeping the HTML valid, let's assume that this is not an issue)

So what I am asking is: When I escape <, > and ", can someone demonstrate how the ampersand can still allow an XSS attack in an HTML context?

Cheers!

like image 395
Brent Gallagher Avatar asked Feb 03 '12 05:02

Brent Gallagher


2 Answers

You should really take a look at the OWASP XSS Prevention Cheat Sheet.

You should escape & because it can be used to circumvent other defenses. Consider this code:

<button onclick="confirm('Do you really want to delete <%= data_from_user; %> ?'">Delete</button>

To defend against XSS inside the onclick event handler, the developer escapes ', ", < and > in data_from_user and thinks everything is ok. The problem is that if the attacker types &#39; which passes the escaping, but ends up allowing the attacker to run javascript.

Example here: http://erlend.oftedal.no/blog/?blogid=124

like image 99
Erlend Avatar answered Oct 12 '22 11:10

Erlend


you use & to concatenate params in the URL:

Reflected XXS:
Script code is injected in the URL which the webpage reflects to victims

http://mybank.com/page?message= < script src = “evil _script.js” />

like image 26
Adrian Avatar answered Oct 12 '22 10:10

Adrian