I want to escape for XSS in an HTML context, and so far I treat the `<`, `>`, and `"` characters.
Apparently it is recommended to escape the ampersand as well, but why? (Other than for keeping the HTML valid, let's assume that this is not an issue)
So what I am asking is:
When I escape `<`, `>` and `"`, can someone demonstrate how the ampersand can still allow an XSS attack in an HTML context?
Cheers!
You should really take a look at the OWASP XSS Prevention Cheat Sheet.
You should escape & because it can be used to circumvent other defenses. Consider this code:
<button onclick="confirm('Do you really want to delete <%= data_from_user; %> ?')">Delete</button>
To defend against XSS inside the onclick event handler, the developer escapes ', ", < and > in data_from_user and thinks everything is ok. The problem is that if the attacker types `&#39;`, which passes the escaping, the browser decodes it back to a single quote before the JavaScript runs, which ends up allowing the attacker to run javascript.
Example here: http://erlend.oftedal.no/blog/?blogid=124
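As an added example that is not part of the answer above, a small Node.js model of the bypass it describes. The helper names (escapeJsNoAmp, escapeJsThenAmp, decodeHtmlAttribute, breaksOutOfJsString) are assumptions, as is the assumption that the developer's escaper backslash-escapes the quote and angle-bracket characters for the JavaScript string.

```javascript
// Added example, not code from the original answer.
// Assumed: the developer escapes ' " < > (and backslash) with JavaScript
// backslash escapes, as a developer protecting confirm('...') typically would.
function escapeJsNoAmp(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '<': '\\x3c', '>': '\\x3e' };
  return s.replace(/[\\'"<>]/g, (c) => map[c]);
}

// The corrected escaper from the answer's advice: & is encoded too, so an
// entity typed by the user cannot survive into the attribute value.
function escapeJsThenAmp(s) {
  return escapeJsNoAmp(s).replace(/&/g, '&amp;');
}

// Minimal model of what a browser does with an attribute value before the
// JavaScript engine ever sees it: character references are decoded once.
function decodeHtmlAttribute(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10));
    }
    const key = ref.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : whole;
  });
}

// Builds the attribute value from the answer's template with the given escaper
// and reports whether the decoded value contains a quote that would terminate
// the single-quoted JavaScript string literal inside confirm('...').
function breaksOutOfJsString(userInput, escaper) {
  const attr = `confirm('Do you really want to delete ${escaper(userInput)} ?')`;
  const seenByJs = decodeHtmlAttribute(attr);
  // The template itself contributes exactly two unescaped single quotes;
  // a backslash-escaped quote (\') does not end the literal.
  const unescapedQuotes = (seenByJs.match(/(?<!\\)'/g) || []).length;
  return unescapedQuotes > 2;
}

// Constructed inputs: a plain quote is handled, the entity from the answer is not.
console.log(breaksOutOfJsString("'", escapeJsNoAmp));     // false
console.log(breaksOutOfJsString('&#39;', escapeJsNoAmp)); // true
console.log(breaksOutOfJsString('&#39;', escapeJsThenAmp)); // false
```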
You use & to concatenate params in the URL:
Reflected XSS:
Script code is injected in the URL which the webpage reflects to victims
http://mybank.com/page?message=<script src="evil_script.js"/>