 

How do I HTML Encode all the output in a web application?

Tags:

php

asp.net

jsp

I want to prevent XSS attacks in my web application. I found that HTML Encoding the output can really prevent XSS attacks. Now the problem is: how do I HTML encode every single output in my application? Is there a way to automate this?

I appreciate answers for JSP, ASP.net and PHP.

Niyaz Avatar asked Sep 12 '08 11:09

Niyaz


3 Answers

You don't want to encode all HTML, you only want to HTML-encode any user input that you're outputting.

For PHP: htmlentities and htmlspecialchars

David McLaughlin Avatar answered Nov 11 '22 16:11

David McLaughlin
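As an added example (not part of the answer above), here is what "encode the user input at the point you output it" looks like in PHP, using htmlspecialchars with explicit flags. The helper name e() and the renderProfile() template are my own; the sample inputs are constructed.

```php
<?php
// Added example: a small output-escaping helper applied at the moment
// user-controlled data is written into HTML (not code from the answer).

declare(strict_types=1);

// Escape a string for insertion into HTML text or a quoted attribute value.
// ENT_QUOTES also converts the single quote, which the pre-8.1 default
// (ENT_COMPAT) leaves alone and which matters inside value='...' attributes.
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a profile fragment; every interpolation of user data goes through e(),
// whether it lands in element text or inside an attribute value.
function renderProfile(string $displayName, string $bio): string
{
    return '<h1>' . e($displayName) . '</h1>' . "\n"
         . '<input name="bio" value="' . e($bio) . '">' . "\n"
         . '<p>' . e($bio) . '</p>';
}

// Constructed sample input resembling a hostile submission: a script tag for
// the text context and a quote that tries to break out of the attribute.
$name = '<script>alert(1)</script>';
$bio  = '" onmouseover="alert(2)" x="';

echo renderProfile($name, $bio), PHP_EOL;

// htmlentities() converts every character that has a named entity (an
// accented letter becomes &eacute;, for instance). For XSS prevention that is
// unnecessary: htmlspecialchars() already covers < > & " ', the characters
// that change HTML structure, and leaves other UTF-8 text readable.
echo htmlspecialchars('é'), ' vs ', htmlentities('é'), PHP_EOL;
```

In the rendered output the angle brackets of the script tag become &lt; and &gt;, and the double quote that would have closed the value attribute becomes &quot;, so the markup stays inert. Pass the flags explicitly rather than relying on the defaults: only PHP 8.1 and later escape single quotes by default.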


One thing that you shouldn't do is filter the input data as it comes in. People often suggest this, since it's the easiest solution, but it leads to problems.

Input data can be sent to multiple places, besides being output as HTML. It might be stored in a database, for example. The rules for filtering data sent to a database are very different from the rules for filtering HTML output. If you HTML-encode everything on input, you'll end up with HTML in your database. (This is also why PHP's "magic quotes" feature is a bad idea.)

You can't anticipate all the places your input data will travel. The safe approach is to prepare the data just before it's sent somewhere. If you're sending it to a database, escape the single quotes. If you're outputting HTML, escape the HTML entities. And once it's sent somewhere, if you still need to work with the data, use the original un-escaped version.

This is more work, but you can reduce it by using template engines or libraries.

JW. Avatar answered Nov 11 '22 17:11

JW.
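An added example (not code from the answer above) of the "store the original, prepare the data for each sink just before sending it" approach. It uses an in-memory SQLite database through PDO, which assumes the pdo_sqlite extension is available; for the database sink it uses a prepared statement instead of hand-escaping the single quote, which is the modern equivalent of what the answer describes. The helper e(), the table name and the sample input are constructed.

```php
<?php
// Added example: keep raw user input in storage and escape it only at each
// sink (not code from the answer). Runs against an in-memory SQLite database.

declare(strict_types=1);

function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input containing both a quote (a problem for SQL) and a tag
// (a problem for HTML). One string, two sinks, two different rules.
$input = "O'Reilly says <b>hi</b>";

// Sink 1: the database. A prepared statement hands the value to the driver
// separately from the SQL text, so the raw string is stored without any
// HTML encoding or quote escaping applied to it.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $input]);

// What is stored is exactly what the user typed.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
assert($stored === $input);

// Sink 2: an HTML page. Escape at this point, not before.
function renderComment(string $body): string
{
    return '<li>' . e($body) . '</li>';
}
echo renderComment($stored), PHP_EOL;

// Sink 3: a search against the raw column still works, because nothing was
// mangled on the way in. Had the input been HTML-encoded before storage,
// the apostrophe would be stored as &apos; and this lookup would miss.
$find = $db->prepare('SELECT COUNT(*) FROM comments WHERE body LIKE :q');
$find->execute([':q' => "%O'Reilly%"]);
assert((int) $find->fetchColumn() === 1);

// The encode-on-input failure the answer warns about: storing an encoded
// value and then escaping again at output double-encodes it, so the
// visitor sees the literal text "&lt;b&gt;" instead of bold "hi".
$encodedOnInput = e($input);
$doubleEncoded  = e($encodedOnInput);
assert($doubleEncoded !== $encodedOnInput);
echo $doubleEncoded, PHP_EOL;
```

The same raw value is handed to three sinks, and each sink applies its own rule at the last moment: parameter binding for SQL, htmlspecialchars for HTML, nothing at all for the LIKE comparison. That is why the template-engine advice in the answer matters: an engine that escapes on output by default makes the HTML rule the path of least resistance.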


For JSPs, you can have your cake and eat it too, with the c:out tag, which escapes XML by default. This means you can bind to your properties as raw elements:

<input name="someName.someProperty" value="<c:out value='${someName.someProperty}' />" />

When bound to a string, someName.someProperty will contain the XML input, but when being output to the page, it will be automatically escaped to provide the XML entities. This is particularly useful for links for page validation.

MetroidFan2002 Avatar answered Nov 11 '22 17:11

MetroidFan2002