Menu
I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to < and > doesn't completely block reflected and persistent XSS.
I'm not talking about CSRF.
If this doesn't block XSS, can you provide an example of how to bypass this defence?
489
The short answer is no, it's not enough. The long answer is it depends on the context of where the user data goes. In an attribute it definitely will not be safe. In the body of certain tags, etc...
Escaping from XSSEscaping is the primary means to avoid cross-site scripting attacks. When escaping, you are effectively telling the web browser that the data you are sending should be treated as data and should not be interpreted in any other way.
Cross-site scripting (XSS) is a type of injection attack in which a threat actor inserts data, such as a malicious script, into content from trusted websites. The malicious code is then included with dynamic content delivered to a victim's browser. XSS is one of the most common cyber attack types.
Not all XSS attacks include < or > at all, depending on where the data is being inserted.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F
162
When using an untrusted string in an attribute (quoted with ") you need to escape " as ".
Otherwise you could easily inject javascript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".
20
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
