Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is my site safe from XSS if I replace all '<' with '&lt;'?

Tags:

security

xss

I'm wondering what the bare minimum to make a site safe from XSS is.

If I simply replace < with &lt; in all user submitted content, will my site be safe from XSS?

like image 342
Kyle Avatar asked Dec 02 '10 01:12

Kyle


4 Answers

Depends hugely on context.

Also, encoding less than only isn't that flash of an idea. You should just encode all characters which have special meaning and could be used for XSS...

  • <
  • >
  • "
  • '
  • &

For a trivial example of where encoding the less than won't matter is something like this...

Welcome to Dodgy Site. Please link to your homepage.

Malicious user enters...

http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;

Which obviously becomes...

<a href="http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;">View user's website</a>

Had you encoded double quotes, that attack would not be valid.

like image 170
alex Avatar answered Oct 05 '22 21:10

alex


There are also case where the encoding of the page counts. Ie - if your page character set is not correct or does not match in all applicable spots, then there are potential vulnerabilities. See http://openmya.hacker.jp/hasegawa/security/utf7cs.html for details.

like image 32
ttessier Avatar answered Oct 05 '22 21:10

ttessier


No. You have to escape all user input, regardless of what it contains.

like image 36
Yahel Avatar answered Oct 05 '22 21:10

Yahel


Depending on the framework you are using, many now have an input validation module. A key piece I tell software students when I do lectures is USE THE INPUT VALIDATION MODULES WHICH ALREADY EXIST!

reinventing the wheel is often less effective than using the tried and tested modules which exist already. .Net has most of what you might need built in - really easy to whitelist (where you know the only input allowed) or blacklist (a bit less effective as known 'bad' things always change, but still valuable)

like image 27
Rory Alsop Avatar answered Oct 05 '22 21:10

Rory Alsop