 

What is "Escaped" & "Unescaped" output

I'm not familiar with JavaScript.

I'm learning a Node.js template engine, and it has "Escaped" & "Unescaped" output.

What actually is "Escaped" & "Unescaped" output?

Is it like "include once" & "include"?

(Google is giving no results about this.)

apasajja asked Dec 22 '13 09:12





1 Answer

Escaping and unescaping are useful to prevent Cross-Site Scripting (XSS) attacks. It is one of the common web attacks, since it will be easy to create an attack vector if the site is not designed carefully. It's ranked number 3 in OWASP's Top 10 vulnerabilities of 2013.

The main intention is NOT to let the browser execute or interpret the HTTP response in a different way than intended.

For example, let's say you have a web page which lets the user enter his address, and you want the user to confirm it on the next page. So, you are getting the address entered by the user and displaying it on the next page. If the user enters a valid address, it will not be a problem. What if the user enters something like this:

<script>
    alert("Welcome");
</script>

Your next page will simply produce an alert box saying Welcome. Now, consider this case. You are writing a blogging application, and the user enters the above seen script in the text box provided. You'll be storing it in the DB, and whoever wants to see your blog will get to see that alert box. The worst thing is, if the attacker puts that in an infinite loop, whoever visits that blog will not be able to read the content at all.

This is just one of the basic attacks, which is possible if you don't escape the text.

So, normally, the text the user entered will be escaped and then stored in the DB. For example, the above seen attack vector (the script tag thing) will become like this, after HTML escaping:

&lt;script&gt;
    alert(&quot;Welcome&quot;);
&lt;/script&gt;

Now, the browser will not consider this a script element but an HTML element, so it will display it as

<script>
    alert("Welcome");
</script>

instead of executing it.

thefourtheye answered Oct 02 '22 04:10

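The two output modes the question asks about, as an added example that is not part of the original question or answer and does not use any real template engine's syntax: a minimal HTML escaper and a toy renderer in which `{{name}}` is escaped output and `{{{name}}}` is unescaped output (both placeholder forms are assumptions invented here), run over the `<script>` payload from the answer above.

```javascript
// Added example, not code from the original answer or from any real
// template engine. Shows why "escaped" output is the safe default for
// user-supplied values and "unescaped" output is only for trusted HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has meaning in HTML text or attribute
// values with its entity. '&' must be escaped too, otherwise the browser
// could turn a literal "&lt;" typed by the user back into "<".
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Toy renderer (placeholder syntax is an assumption made for this example):
//   {{key}}   -> escaped output: value is passed through escapeHtml()
//   {{{key}}} -> unescaped output: value is inserted verbatim
// Triple braces are handled first so "{{{x}}}" is not mistaken for "{{x}}".
function render(template, data) {
  return template
    .replace(/\{\{\{(\w+)\}\}\}/g, (_, key) => String(data[key] ?? ''))
    .replace(/\{\{(\w+)\}\}/g, (_, key) => escapeHtml(data[key] ?? ''));
}

// Constructed sample input: the payload the answer uses as its attack vector.
const userAddress = '<script>\n    alert("Welcome");\n</script>';

// Escaped output: the browser shows the tags as text instead of running them.
function renderEscaped() {
  return render('<p>Your address: {{address}}</p>', { address: userAddress });
}

// Unescaped output: the tags reach the browser intact, so the script runs.
function renderUnescaped() {
  return render('<p>Your address: {{{address}}}</p>', { address: userAddress });
}

console.log(renderEscaped());
console.log(renderUnescaped());
```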