I'm not familiar with Javascript
Learning template node.js template engine, it has "Escaped" & "Unescaped" output
What actually is "Escaped" & "Unescaped" output?
Is it like "include once" & "include"?
(Google giving no result about this)
[count] : an act of escaping from a place, situation, etc. The prisoners attempted a daring escape. He celebrated his escape from his boring job with a long vacation. She had a lucky escape when she wasn't injured in the accident.
escape used as a verb: To avoid (any unpleasant person or thing); to elude, get away from. "He only got a fine and so escaped going to jail." To avoid capture; to get away with something, avoid punishment. "Luckily, I escaped with only a fine."
How to use Escaped in a sentence. She escaped before he could respond. They must've escaped before the immortal world collapsed. She wiped an escaped tear from her cheek.
Escaping and unescaping are useful to prevent Cross Site Scripting
(XSS) attack. It is one of the common web attacks, since it will be easy to create an attack vector if the site is not designed carefully. Its ranked number 3 in the OWASP's Top 10 vulnerabilities of 2013
.
The main intention is to, NOT to let the browser execute or interpret the HTTP response in a different way than intended.
For example, lets say you have a web page which accepts the user to enter his address and you want the user to confirm it in the next page. So, you are getting the address entered by the user and displaying it in the next page. If the user enters a valid address, it will not be a problem. What if the user enters something like this
<script>
alert("Welcome");
</script>
Your next page will simply produce an alert box saying Welcome
. Now, consider this case. You are writing a blogging application, and the user enters the above seen script in the text box provided. You ll be storing it in DB and whoever wants to see your blog will get to see that alert box. Worst thing is, if the attacker puts that in an infinite loop, whoever visits that blog will not be able to read the content at all.
This is just one of the basic attacks, which is possible if you don't escape the text.
So, normally, the text user entered will be escaped and then stored in DB. For example, the above seen attack vector (the script tag thing) will become like this, after HTML escaping
<script><br/> alert("Welcome");<br/></script>
Now, browser will not consider this as a script element but a HTML element, so it will display it as
<script>
alert("Welcome");
</script>
instead of executing it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With