 

Why does HTML encoding prevent certain XSS attacks?

Tags: html, xss

I have been reading that you HTML encode on the way back from the server to the client (I think?) and this will prevent many types of XSS attacks. However, I don't understand at all. The HTML is still going to be consumed and rendered by the browser right?

How is this stopping anything?

I've read about this in multiple locations, websites and books, and nowhere does it actually explain why this works.

MetaGuru asked Dec 12 '11 13:12




2 Answers

Think about it: What does encoded HTML look like? For example, it could look like this:

&lt;a href=&quot;www.stackoverflow.com&quot;&gt;

So it will be rendered on the client as the literals (as <a href="www.stackoverflow.com">), not as HTML. Meaning you won't see an actual link, but the code itself.

XSS attacks work on the basis that someone can make a client browser parse HTML that the site provider didn't intend to be on there; if the above weren't encoded, it would mean that the provided link would be embedded in the site, although the site provider didn't want that.

XSS is of course a little more elaborate than that, and usually involves JavaScript as well (hence the Cross Site Scripting), but for demonstration purposes this simple example should suffice; it's the same with JavaScript code as with simple HTML tags, since XSS is a special case of the more general HTML injection.

codeling answered Sep 21 '22 06:09


HTML encoding turns <div> into &lt;div&gt;, which means that any HTML markup will display on the page as text, rather than executed as HTML markup.

The basic entities that are converted are:

  • & to &amp;
  • < to &lt;
  • > to &gt;
  • " to &quot;

OWASP recommends encoding some additional characters:

  • ' to &#x27;
  • / to &#x2F;

These encodings are how you textually represent characters that would otherwise be consumed as markup. If you wanted to write a<b you'd have to be careful that <b isn't treated like an HTML element. If you use a&lt;b the text that will be displayed to the user will be a<b.

zzzzBov answered Sep 24 '22 06:09
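The following JavaScript is an added example, not code from either answer: it implements the entity table above (the four basic entities plus the two OWASP additions), round-trips the text to show nothing is lost, and runs a constructed comment template with and without encoding so you can see when user text is parsed as markup. `renderComment`, `extraTagCount` and the sample input are constructed for the demonstration.

```javascript
// Added example (not from either answer): an output encoder implementing the
// entity table above, plus a toy template to show why encoding matters.
const HTML_ENTITIES = {
  '&': '&amp;',   // must be in the table, or user-typed "&lt;" would render as "<"
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',  // OWASP addition from the answer's list
  '/': '&#x2F;',  // OWASP addition from the answer's list
};
const ENTITY_TO_CHAR = Object.fromEntries(
  Object.entries(HTML_ENTITIES).map(([ch, ent]) => [ent, ch]));

// Encode untrusted text for an HTML body or attribute-value context.
// Single pass over the string, so an "&" in the input becomes "&amp;" exactly once.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Reverse of htmlEncode: the text itself is preserved, only its interpretation
// as markup changes.
function htmlDecode(encoded) {
  return encoded.replace(/&(?:amp|lt|gt|quot|#x27|#x2F);/g, (ent) => ENTITY_TO_CHAR[ent]);
}

// Constructed page template: user text is interpolated into a <p>.
// `encode` selects whether the text is HTML-encoded on the way out.
function renderComment(userText, encode) {
  const body = encode ? htmlEncode(userText) : userText;
  return `<p class="comment">${body}</p>`;
}

// Count tags in the fragment beyond the two the template itself contributes
// (<p ...> and </p>). Anything above zero means user text was parsed as markup.
function extraTagCount(fragment) {
  const tags = fragment.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length - 2;
}

// Constructed sample input: the link from the first answer.
const SAMPLE = '<a href="www.stackoverflow.com">click</a>';
console.log(renderComment(SAMPLE, false), extraTagCount(renderComment(SAMPLE, false))); // 2 extra tags
console.log(renderComment(SAMPLE, true), extraTagCount(renderComment(SAMPLE, true)));   // 0 extra tags
console.log(htmlEncode('a<b'), '->', htmlDecode(htmlEncode('a<b')));                    // a&lt;b -> a<b
```

Note that the encoder is only correct for HTML body and quoted attribute contexts; text placed inside a script block, a URL, or a CSS value needs the encoding rules of that context instead.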