Common Failures in HTML Escaping

When variables in your web-app can be set remotely, such as by a user input field, it is essential that certain character entities are escaped in order to prevent your site from being vulnerable to cross-site scripting (XSS) injection attacks. Ryan Grove explains the bare essentials for an HTML escaping safety net, and where coders often go wrong. A summary:

  • Escaping &, <, >, ", ', , !, @, $, %, (, ), =, +, {, }, [, and ] is almost enough
  • Always specify a charset, or UTF-7 will eat your face
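
As an added example (not from the summary above or from Ryan Grove's post), a small Python escaper that turns every character in the list into a numeric character reference, a check that nothing in the list survives unescaped, and a page template that declares the charset explicitly. Function names and the comparison against Python's minimal `html.escape` are my own assumptions.

```python
import html  # stdlib escaper used only for comparison: it handles & < > " ' and nothing else
import re

# Characters from the list above (the blank entry in the list is unknown and not guessed).
ESCAPE_CHARS = set('&<>"\'!@$%()=+{}[]')

# Matches the numeric references we emit, so the check below can ignore them.
NUMERIC_REF = re.compile(r'&#\d+;')


def escape_html(value: str) -> str:
    """Replace every listed character with a decimal numeric reference (&#NN;).

    Numeric references are valid in element text and in quoted or unquoted
    attribute values, so one escaper serves both contexts.
    """
    return ''.join(f'&#{ord(ch)};' if ch in ESCAPE_CHARS else ch for ch in value)


def is_fully_escaped(text: str) -> bool:
    """True when no listed character remains outside of a numeric reference."""
    stripped = NUMERIC_REF.sub('', text)
    return not (ESCAPE_CHARS & set(stripped))


def render_page(title: str, user_text: str) -> str:
    """Build a page with an explicit charset so the browser never has to guess
    (a missing charset is what lets a UTF-7 interpretation slip in) and with
    every user-controlled value passed through escape_html."""
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8">'
        f'<title>{escape_html(title)}</title></head>'
        f'<body><p>{escape_html(user_text)}</p></body></html>'
    )


def minimal_escaper_gap(value: str) -> bool:
    """True when the five-character stdlib escaper leaves a listed character behind.

    Constructed comparison: html.escape('a=b') keeps the '=' intact, which matters
    as soon as the value lands in an unquoted attribute.
    """
    return not is_fully_escaped(html.escape(value))


if __name__ == '__main__':
    print(escape_html('<b>'))          # &#60;b&#62;
    print(minimal_escaper_gap('a=b'))  # True
```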
