javascript - HTML attributes escaping


I'm reading the OWASP XSS prevention cheat sheet and got confused by rule number 2:

> RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes. Rule #2 is for putting untrusted data into typical attribute values like width, name, value, etc. This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover. It is extremely important that event handler attributes should follow Rule #3 for HTML JavaScript Data Values.

What is the reason complex attributes should not be escaped ("this should not be used for complex attributes like href, src, style")? Does it create ambiguity or break the values of the attributes?

https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet

It isn't that they shouldn't be escaped; it's that escaping them is insufficient to make the data safe against XSS.

Escaping the data stops it breaking out of the attribute and starting a new attribute or element.

That isn't enough if the attribute is one that can execute JavaScript.

This is vulnerable to XSS:

$external_input = '"><script>alert("got you");</script>'; ?><input class="<?php echo $external_input ?>"> 

But if you escape $external_input, the attribute value just becomes nonsense. It isn't harmful.

The following, on the other hand, allows arbitrary scripts to be executed even though it is HTML escaped:

$external_input = 'alert("got you");'; ?><input onmouseover="<?php echo htmlspecialchars($external_input); ?>"> 

You need to ensure the data is safe for whatever data format the value is in (and you should still escape it).

Putting a value in an href attribute? Make sure it is a URL, and that the URL scheme is one you trust (like http: and not javascript:).

Putting a value in a script? Escape it for JS (which you'd use a JSON encoder for).

And so on.
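The context-specific handling the answer describes, as an added JavaScript example (not code from the question or the answer): a rule #2 attribute escaper, an href check that allow-lists the URL scheme using the URL parser, and a JSON-based encoder for script context. The helper names escapeHtmlAttr, safeHref, jsStringLiteral and renderLink are made up here.

```javascript
// Added example, not from the original post. Helper names are hypothetical.

// Rule #2: attribute escaping. This only stops the value breaking out of a
// quoted attribute and starting a new attribute or element.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// href is a "complex" attribute: a javascript: URL needs no quote or angle
// bracket, so escaping leaves it intact. Validate the scheme first and fall
// back to a harmless value; escaping is then applied on top when rendering.
function safeHref(value) {
  const trimmed = String(value).trim();
  let parsed;
  try {
    // The URL parser normalises case and strips embedded tabs/newlines the
    // same way a browser does, which a hand-written regex would get wrong.
    // The base only matters for relative links.
    parsed = new URL(trimmed, 'https://example.invalid/');
  } catch {
    return '#';
  }
  const allowedSchemes = new Set(['http:', 'https:', 'mailto:']);
  return allowedSchemes.has(parsed.protocol) ? trimmed : '#';
}

// Script context (rule #3): encode as a JS string literal with a JSON
// encoder, then also escape "<" so the literal can never contain "</script>".
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Compose the two steps for a link: validate for the href context, then
// attribute-escape the result (and escape the label as text content).
function renderLink(untrustedHref, untrustedLabel) {
  const href = escapeHtmlAttr(safeHref(untrustedHref));
  return `<a href="${href}">${escapeHtmlAttr(untrustedLabel)}</a>`;
}
```

Escaping alone leaves `javascript:alert(1)` unchanged, which is exactly why the cheat sheet sends href and event handlers to the stricter rules; safeHref rejects it regardless of case or embedded tabs.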
