→Contextual output encoding/escaping of string input: Fix broken section link |
There are several escaping schemes that can be used depending on where the untrusted string needs to be placed within an HTML document including HTML entity encoding, JavaScript escaping, CSS escaping, and [[Percent-encoding|URL (or percent) encoding]].<ref name="OWASP">{{cite web |last=Williams |first=Jeff |title=XSS (Cross Site Scripting) Prevention Cheat Sheet |url=https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet |publisher=OWASP |date=January 19, 2009 |access-date=February 4, 2010 |archive-date=March 18, 2017 |archive-url=https://web.archive.org/web/20170318125710/https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet |url-status=dead }}</ref> Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS attacks in a fairly straightforward manner.
Performing HTML entity encoding only on the [[List of XML and HTML character entity references#
Some [[web template system]]s understand the structure of the HTML they produce and automatically pick an appropriate encoder.<ref>{{Cite web|url=https://golang.org/pkg/html/template/#hdr-Introduction|title=template - The Go Programming Language|website=golang.org|access-date=2019-05-01}}</ref><ref>{{Cite web|url=https://www.npmjs.com/package/pug-plugin-trusted-types|title=pug-plugin-trusted-types|website=npm|access-date=2019-05-01}}</ref>
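Added worked example (not part of the article or any of the projects it cites): one encoder for each insertion context named above, plus a small renderer that selects the encoder from the context declared in a placeholder, in the spirit of the contextually autoescaping template systems just mentioned. The `{{name:context}}` placeholder syntax and the sample input are constructed for this example.

```python
# Context-aware output encoding (added example, not from the article).
# One encoder per insertion context named above: HTML entity, JavaScript
# string, CSS string and URL (percent) encoding, plus a small renderer that
# picks the encoder from each placeholder's declared context.
import html
import re
from urllib.parse import quote

def html_encode(s: str) -> str:
    """HTML body or quoted attribute: entity-encode & < > " and '."""
    return html.escape(s, quote=True)

def js_string_encode(s: str) -> str:
    """Inside a quoted JS string literal: non-alphanumeric ASCII becomes \\xHH,
    so quotes, backslashes and "</script>" cannot end the literal or block."""
    out = []
    for c in s:
        o = ord(c)
        if c.isascii() and c.isalnum():
            out.append(c)
        elif o < 0x100:
            out.append("\\x%02x" % o)
        elif o < 0x10000:
            out.append("\\u%04x" % o)   # also covers U+2028/9 line terminators
        else:
            out.append(c)               # astral chars are inert in a literal
    return "".join(out)

def css_string_encode(s: str) -> str:
    """Inside a quoted CSS string: \\HH plus the terminating space."""
    return "".join(c if c.isascii() and c.isalnum() else "\\%02x " % ord(c)
                   for c in s)

def url_encode(s: str) -> str:
    """A single query-string value: percent-encode all but unreserved chars."""
    return quote(s, safe="")

ENCODERS = {"html": html_encode, "js": js_string_encode,
            "css": css_string_encode, "url": url_encode}

def render(template: str, values: dict) -> str:
    """Expand {{name:context}}; an unknown context raises KeyError rather
    than emitting the raw value (constructed placeholder syntax)."""
    return re.sub(r"\{\{(\w+):(\w+)\}\}",
                  lambda m: ENCODERS[m.group(2)](values[m.group(1)]), template)

def render_sample() -> str:
    untrusted = '"><script>alert(1)</script>'   # constructed test input
    page = ('<p title="{{u:html}}">{{u:html}}</p><script>var q = "{{u:js}}";'
            '</script><a href="/search?q={{u:url}}">link</a>')
    return render(page, {"u": untrusted})
```

The same untrusted value is rendered three times with three different encoders; applying HTML entity encoding alone inside the script block or the URL would leave the literal or the query parameter breakable.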