Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I want to escape for XSS in an HTML context, and so far I treat the <, >, and " characters.
Apparently it is recommended to escape the ampersand as well, but why? (Other than for keeping the HTML valid, let’s assume that this is not an issue)
So what I am asking is:
When I escape <, > and ", can someone demonstrate how the ampersand can still allow an XSS attack in an HTML context?
Cheers!
You should really take a look at the OWASP XSS Prevention Cheat Sheet.
You should escape & because it can be used to circumvent other defenses. Consider this code:
To defend against XSS inside the onclick event handler, the developer escapes ‘, “, < and > in data_from_user and thinks everything is ok. The problem is that if the attacker types
'which passes the escaping, but ends up allowing the attacker to run javascript.Example here: http://erlend.oftedal.no/blog/?blogid=124