Page Comparison

Data Type

Context

Code Sample

Defense

String

HTML Body

<span>UNTRUSTED DATA</span>

• HTML Entity Encoding

String

Safe HTML Attributes

<input value="UNTRUSTED DATA">

• Aggressive HTML Entity Encoding
• Only place untrusted data into a whitelist of safe attributes (listed below).
• Strictly validate unsafe attributes such as background, id and name.

String

GET Parameter

<a href="/site/search?value=UNTRUSTED DATA">clickme</a>

• URL Encoding

String

Untrusted URL in a SRC or HREF attribute

<a href="UNTRUSTED URL">clickme</a>
<iframe src="UNTRUSTED URL" />

• Canonicalize input
• URL Validation
• Safe URL verification
• Whitelist http and https URL's only (Avoid the JavaScript Protocol to Open a new Window)
• Attribute encoder

String

CSS Value

<div style="width:UNTRUSTED DATA;">Selection</div>

• Strict structural validation
• CSS Hex encoding
• Good design of CSS Features

String

JavaScript Variable

<script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>

• Ensure JavaScript variables are quoted
• JavaScript Hex Encoding
• JavaScript Unicode Encoding
• Avoid backslash encoding (\" or \' or
  )

HTML

HTML Body

<div>UNTRUSTED HTML</div>

• HTML Validation (JSoup, AntiSamy, HTML Sanitizer)

String

DOM XSS

<script>document.write("UNTRUSTED INPUT: " + document.location.hash);<script/>

• DOM based XSS Prevention Cheat Sheet