4
votes

I'm having a debate with one of my colleagues over how to prevent an XSS attack through the encoding of specific characters. Will escaping the < character with &lt; do the trick?

When I review the attack vector cheat sheet published by OWASP, it seems that all attacks use the < character as the basis of execution.

If this does not work, what attack would beat it?

1
The short answer is no, it's not enough. The long answer is it depends on the context of where the user data goes. In an attribute it definitely will not be safe. In the body of certain tags, etc...ircmaxell
The user data goes into the body of HTML elements. Attributes are not set dynamically.rynmrtn
Have a look at the XSS (Cross Site Scripting) Prevention Cheat Sheet and you’ll see it doesn’t suffice. It all depends on the context in which the injection happens. Besides that, there is also DOM-based XSS.Gumbo

1 Answers

4
votes

No, for the HTML body you will also need to encode the & character to prevent an attacker from potentially escaping the escape.

Check out the XSS Experimental Minimal Encoding Rules:-

HTML Body (up to HTML 4.01):

  • HTML Entity encode < &

  • specify charset in metatag to avoid UTF7 XSS

XHTML Body:

Note that if you want to enter stuff inside of an attribute value, then you need to properly encode all characters with special meaning. The XSS (Cross Site Scripting) Prevention Cheat Sheet mentions to encode the following characters:-

&,<, >, ", ', /

You must also quote the attribute value for the escaping to be effective.