Abridged XSS Prevention Cheat Sheet

= Introduction =

Cross site scripting is the most common web vulnerability. Cross Site Scripting is a dangerous threat since it allows an attacker to trick a victim into executing malicious client-side script in a browser. This cheat sheet is a derivative work of the XSS (Cross Site Scripting) Prevention Cheat Sheet and will assist web developers in eliminating XSS from their applications.

= XSS Prevention Safe Contexts =

The following snippets of HTML demonstrate how to safely render untrusted data in a variety of different contexts.

Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

= XSS Prevention Dangerous Contexts =

The following snippets of HTML demonstrate dangerous contexts that developers  should always avoid .

= Experimental Minimal Encoding Rules =

The following examples demonstrate minimal experiential encoding rules.

= How to Output Encode =

The purpose of output encoding (as it relates to Cross Site Scripting) is to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser. The following charts details a list of critical output encoding methods needed to stop Cross Site Scripting.

= Related Articles =

= Authors and Primary Editors =

Jim Manico - jim [at] owasp.org Jeff Williams - jeff [at] aspectsecurity.com