Difference between revisions of "CRV2 ContextEncHTMLEntity"

From OWASP
Jump to: navigation, search
(Created page with "HTML elements which contain user controlled data or data from untrusted sourced should be reviewed for contextual output encoding. In the case of HTML entities we need to help...")
 
Line 4: Line 4:
 
'''Example HTML Entity containing untrusted data:'''
 
'''Example HTML Entity containing untrusted data:'''
 
     HTML Body Context
 
     HTML Body Context
 +
   
 
     <span>UNTRUSTED DATA</span>
 
     <span>UNTRUSTED DATA</span>
 +
    OR
 +
    <body>...UNTRUSTED DATA </body>
 +
    OR
 +
    <nowiki><div>UNTRUSTED DATA </div></nowiki>
 +
   
 +
HTML Entity Encoding is required
 +
 +
    & --> &amp;amp;
 +
    < --> &amp;lt;
 +
    > --> &amp;gt;
 +
    " --> &amp;quot;
 +
    ' --> &amp;#x27;

Revision as of 10:37, 3 October 2013

HTML elements which contain user controlled data or data from untrusted sourced should be reviewed for contextual output encoding. In the case of HTML entities we need to help ensure HTML Entity Encoding is perfromed:

Example HTML Entity containing untrusted data:

   HTML Body Context
   
   UNTRUSTED DATA
   OR
   <body>...UNTRUSTED DATA </body>
   OR
   <div>UNTRUSTED DATA </div>
   

HTML Entity Encoding is required

   & --> &amp;
   < --> &lt;
   > --> &gt;
   " --> &quot;
   ' --> &#x27;