Difference between revisions of "HTML Entity Encoding"

From OWASP
 
Line 1: Line 1:
 
{{Template:Countermeasure}}
 
{{Template:Countermeasure}}
  
HTML entity encoding is the process of replacing ASCII characters with their 'HTML Entity' equivalents. For example, you would replace the "<" character with "&lt;"
+
HTML entity encoding is the process of replacing ASCII characters with their 'HTML Entity' equivalents. For example, you would replace the "<" character with "&amp;lt;"
  
 
Using HTML entity encoding is useful because HTML entities are 'inert' in most interpreters, especially browsers.  This means that even if an attacker tricks your application into sending malicious code to another user's browser, the attack won't execute.
 
Using HTML entity encoding is useful because HTML entities are 'inert' in most interpreters, especially browsers.  This means that even if an attacker tricks your application into sending malicious code to another user's browser, the attack won't execute.
  
 
{{Template:Stub}}
 
{{Template:Stub}}
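Review bot: the one changed line, `&lt;` to `&amp;lt;`, is the right fix and the only one the revision needs. In wikitext a bare `&lt;` is passed straight through to the browser and renders as a literal `<`, so the old revision read 'replace the "<" character with "<"'. Writing `&amp;lt;` makes the rendered page show the entity name `&lt;` itself, which is what the sentence means; any further entity names added to this sentence later (for example `&amp;gt;` for `>`) would need the same treatment.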

Revision as of 11:11, 24 July 2006

This is a countermeasure. To view all countermeasures, please see the Countermeasure Category page.

HTML entity encoding is the process of replacing ASCII characters with their 'HTML Entity' equivalents. For example, you would replace the "<" character with "&lt;".

Using HTML entity encoding is useful because HTML entities are 'inert' in most interpreters, especially browsers. This means that even if an attacker tricks your application into sending malicious code to another user's browser, the attack won't execute.
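The two paragraphs above describe the countermeasure without showing it applied. The following is an added example, not code from the OWASP page: a small JavaScript encoder that maps the characters significant to HTML to their entity equivalents, a hypothetical `renderComment` function that places untrusted text into an element body and an attribute, and an `isInert` check that confirms the encoded output can no longer open a tag or close a quoted attribute. The sample input is constructed; the set of five encoded characters (`& < > " '`) and the numeric form for the single quote are the author's choices, not something the page specifies. The last lines also show what happens when the encoder is applied twice: `<` becomes `&amp;lt;`, which a browser displays as the literal text `&lt;`, so encoding belongs exactly once, at the output boundary.

```javascript
// Added example (not from the OWASP page): HTML entity encoding of untrusted
// text before it is placed into an HTML document.
const HTML_ENTITIES = {
  "&": "&amp;",  // encoded so output text can never start a new entity
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;", // &apos; is not defined in HTML 4, so the numeric form is used
};

// Single-pass replacement: each significant character is looked up once, so
// the order of the table does not matter and an "&" produced by the encoder
// is never re-encoded within the same call.
function htmlEntityEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical view helper: builds the HTML sent to the browser for a user
// comment, inserting the same untrusted value into an element body and into
// a double-quoted attribute. Both contexts are covered by the same encoding.
function renderComment(untrusted) {
  const safe = htmlEntityEncode(untrusted);
  return `<p title="${safe}">${safe}</p>`;
}

// Minimal inertness check for text destined for an element body or a
// double-quoted attribute: no tag can be opened and no attribute closed
// if none of these characters survive encoding.
function isInert(encoded) {
  return !/[<>"]/.test(encoded);
}

// Constructed sample input of the kind the page describes: text that the
// browser would interpret as markup and script if sent through unencoded.
const sample = `<script>alert("x")</script> & 'quotes'`;

// Encoding twice turns "&lt;" into "&amp;lt;", which the browser renders as
// the literal characters "&lt;" rather than as "<".
function doubleEncodedLessThan() {
  return htmlEntityEncode(htmlEntityEncode("<"));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderComment(sample));
  console.log("once:", htmlEntityEncode("<"), "twice:", doubleEncodedLessThan());
}
```

When this runs, `renderComment(sample)` yields a paragraph whose body and title attribute contain the sample as visible text; the `<script>` element is never created because the browser sees `&lt;script&gt;`, not a tag.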

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.