in reply to XSS Protection in cgi application
Some general rules:
- Don't try to identify malicious content. Identify valid content for your fields, and discard everything else. A field named "store" is unlikely to require any of the critical characters <>&.
- If you include form fields in a response, you need to HTML-escape them as you would for your own texts. HTML-encoding "<" is different from URL-encoding "%3C". If you build href or other URL attributes, you need to apply both encodings on top of each other.
- Be aware that attackers don't use a browser to construct their URLs. Validating form fields with HTML data types or JavaScript is nice for convenience, but doesn't help for your application's security.
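As an added illustration of the three rules above (example code, not part of the original reply), a small Python CGI-style handler that allowlists the "store" field instead of hunting for bad characters, HTML-escapes echoed text, and URL-encodes a value placed in an href before HTML-escaping the attribute on top; the field names, the allowlist shape and the URL path are assumptions.

```python
import re
import html
from urllib.parse import quote

# Assumed allowlist for the "store" field: letters, digits, '-' and '_',
# 1 to 32 characters. Everything else is rejected outright; no attempt is
# made to recognise "malicious" input.
STORE_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_store(value):
    """Return the value if it matches the allowlist, otherwise None."""
    if value is None:
        return None
    return value if STORE_RE.fullmatch(value) else None


def html_text(value):
    """Escape a value for an HTML text or attribute context (& < > " ')."""
    return html.escape(value, quote=True)


def href_for_store(store):
    """Build a URL containing the store, then escape it for an href attribute.

    URL-encoding runs first (quote), HTML-escaping is applied on top, so the
    '&' separating query parameters ends up as '&amp;' inside the attribute;
    the browser decodes that back to '&' before it follows the link.
    """
    url = "/cgi-bin/catalog?store=" + quote(store, safe="") + "&page=1"
    return html.escape(url, quote=True)


def render_response(form):
    """Render the response body from a dict of already URL-decoded form fields.

    Validation happens server-side on the decoded values; whatever the client
    did (or did not do) in the browser is irrelevant here.
    """
    store = validate_store(form.get("store"))
    if store is None:
        return "<p>Invalid store.</p>"
    # "note" is free text and cannot be allowlisted, so it is escaped on output.
    note = form.get("note", "")
    return ('<p>Store: %s</p><p>Note: %s</p><a href="%s">catalog</a>'
            % (html_text(store), html_text(note), href_for_store(store)))
```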