dpb
Reputation: 353
XSS - Does blacklisting of following characters take good enough care of XSS?
I am blacklisting following characters for a variable which becomes part of the URL.
Please suggest if I am missing any or should exclude any.
"~!@#$%^*()+{}[]|<>\"\\:;,"
Upvotes: 0
Views: 63
Answers (1)
ircmaxell
Reputation: 165201
No it does not.
Also, never try to do security through blacklists. Use whitelists.
And never try to filter for XSS. Encode your output for the format you're writing to. For HTML (body and quoted attributes) then use something like php's htmlspecialchars().
Upvotes: 3
Related Questions
- Is this enough to prevent xss?
- Blacklist/whitelist for XSS
- XSS Blacklist - Is anyone aware of a reasonable one?
- Is it secure to prevent XSS by stripping all English characters?
- XSS blacklist in php
- Accepting potentially dangerous characters and preventing Stored XSS
- Writing XSS Filter for (X)HTML Based on White List
- What is the minimum set of characters I need to ban to avoid XSS
- List of characters to be restricted for protection against XSS and SQL Injections?
- Avoiding XSS vulnerabilities - whitelist?