Reputation: 22035
I'm wondering what the bare minimum to make a site safe from XSS is.
If I simply replace <
with <
in all user submitted content, will my site be safe from XSS?
Upvotes: 5
Views: 1343
Reputation: 1439
Depending on the framework you are using, many now have an input validation module. A key piece I tell software students when I do lectures is USE THE INPUT VALIDATION MODULES WHICH ALREADY EXIST!
reinventing the wheel is often less effective than using the tried and tested modules which exist already. .Net has most of what you might need built in - really easy to whitelist (where you know the only input allowed) or blacklist (a bit less effective as known 'bad' things always change, but still valuable)
Upvotes: 2
Reputation: 37305
No. You have to escape all user input, regardless of what it contains.
Upvotes: 2
Reputation: 21
There are also case where the encoding of the page counts. Ie - if your page character set is not correct or does not match in all applicable spots, then there are potential vulnerabilities. See http://openmya.hacker.jp/hasegawa/security/utf7cs.html for details.
Upvotes: 2
Reputation: 490123
Depends hugely on context.
Also, encoding less than only isn't that flash of an idea. You should just encode all characters which have special meaning and could be used for XSS...
<
>
"
'
&
For a trivial example of where encoding the less than won't matter is something like this...
Welcome to Dodgy Site. Please link to your homepage.
Malicious user enters...
http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;
Which obviously becomes...
<a href="http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;">View user's website</a>
Had you encoded double quotes, that attack would not be valid.
Upvotes: 5
Reputation: 16058
If you escape all user input you should be safe.
That mean EVERYTHING EVERYWHERE it shows up. Even a username on a profile.
Upvotes: 0