Kyle

Reputation: 22035

Is my site safe from XSS if I replace all '<' with '&lt;'?

I'm wondering what the bare minimum to make a site safe from XSS is.

If I simply replace < with &lt; in all user submitted content, will my site be safe from XSS?

Upvotes: 5

Views: 1343

Answers (5)

Rory Alsop

Reputation: 1439

Depending on the framework you are using, many now have an input validation module. A key piece I tell software students when I do lectures is USE THE INPUT VALIDATION MODULES WHICH ALREADY EXIST!

Reinventing the wheel is often less effective than using the tried and tested modules which exist already. .Net has most of what you might need built in - really easy to whitelist (where you know the only input allowed) or blacklist (a bit less effective as known 'bad' things always change, but still valuable).

Upvotes: 2

Yahel

Reputation: 37305

No. You have to escape all user input, regardless of what it contains.

Upvotes: 2

ttessier

Reputation: 21

There are also cases where the encoding of the page counts. I.e., if your page character set is not correct or does not match in all applicable spots, then there are potential vulnerabilities. See http://openmya.hacker.jp/hasegawa/security/utf7cs.html for details.

Upvotes: 2

alex

Reputation: 490123

Depends hugely on context.

Also, encoding less than only isn't that flash of an idea. You should just encode all characters which have special meaning and could be used for XSS...

  • <
  • >
  • "
  • '
  • &

A trivial example of where encoding the less-than won't matter is something like this...

Welcome to Dodgy Site. Please link to your homepage.

Malicious user enters...

http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;

Which obviously becomes...

<a href="http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;">View user's website</a>

Had you encoded double quotes, that attack would not be valid.

Upvotes: 5
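As an added illustration of alex's point (example code, not from the original answer), the JavaScript below renders the same link template with the question's '<'-only replacement and with a full five-character escape, then lists the attributes a browser would see on the resulting tag. The template, the hostile input and the small attribute scanner are constructed for this demonstration.

```javascript
// Added example (not from the original answer): contrast escaping only "<",
// as the question proposes, with escaping all five HTML-special characters,
// in the quoted-attribute context alex describes. Template and input below
// are constructed for the demonstration.

// The question's proposal: neutralise "<" and nothing else.
function escapeLtOnly(s) {
  return s.replace(/</g, "&lt;");
}

// Escape every character that can change HTML parsing. "&" goes first so
// the entities produced by the later replacements are not re-escaped.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The template from the answer: user-supplied URL inside a double-quoted href.
function renderLink(escape, homepage) {
  return `<a href="${escape(homepage)}">View user's website</a>`;
}

// Constructed copy of the hostile homepage value from the answer.
const HOSTILE_HOMEPAGE =
  'http://www.example.com" onclick="window.location = \'http://nasty.com\'; return false;';

// Minimal attribute scanner for a double-quoted <a ...> start tag: returns the
// attribute names a browser would see. A correct escape yields ["href"] only;
// a second name means the user broke out of the attribute value.
function attributeNames(html) {
  const tag = html.match(/^<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

console.log(attributeNames(renderLink(escapeLtOnly, HOSTILE_HOMEPAGE))); // [ 'href', 'onclick' ]
console.log(attributeNames(renderLink(escapeHtml, HOSTILE_HOMEPAGE)));   // [ 'href' ]
```

With the full escape the whole hostile string stays inside the href value; it is the double quote, not the less-than, that decides whether the attacker gets a second attribute.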

John

Reputation: 16058

If you escape all user input you should be safe.

That means EVERYTHING EVERYWHERE it shows up. Even a username on a profile.

Upvotes: 0
