May 19

Preventing XSS with Correct Output Encoding

Category: Security

Encoding output to prevent cross-site scripting (XSS) is old news to most of the web security community, but it is still an area that is done incorrectly, or without thought to future issues that might arise.  Additionally, with the explosion of AJAX-based applications, there is a lack of encoding tools that target the JavaScript context or provide an implementation in JavaScript.


Standard framework utilities for encoding output (Server.HtmlEncode, etc.) only encode the most basic set of characters needed: &, <, >, and ".  The single quote is often not among them, which is already a problem for single-quoted attributes.  In a perfect world the basic set would be enough, but in this day and age of browser bugs, broken Unicode libraries, and lenient HTML interpretation (which lets the occasional bit of sloppy coding slide), more is needed to protect our applications.  Enter the Reform encoding library.

Of specific note is correct context-aware output encoding.  The context could be "HTML body", "HTML attribute", "CSS", "JavaScript", etc.  It is important to understand how the browser will treat your data in order to know how it needs to be encoded; the same value placed inside a JavaScript string literal and inside an HTML attribute needs two different encodings.  It is because of these context issues that one must encode data on output instead of on input: at input time you do not yet know every context the data will end up in.  Unfortunately there are no shortcuts :)

The Reform encoding library, also known as the OWASP Encoding Project, provides conservative functions for performing the different types of encoding needed in today's web applications, in a large variety of languages.  Currently there is support for: Java, C, Python, Perl, PHP, Ruby, JavaScript, ASP.NET, and Classic ASP.  All of the Reform functions are internationalization safe, are easy to use, and prevent all known types of XSS issues when used correctly, that is, with the encoder that matches the output context.

What is encoded?

  • Everything but: A-Z, a-z, 0-9, space [ ], comma [,], and period [.]
  • Unicode is always encoded

The following functions are provided:

  • HtmlEncode — Encode data for display in a block of HTML or in an HTML attribute value.
  • JsEncode — Encode data into a JavaScript string literal.
  • VbsEncode — Encode data into a VBScript string literal.
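The following is an added example, written for this page; it is not Reform's code (Reform does have a Python port, but the functions below are independent). It implements the "everything but A-Z, a-z, 0-9, space, comma and period" rule from the list above as three context-specific encoders (the names html_encode, js_encode and vbs_encode are this example's own), and then shows the point of the context-aware section: the same untrusted value is output into an HTML body, a quoted HTML attribute and a JavaScript string literal, each with its own encoder, and only at output time. The minimal_html_encode helper is a constructed stand-in for the basic four-character framework helpers mentioned earlier, not the code of any real framework. Assumptions: attributes are double-quoted, the VBScript output uses ChrW(n) concatenation, and the payload is constructed for the demonstration.

```python
"""Context-aware output encoders, in the style of the Reform rule above.

Added example (not Reform's own code): only A-Z, a-z, 0-9, space, comma and
period pass through; everything else, ASCII punctuation and all non-ASCII
alike, is numerically encoded for the context it will be output into.
"""

SAFE = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ,."
)


def html_encode(text: str) -> str:
    """HTML body text or a quoted HTML attribute value (assumed double-quoted).
    Each unsafe character becomes a decimal character reference, so the
    output never contains <, >, &, ", ' or a raw non-ASCII character."""
    return "".join(ch if ch in SAFE else f"&#{ord(ch)};" for ch in text)


def js_encode(text: str) -> str:
    """Inside a JavaScript string literal (caller supplies the quotes).
    \\xHH below U+0100, \\uHHHH in the BMP, and a UTF-16 surrogate pair above
    it, since JavaScript \\u escapes are 16-bit units. Escaping < and / means
    the literal can never contain </script>, which would end the enclosing
    <script> block regardless of JavaScript quoting."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in SAFE:
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04x}")
        else:  # astral code point: emit high and low surrogates
            cp -= 0x10000
            hi, lo = 0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)
            out.append(f"\\u{hi:04x}\\u{lo:04x}")
    return "".join(out)


def vbs_encode(text: str) -> str:
    """A complete VBScript string expression. VBScript has no backslash
    escapes, so unsafe characters are spliced in as ChrW(n) (assumed form;
    the surrounding double quotes are part of the returned expression)."""
    parts = ['"']
    for ch in text:
        parts.append(ch if ch in SAFE else f'" & ChrW({ord(ch)}) & "')
    parts.append('"')
    return "".join(parts)


def minimal_html_encode(text: str) -> str:
    """Constructed stand-in for the basic framework helpers (&, <, >, ")
    the post mentions; not the code of any real framework. Note that it
    leaves the single quote, semicolon and slash untouched."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def script_block(value: str, encoder) -> str:
    """Embed value in a single-quoted JavaScript string literal using the
    given encoder, so the effect of picking the wrong one can be observed."""
    return f"<script>var name = '{encoder(value)}';</script>"


def render_page(untrusted: str) -> str:
    """The same untrusted value output into three contexts, each with the
    encoder that context needs. Encoding happens here, at output time; the
    stored value stays raw because only this point knows the context."""
    return (
        f"<p>{html_encode(untrusted)}</p>\n"
        f'<input type="text" value="{html_encode(untrusted)}">\n'
        f"{script_block(untrusted, js_encode)}\n"
    )


if __name__ == "__main__":
    # Constructed payload: closes a single-quoted JS string and runs code.
    payload = "';alert(document.cookie);//"
    print("wrong encoder for a JS context:")
    print(" ", script_block(payload, minimal_html_encode))
    print("right encoder for a JS context:")
    print(" ", script_block(payload, js_encode))
    print(render_page("<b>Bob</b> é 😀"))
```

Running it shows the failure mode directly: the four-character helper passes the payload straight into the script block, where the leading quote ends the literal and the rest executes, while js_encode turns every quote, semicolon, parenthesis and slash into a \xHH escape and the string stays a string. The same html_encode output is reused for body and attribute because the conservative rule leaves nothing that either parser could misread; the Unicode cases (é, the euro sign, an astral emoji) are encoded numerically everywhere, which is what the "Unicode is always encoded" bullet buys you.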

Microsoft’s AntiXss Library

An alternative to Reform is the Microsoft AntiXss Library.  Both libraries are functionally equivalent and were in fact designed by the same people.

Reform can be downloaded from here.


2 Comments so far

  1. Security Blog October 15th, 2008 1:54 am

    Great post, thanks!

    I think it’s too easy to skip validation of outputted code when rushing to finish a form.

    It may not seem like a big deal if a script kiddie spams the form with popups, but what would happen if they stole cookies related to the form?

    Well worth taking the time to think about security, in my opinion!

  2. sandrar September 10th, 2009 2:48 pm

    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.
