Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
1.1k views
in Technique[技术] by (71.8m points)

escaping - Cross Site Scripting (XSS): Do I need to escape the ampersand?

I want to escape for XSS in an HTML context, and so far I treat the <, >, and " characters. Apparently it is recommended to escape the ampersand as well, but why? (Other than for keeping the HTML valid, let's assume that this is not an issue)

So what I am asking is: When I escape <, > and ", can someone demonstrate how the ampersand can still allow an XSS attack in an HTML context?

Cheers!


1 Answer

0 votes
by (71.8m points)

You should really take a look at the OWASP XSS Prevention Cheat Sheet.

You should escape & because it can be used to circumvent other defenses. Consider this code:

<button onclick="confirm('Do you really want to delete <%= data_from_user; %> ?')">Delete</button>

To defend against XSS inside the onclick event handler, the developer escapes ', ", < and > in data_from_user and thinks everything is OK. The problem is that the attacker can type &#39;, which passes the escaping but ends up allowing the attacker to run JavaScript.

Example here: http://erlend.oftedal.no/blog/?blogid=124
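
Added example (not part of the original answer or the linked blog post): a Python model of the decoding order behind this answer, where the HTML parser decodes character references in the onclick value before the JavaScript engine sees it. The page does not say how the four characters are escaped, so this assumes backslash escaping for ' (and \) inside the JavaScript string and entities for ", < and >; the function names are hypothetical and `html.unescape` stands in for the browser's attribute decoding.

```python
import html

# The answer's template; {} marks where data_from_user is written.
TEMPLATE = ("<button onclick=\"confirm('Do you really want to delete {} ?')\">"
            "Delete</button>")

def escape_four(value):
    """Assumed filter: handles ' " < > (and backslash) but leaves & alone."""
    value = value.replace("\\", "\\\\").replace("'", "\\'")
    return value.replace('"', "&quot;").replace("<", "&lt;").replace(">", "&gt;")

def escape_four_and_amp(value):
    """Same filter, with & encoded first so user-typed references stay text."""
    return escape_four(value.replace("&", "&amp;"))

def handler_source(markup):
    """Model the HTML parser: take the onclick value and decode character
    references, giving the text the JavaScript engine actually receives."""
    start = markup.index('onclick="') + len('onclick="')
    return html.unescape(markup[start:markup.index('"', start)])

def literal_intact(handler):
    """Scan the single-quoted JS string, honouring backslash escapes. True only
    if the quote that ends it is the template's own, i.e. followed by ')'."""
    i = handler.index("'") + 1
    while i < len(handler) and handler[i] != "'":
        i += 2 if handler[i] == "\\" else 1
    return handler[i + 1:] == ")"

def survives(escaper, user_value):
    """True when user_value stays inside the confirm() string after decoding."""
    return literal_intact(handler_source(TEMPLATE.format(escaper(user_value))))

if __name__ == "__main__":
    for value in ("report.txt", "a'b", "a&#39;b"):  # constructed inputs
        print(f"{value!r:14} four={survives(escape_four, value)} "
              f"four+amp={survives(escape_four_and_amp, value)}")
```

The same `survives` check can be pointed at any other escaping function to see whether a value stays inside the string literal once the attribute has been decoded.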

