开发者

What is the minimum set of characters I need to ban to avoid XSS

I'm writing a simple website and I appreciate my responsibility to avoid my site being used for XSS however I don't really want to spend much time on a detailed or heavy weight solution. If I was to simply ban a list of characters (that people weren't going to need to describe their favourite sausage anyway) what is the smallest list I could get away with?

Users still need the ability to write a paragraph of plain text. So I'll need to keep at least:

' " , . ; : - ( )

in the hope that some of the less grammatically challenged users can apply th开发者_JAVA百科em accurately. I was going to start with < and > but searching indicated that, on it's own, isn't necessarily enough.


Just because you need to keep

' " , . ; : - ( )

Doesn't mean you need to keep them as those literal characters. Convert all special characters to their HTML entities (e.g. convert all < to &lt;


You probably shouldn't just ban characters. Instead prefer to HTML escape any input before outputting it back to the user. See OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.


You haven't mentioned the server platform you're working with (.NET, Java, PHP, etc.), and each has slightly different ways of dealing with XSS. However, there are two constants:

  1. Always validate your input against a white-list. Don't define what you won't allow, rather define what you will allow.
  2. Always encode your output and do so for the correct language. Most platforms have libraries to do this for you (i.e. AntiXSS for ASP.NET)

More info on understanding XSS in greater depth here: OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜