1

How can some user generated text be safely written out on a webpage?

Is there some complete list of characters that needs to be escaped?

The ",+,: -character should probably be escaped, but there are probably a more comprehensive lis of what needs to be done.

I am thinking about the possibility to do exploits that inserts javascript or other things that will redirect the page or mess things up. The younger generation has so much creativity.

Leet hacker 93489
  • 11
  • 1
  • **What is the *context* of the user generated string?** For example, you need to use slightly different encoding for HTML *attribute* vs *text node*. I would recommend reading https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss.html#philosophy-and-general-rules as an introduction. Another good document to read is https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#introduction – Mikko Rantalainen Jun 28 '21 at 11:10

4 Answers4

0

This vulnerability is called an XSS attack. Different programming languages have functionality to do the escaping automatically for you, for example in php you can use the function called htmlspecialchars() to escape user text that will be rendered raw. Other languages have similar functionalities.

This gets more complicated if you want to allow users to use only a subset of html (i.e. if you have a forum where users are allowed to format their posts to a limited degree etc...), then you actually have to parse the text and decide what to allow and what not to allow. There are a variety of engines that will do this for you (e.g. markdown, which SO uses).

Jesse Cohen
  • 4,010
  • 22
  • 25
0

Escaping <, >, & and ' should be sufficient.

JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • 1
    Only if you insert text into a regular HTML element (and OWASP recommends escaping `"` and `/` too); if you insert into e.g. HTML attribute values, more care must be taken. But I guess that inserting into HTML elements is the most common scenario. – Aasmund Eldhuset Feb 26 '11 at 16:36
  • 1
    The OP asked for XHTML, and if he's not sure about what is in the user text, he'd better not insert it in an attribute if he wantss his XHTML valid and functional. – JB Nizet Feb 26 '11 at 16:43
0

Depending on your serverside language there are special methods for this.

Marco
  • 4,817
  • 5
  • 34
  • 75
0

(Copying my own answer to a similar question - please alert me if this is considered bad practice.)

You might want to consult the OWASP Cheat Sheet on Cross Site Scripting Prevention. It boils down to:

  • Being aware of the locations where you should not put untrusted data at all
  • Being aware of the different ways in which data should be escaped in the different kinds of locations where you can put untrusted data
  • Using whitelisting (escaping everything except specified safe characters) instead of blacklisting (only escaping specified unsafe characters)

(Read the entire document, though, rather than relying on this summary...)

Community
  • 1
  • 1
Aasmund Eldhuset
  • 37,289
  • 4
  • 68
  • 81