OWASP says "Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities" and "Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS" but how to differentiate between Escaping and Encoding? Another website says that Escaping is a subset of Encoding. I'm just confused between the two.
- Okay so Stack Overflow decoded < and > – user3888349 Feb 26 '19 at 16:03
- It's unclear what you are asking. URL-encoding is used when you need to URL-encode. We will need to see a [mcve] to put your question into context. And "escaping" is _very_ context specific. Escaping from _what_? – Feb 26 '19 at 16:17
- Okay so, I'm so confused between Escaping and Encoding, some people use them interchangeably. To avoid XSS, what should one use? Escaping or Encoding? – user3888349 Feb 28 '19 at 17:15
- You should [edit] the question and put details like this in the text of the question. Tell us what you want to do, show what you have tried, and show the results. – Feb 28 '19 at 17:17
- At any rate, this is probably a duplicate of https://stackoverflow.com/q/2159724/1531971 (among others). – Feb 28 '19 at 17:18
- OWASP says "Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS" and "Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities". So Escaping and Encoding techniques are used to prevent XSS. But how to differentiate between them? Another website says that Escaping is a subset of Encoding. I'm just confused between the two when it comes to XSS. – user3888349 Feb 28 '19 at 17:19
- It's just nomenclature. The idea is that you strip user-input in a manner that disallows dangerous chars that could result in a crafted attack. For HTML and JavaScript, this means encoding certain chars as their HTML entities (as the SO editor does, for example). This is different from URL-encoding which is intended to allow arbitrary data in a URL that could break how those URLs are consumed. – Feb 28 '19 at 17:22
- Thanks man, appreciate it :) – user3888349 Feb 28 '19 at 17:24
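As an added illustration of the point made in the comments (this is example code, not from the question or any commenter), the following JavaScript encodes one untrusted value for three output contexts and shows that URL percent-encoding is not the same operation as HTML entity encoding. The function names and the sample string are assumptions of this example, not anything from the thread.

```javascript
// Context-sensitive output encoding: the same untrusted string must be
// encoded differently depending on where in the document it is placed.

// HTML body context: entity-encode the characters that carry meaning in
// HTML so the browser renders them as literal text rather than markup.
function encodeForHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Quoted HTML attribute context: entity-encode every non-alphanumeric code
// point, so the value can neither close the quote nor start a new attribute.
function encodeForHtmlAttribute(str) {
  return String(str).replace(/[^A-Za-z0-9]/gu, (ch) =>
    '&#x' + ch.codePointAt(0).toString(16).toUpperCase() + ';');
}

// URL query-parameter context: RFC 3986 percent-encoding. This keeps the URL
// parseable but does NOT make the value safe for an HTML body or attribute
// (note that encodeURIComponent leaves ' untouched, for example).
function encodeForUrlParam(str) {
  return encodeURIComponent(String(str));
}

// Place one untrusted value into all three contexts of a small fragment.
function renderGreeting(untrusted) {
  return '<p title="' + encodeForHtmlAttribute(untrusted) + '">' +
    encodeForHtml(untrusted) +
    ' <a href="/search?q=' + encodeForUrlParam(untrusted) + '">search</a></p>';
}

// Constructed sample input containing every HTML metacharacter of interest.
const SAMPLE = '<b>"x" & \'y\'</b>';
console.log(renderGreeting(SAMPLE));
```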