Java - XSS - HTML encoding - reference of a character entity compared to a reference to a numerical object

Question

Java - XSS - HTML encoding - reference of a character entity compared to a reference to a numerical object

We searched for ways to encode HTML pages on JSP pages to support XSS.

OWASP site shows How_to_perform_HTML_entity_encoding_in_Java

The article talks about the entity encoding "Big 5" ie

  21          {"#39", new Integer(39)}, // ' - apostrophe
  22          {"quot", new Integer(34)}, // " - double-quote
  23          {"amp", new Integer(38)}, // & - ampersand
  24          {"lt", new Integer(60)}, // < - less-than
  25          {"gt", new Integer(62)}, // > - greater-than

i.e.

<script>

encoded as

  &lt;script&gt;

but the Java code sample included in the article uses numerical reference encoding ie

<script></script>

encoded as

 &#60;script&#62;&#60;&#47;script&#62;

Is there a reason to use character references over entity references? Which is better and why?

+3

java html encoding xss

nzpcmad Mar 05 '10 at 1:35

source share

1 answer

Laurence Gonsalves · Accepted Answer · 2010-03-05T02:00:45+0000

This is the same as XSS protection. The only real practical differences are readability and size.

Java - XSS - HTML encoding - reference of a character entity compared to a reference to a numerical object

More articles: