Why does HTML encoding prevent certain XSS attacks?

I read that you encode HTML on the way back from the server to the client (I think?), and that this prevents many types of XSS attacks. However, I don't understand it at all. Will the HTML still be consumed and displayed by the browser?

How does it stop them?

I read about it in several places, on websites and in books, and nowhere is it explained why this works.

2 answers

Think about it: what does encoded HTML look like? For example, it might look like this:

&lt;a href=&quot;www.stackoverflow.com&quot;&gt;

Thus, it will be displayed on the client literally (as <a href="www.stackoverflow.com">), and not as HTML. This means that you will not see an actual link, but the code itself.

XSS attacks work on the basis that someone can force the browser to parse HTML code that the site provider did not intend to be there; if the above were not encoded, the supplied link would be embedded in the site, even though the site provider did not want this.

XSS, of course, is a bit more complicated than that, and usually involves JavaScript (hence the name Cross-Site Scripting), but for demonstration purposes this simple example should suffice; it is the same with JavaScript code as with simple HTML tags, since XSS is a special case of the more general HTML injection.


HTML encoding turns <div> into &lt;div&gt;, which means that any HTML markup will be displayed on the page as text, and not rendered as HTML markup.

The main entities converted are:

  • & to &amp;
  • < to &lt;
  • > to &gt;
  • " to &quot;

OWASP recommends encoding some additional characters:

  • ' to &#x27;
  • / to &#x2F;

These encodings are how you textually represent characters that would otherwise be treated as markup. If you want to write a<b, you need to be careful that <b is not treated as an HTML element. If you use a&lt;b, the text displayed to the user will be a<b.

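The mechanism both answers describe, as an added example that is not part of the original answers: a small HTML entity encoder covering the six characters listed above, the vulnerable template beside the fixed one, and a crude tag check standing in for the browser's parser. The names encodeHtml, renderUnsafe, renderSafe and hasInjectedTag, and the sample payload, are assumptions made for this example.

```javascript
// Added example, not from the original answers. Entity table taken from
// the answer above (the four core characters plus the two OWASP additions).
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Replace every special character in a single pass. Doing it in one pass
// means '&' is never applied to the output of an earlier replacement, so
// already-encoded input is not corrupted and nothing is double-encoded.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: untrusted text concatenated straight into markup.
function renderUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Fixed pattern: the same template, but the untrusted text is encoded first.
function renderSafe(comment) {
  return `<p class="comment">${encodeHtml(comment)}</p>`;
}

// Stand-in for the browser: does the fragment contain any tag other than
// the template's own <p>...</p>? A real parser would treat any such tag as
// markup, which is exactly what the attacker needs.
function hasInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?p(\s|>)/.test(t));
}

// Constructed sample input (hypothetical payload): an element that runs
// script without needing a closing tag.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// renderUnsafe(PAYLOAD) contains a second, attacker-controlled element;
// renderSafe(PAYLOAD) contains only the template's <p> and the payload as
// inert text: &lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe injected:", hasInjectedTag(renderUnsafe(PAYLOAD)));
  console.log("safe injected:  ", hasInjectedTag(renderSafe(PAYLOAD)));
  console.log(renderSafe(PAYLOAD));
}
```

Because all six characters are replaced in one pass, an input that already contains &lt; comes out as &amp;lt; and is displayed to the user as the literal text &lt;, which is the lossless behaviour you want; a chain of separate replace calls that handles & after < would instead mangle its own output. The limit of the technique is context: entity encoding makes untrusted text safe where the browser expects HTML text or a quoted attribute value. It does nothing for input placed inside a <script> block, inside an unquoted attribute, or as the URL of an href, each of which needs its own context-specific encoding or validation.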

Source: https://habr.com/ru/post/903590/
