XSS Experimental Minimal Encoding Rules - OWASP
The following examples demonstrate experimental minimal encoding rules for XSS prevention. Each entry gives the output context, the code sample in which the untrusted data is embedded, and the minimal set of encoding rules for that context.

Context: JavaScript, quoted string in a script block
Code sample: (not preserved in the archived page)
Rules:
  Use these escapes: \\ \r \n \b \t \f \' \" \/
  For any other character in the range 0x00..0x1f (the C0 control characters), use hex escapes (\xHH)
  If using a non-Unicode charset, encode any character above 0x7e with \uHHHH
Note: escaping / as \/ is what prevents an embedded </script> from terminating the script block early; the string delimiters alone do not protect against that.

Context: JavaScript, quoted string in an event handler attribute
Code sample:
  onclick="alert('<%= UNTRUSTED DATA %>');"
Rules:
  Use these escapes: \\ \r \n \b \t \f
  Use hex escapes (\xHH) for these characters: ' " &
  For any other character in the range 0x00..0x1f, use hex escapes
  If using a non-Unicode charset, encode any character above 0x7e with \uHHHH
Note: the HTML parser entity-decodes the attribute value before the JavaScript parser sees it, which is why ' " and & are hex-escaped (\x27 \x22 \x26) rather than backslash-escaped: \" would leave a raw " that closes the attribute, and a raw & would let an entity such as &#39; in the data decode into a quote inside the string literal. The attribute must be delimited with double quotes, as in the sample.

Context: HTML body (up to HTML 4.01)
Code sample:
  <%= UNTRUSTED DATA %>
Rules:
  HTML entity encode < and &
  Specify the charset in a meta tag so the browser cannot sniff the page as UTF-7 (UTF-7 XSS)

Context: HTML body
Code sample:
  <%= UNTRUSTED DATA %>
Rules:
  HTML entity encode < & >
  Restrict input to characters that are valid in the page's declared charset
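As an added example (editor-written for this page, not code from the OWASP wiki), the four rule sets above implemented as JavaScript encoders, plus a small check that shows why the event-handler row hex-escapes ' " & where the script-block row uses backslash escapes. The function names, the asciiOnly flag (standing in for "non-Unicode charset"), the simplified entity decoder and the probe string in the usage note are this example's own assumptions.

```javascript
// Added example, written for this page by the editor; it is not code from the
// OWASP wiki. Function names, the asciiOnly flag and the sample payloads are
// this example's own choices. Each encoder implements one row of the table.

// \xHH for a single UTF-16 code unit.
const hexEscape = (unit) => '\\x' + unit.toString(16).padStart(2, '0');
// \uHHHH for a single UTF-16 code unit; an astral character therefore comes
// out as a surrogate pair, which is a valid JavaScript string-literal form.
const uniEscape = (unit) => '\\u' + unit.toString(16).padStart(4, '0');

// Shared walker: named backslash escapes first, then the characters this
// context wants as \xHH, then the remaining C0 control characters, then
// (for a non-Unicode page charset) everything above 0x7e as \uHHHH.
function escapeJsUnits(input, named, hexChars, asciiOnly) {
  const s = String(input);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const unit = s.charCodeAt(i);
    if (Object.prototype.hasOwnProperty.call(named, ch)) out += named[ch];
    else if (hexChars.includes(ch)) out += hexEscape(unit);
    else if (unit <= 0x1f) out += hexEscape(unit);
    else if (asciiOnly && unit > 0x7e) out += uniEscape(unit);
    else out += ch;
  }
  return out;
}

const SCRIPT_NAMED = {
  '\\': '\\\\', '\r': '\\r', '\n': '\\n', '\b': '\\b', '\t': '\\t',
  '\f': '\\f', "'": "\\'", '"': '\\"', '/': '\\/',
};
// Row 1: quoted string literal inside a <script> block. Escaping / as \/ is
// what stops an embedded "</script>" from closing the block early.
function jsScriptEscape(input, asciiOnly = false) {
  return escapeJsUnits(input, SCRIPT_NAMED, '', asciiOnly);
}

const HANDLER_NAMED = {
  '\\': '\\\\', '\r': '\\r', '\n': '\\n', '\b': '\\b', '\t': '\\t', '\f': '\\f',
};
// Row 2: quoted string literal inside a double-quoted event-handler attribute.
// The HTML parser entity-decodes the attribute value before the JavaScript
// parser runs, so ' " & become \x27 \x22 \x26: a \" would leave a raw " that
// ends the attribute, and a raw & would let an entity such as &#39; decode
// into a quote inside the string literal.
function jsEventHandlerEscape(input, asciiOnly = false) {
  return escapeJsUnits(input, HANDLER_NAMED, '\'"&', asciiOnly);
}

// Row 3: HTML body, HTML 4.01 and earlier: < and & are entity encoded.
function htmlBodyEscape401(input) {
  const map = { '<': '&lt;', '&': '&amp;' };
  return String(input).replace(/[<&]/g, (c) => map[c]);
}

// Row 4: HTML body, second variant: < & > are entity encoded.
function htmlBodyEscape(input) {
  const map = { '<': '&lt;', '&': '&amp;', '>': '&gt;' };
  return String(input).replace(/[<&>]/g, (c) => map[c]);
}

// Small model of the browser's attribute-value entity decoding (numeric
// references plus the five common named ones), enough to show what the
// JavaScript parser would see inside an onclick attribute.
function decodeAttrEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(Number(d)))
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Embed untrusted data as the table's sample does, onclick="alert('...');",
// using the given encoder, and report whether a raw ' or " survives attribute
// decoding (which would let the data end the string literal or the attribute).
function onclickLiteral(untrusted, encoder) {
  const body = encoder(untrusted);
  const seenByJs = decodeAttrEntities(body);
  return {
    attribute: `onclick="alert('${body}');"`,
    seenByJs,
    breaksOut: /['"]/.test(seenByJs),
  };
}
```

onclickLiteral runs the chosen encoder and then the simplified attribute decoding. With jsEventHandlerEscape, a constructed probe such as &#39;);alert(1)// reaches the JavaScript parser as \x26#39;);alert(1)// and stays inside the string literal; applying the script-block rules (jsScriptEscape) in the same attribute leaves the & raw, so &#39; decodes into a quote and the literal is terminated.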
This page was last modified on 16 September 2012, at 17:46.
Content is available under Creative Commons Attribution-ShareAlike unless otherwise noted.