XSS (Cross Site Scripting) Prevention Cheat Sheet

[Nytro]

[h=1]XSS (Cross Site Scripting) Prevention Cheat Sheet[/h]

[h=2]Contents[/h] [hide]

• 1 Introduction
  
  • 1.1 A Positive XSS Prevention Model
    
  • 1.2 Why Can't I Just HTML Entity Encode Untrusted Data?
    
  • 1.3 You Need a Security Encoding Library
    

  [*]2 XSS Prevention Rules

  • 2.1 RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
    
  • 2.2 RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
    
  • 2.3 RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
    
  • 2.4 RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
    
    • 2.4.1 RULE #3.1 - HTML escape JSON values in an HTML context and read the data with JSON.parse
      

    [*]2.5 RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values

    [*]2.6 RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

    [*]2.7 RULE #6 - Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way

    [*]2.8 RULE #7 - Prevent DOM-based XSS

    [*]2.9 Bonus Rule: Use HTTPOnly cookie flag

  [*]3 XSS Prevention Rules Summary

  [*]4 Output Encoding Rules Summary

  [*]5 Related Articles

  [*]6 Authors and Primary Editors

  [*]7 Other Cheatsheets

Link:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet