Can the same encoding be used for HTML attribute and content sanitization?

In my JS application, I have to protect against the first 2 rules mentioned in the OWASP Anti-XSS cheat sheet:

Rule 1:

<body>
...ENCODE UNTRUSTED DATA BEFORE PUTTING HERE...
</body>

Rule 2:

<div attr="...ENCODE UNTRUSTED DATA BEFORE PUTTING HERE...">content

According to the guide, for rule 1, the following characters &'"<> should be encoded.

So if I have the following encoding function, this should be sufficient, no?

 // Wraps the chained replacements in a function; '&' is replaced first so
 // the entities introduced by the later replacements are not re-encoded.
 function encode(str) {
   return str
     .replace(/&/g, '&amp;')
     .replace(/'/g, '&apos;')
     .replace(/"/g, '&quot;')
     .replace(/</g, '&lt;')
     .replace(/>/g, '&gt;');
 }

Can I use this encoding to protect the app in these 2 cases (even though for rule 2, only the quotes should be sufficient, right?)?

7 months ago · Juan Pablo Isaza
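One way to put the encoder from the question into a runnable form for both contexts, as an added example (not the poster's code): the function names, the `title` attribute and the sample input are constructed for illustration, the apostrophe uses the numeric reference the OWASP cheat sheet recommends, and the attribute case assumes the value is quoted, as rule 2 does.

```javascript
// Added example, not code from the question: one encoder applied to
// both OWASP contexts the poster cites (body content and attribute value).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;', // numeric form: &apos; is an XML/HTML5 entity, not in HTML 4
};

// Encode the five characters in one pass. A single regex with a callback
// cannot double-encode, whereas a chain of .replace() calls is only safe
// when the '&' replacement runs first.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Rule 1: untrusted data placed as element content.
function renderBody(untrusted) {
  return `<body>${encodeForHtml(untrusted)}</body>`;
}

// Rule 2: untrusted data placed inside a *quoted* attribute value. The
// cheat sheet's rule assumes quotes; an unquoted attribute value ends at
// whitespace, so quoting is part of the defence, not an optional style.
function renderAttr(untrusted) {
  return `<div title="${encodeForHtml(untrusted)}">content</div>`;
}

// Check a reviewer can run over encoder output: none of the five
// metacharacters may survive except as one of the expected entities.
function containsMetachars(s) {
  return /[<>"']/.test(s) || /&(?!(amp|lt|gt|quot|#x27);)/.test(s);
}

// Constructed sample input (not from the page) hitting all five characters.
const SAMPLE = `Tom & "Jerry" <b>'hi'</b>`;

console.log(renderBody(SAMPLE));
console.log(renderAttr(SAMPLE));
```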