In my JS application, I have to protect against the first 2 rules mentioned in the OWASP Anti XSS cheatsheet:
<body> ...ENCODE UNTRUSTED DATA BEFORE PUTTING HERE... </body>
<div attr="...ENCODE UNTRUSTED DATA BEFORE PUTTING HERE...">content
According to the guide, for rule 1, the following characters &'"<> should be encoded.
So if I have the following encoding function, this should be sufficient, no?
function encode(str) {
  // '&' first, so the '&' of the entities emitted below is not encoded again
  return str.replace(/&/g, '&amp;').replace(/'/g, '&#x27;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
Can I use this encoding to protect the app in these 2 cases (even though for rule 2, only the quotes should be sufficient, right?)?
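The following is an added example, not code from the question or from OWASP. It puts the five-character encoder from the question next to the stricter encoder that OWASP rule 2 calls for when an attribute value is not quoted (every non-alphanumeric character with a code point below 256 becomes &#xHH;), and renders constructed payloads into the two contexts the question asks about. The function names (encodeForHtml, encodeForHtmlAttribute, render*) and the payload strings are made up for the illustration.

```javascript
// Added example (not from the original question). Shows the rule-1 encoder,
// the rule-2 attribute encoder, and how each behaves in the two contexts.

// Rule 1 encoder: & ' " < > as HTML entities. '&' is replaced first so the
// '&' of the entities emitted by the later replace calls is not re-encoded.
function encodeForHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/'/g, '&#x27;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rule 2 encoder for attribute values: everything except ASCII letters and
// digits becomes &#xHH; when its code point is below 256, so the value cannot
// introduce a new attribute even when the attribute is unquoted. Code points
// of 256 and above are passed through, as the OWASP rule permits.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    if (code >= 256) return ch;
    return '&#x' + code.toString(16).toUpperCase().padStart(2, '0') + ';';
  });
}

// Rule 1 context: element content.
function renderBody(untrusted) {
  return '<body>' + encodeForHtml(untrusted) + '</body>';
}

// Rule 2 context with a quoted attribute, which is what the question assumes.
function renderQuotedAttr(untrusted) {
  return '<div attr="' + encodeForHtml(untrusted) + '">content</div>';
}

// Rule 2 context with an UNQUOTED attribute, still using the rule-1 encoder:
// a space and '=' pass through untouched, so the value can add an attribute.
function renderUnquotedAttr(untrusted) {
  return '<div attr=' + encodeForHtml(untrusted) + '>content</div>';
}

// Same unquoted context, but with the rule-2 encoder.
function renderUnquotedAttrStrict(untrusted) {
  return '<div attr=' + encodeForHtmlAttribute(untrusted) + '>content</div>';
}

// Constructed payloads for the demonstration (not real-world samples).
const bodyPayload = '<script>alert(1)</script>';
const quotedAttrPayload = '" onmouseover="alert(1)';
const unquotedAttrPayload = 'x onmouseover=alert(1)';

// Usage: print the serialized markup for each context.
console.log(renderBody(bodyPayload));
console.log(renderQuotedAttr(quotedAttrPayload));
console.log(renderUnquotedAttr(unquotedAttrPayload));       // onmouseover= survives as a second attribute
console.log(renderUnquotedAttrStrict(unquotedAttrPayload)); // single attribute, space and '=' encoded
```

The checks here are on the serialized string, not on a browser's parse of it; the point they make is that the five-character encoder only keeps the attribute case safe as long as the attribute value is actually wrapped in quotes, which is the precondition the OWASP rule states.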