In my JS application, I have to protect against the first 2 rules mentioned in the OWASP Anti-XSS cheat sheet:
Rule 1:
<body>
...ENCODE UNTRUSTED DATA BEFORE PUTTING HERE...
</body>
Rule 2:
<div attr="...ENCODE UNTRUSTED DATA BEFORE PUTTING HERE...">content
According to the guide, for rule 1, the following characters &'"<> should be encoded.
So if I have the following encoding function, this should be sufficient, no?
function encode(s) {
  return s
    .replace(/&/g, '&amp;')   // '&' first, so the '&' of the entities emitted below is not re-encoded
    .replace(/'/g, '&#x27;')  // numeric form; &apos; is not part of HTML 4
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}
Can I use this encoding to protect the app in these 2 cases (even though for rule 2, only the quotes should be sufficient, right?)?
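As an added example (not part of the original question), the same five-character encoder with its entities restored, plus a small attribute tokenizer that shows it holds for Rule 1 and for a quoted Rule 2 attribute, and why those five characters stop being enough the moment the attribute is left unquoted. The function names and the sample inputs are constructed for the illustration.

```javascript
// Entities the encoder emits. &#x27; is used because &apos; is not part of HTML 4.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Single-pass replace: each character is encoded once, so the '&' of an entity
// the function just emitted is never re-encoded.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// OWASP Rule 1: untrusted data placed in element content.
function renderBody(untrusted) {
  return `<body>${encodeForHtml(untrusted)}</body>`;
}

// OWASP Rule 2: untrusted data placed in an attribute value. Both the quoted and
// the (wrong) unquoted form are rendered so the tokenizer below can compare them.
function renderAttr(untrusted, quoted) {
  const v = encodeForHtml(untrusted);
  return quoted ? `<div title="${v}">content</div>` : `<div title=${v}>content</div>`;
}

// Minimal attribute tokenizer for the first start tag, following the HTML rule
// that a quoted value runs to its matching quote while an unquoted value ends at
// whitespace or '>'. Returns the attribute names a browser would parse.
function attributeNames(markup) {
  const names = [];
  let i = markup.indexOf(' ');                 // skip the tag name
  while (i >= 0 && i < markup.length) {
    while (i < markup.length && /\s/.test(markup[i])) i++;
    if (i >= markup.length || markup[i] === '>') break;
    let name = '';
    while (i < markup.length && !/[\s=>]/.test(markup[i])) name += markup[i++];
    names.push(name);
    if (markup[i] === '=') {
      const q = markup[++i];
      if (q === '"' || q === "'") {
        const end = markup.indexOf(q, i + 1);
        if (end < 0) break;                      // unterminated quote: stop scanning
        i = end + 1;
      } else {
        while (i < markup.length && !/[\s>]/.test(markup[i])) i++;
      }
    }
  }
  return names;
}
```

With a quoted attribute the encoded quote keeps the whole value inside `title`; with an unquoted attribute a plain space, which the encoder does not touch, starts a second attribute, which is why OWASP tells you to always quote attributes when relying on this encoder.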