== Encoding Best Practices
* Not as easy as it may seem
** Web 2.0 apps (social networks, mashups, blogs, feeds, etc.) render untrusted input in many places
** Each output context needs its own encoder: HTML encoding, HTML attribute encoding, JavaScript encoding, URL encoding, …
* Use a proven and tested framework
** The OWASP AntiSamy project (Java & .NET)
*** Very useful in social applications where HTML content is allowed as input from users
*** http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
** The OWASP ESAPI (Java, .NET, PHP, Classic ASP, Cold Fusion, Haskell)
*** https://www.owasp.org/index.php/ESAPI
** HTMLPurifier (PHP)
*** http://htmlpurifier.org/
** Anti-XSS Library from Microsoft
*** Designed specifically for ASP.NET applications
*** http://www.codeplex.com/AntiXSS
* Some light reading:
** http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java
** https://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
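The four encoders the bullets name, worked through as an added example (not code from the original page, nor from AntiSamy, ESAPI, HTMLPurifier or the Anti-XSS library). The encoding rules follow the OWASP XSS Prevention Cheat Sheet linked above; the function names, the render helpers and the sample input are this example's own assumptions. It also shows the case the bullets hint at with "not as easy as it may seem": a value inside a JavaScript string inside an HTML attribute sits in two contexts at once, so it needs the JavaScript encoder first and the attribute encoder second, because the browser entity-decodes the attribute before the script engine ever sees it.

```python
"""Context-specific output encoding for HTML body, HTML attribute,
JavaScript string and URL parameter contexts (added example)."""
import html
import urllib.parse

# Constructed sample input (not from the page): breaks out of every
# context above if copied into a page unchanged.
UNTRUSTED = '"><script>alert(1)</script> O\'Neil & co/?x=y'


def encode_for_html(s: str) -> str:
    """HTML body context (text between tags): entity-encode & < > " and '."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s: str) -> str:
    """Quoted attribute context: every non-alphanumeric ASCII character
    becomes &#xHH; so the value can neither close the quote nor the tag."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else f"&#x{ord(ch):02X};"
        for ch in s
    )


def encode_for_javascript(s: str) -> str:
    """JavaScript string-literal context: \\xHH for Latin-1, \\uHHHH for
    the rest. Hex escapes are used instead of backslash-quoting, which a
    leading backslash in the input can defeat."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    """URL query-parameter value context: percent-encode all but unreserved."""
    return urllib.parse.quote(s, safe="")


# One render helper per context, each using exactly one encoder.
def render_html_body(value: str) -> str:
    return f"<p>{encode_for_html(value)}</p>"


def render_attribute(value: str) -> str:
    return f'<input value="{encode_for_html_attribute(value)}">'


def render_js_literal(value: str) -> str:
    return f"<script>var name = '{encode_for_javascript(value)}';</script>"


def render_query_link(value: str) -> str:
    return f'<a href="/search?q={encode_for_url(value)}">search</a>'


def render_event_handler(value: str, layered: bool = True) -> str:
    """Nested contexts: JS string inside an HTML attribute. With layered=True
    the value is JS-encoded, then attribute-encoded (correct). With
    layered=False only the attribute encoder is applied, which the browser
    undoes before the script engine parses the handler."""
    inner = encode_for_javascript(value) if layered else value
    return f'<button onclick="greet(\'{encode_for_html_attribute(inner)}\')">hi</button>'


def js_engine_sees(rendered: str) -> str:
    """Simulate the browser: pull out the onclick attribute and entity-decode
    it, which is what the JavaScript parser actually receives."""
    start = rendered.index('onclick="') + len('onclick="')
    end = rendered.index('"', start)
    return html.unescape(rendered[start:end])


if __name__ == "__main__":
    for render in (render_html_body, render_attribute,
                   render_js_literal, render_query_link):
        print(render(UNTRUSTED))
    print("layered handler, JS sees:  ", js_engine_sees(render_event_handler(UNTRUSTED)))
    print("attribute-only, JS sees:   ", js_engine_sees(render_event_handler(UNTRUSTED, layered=False)))
```

In the layered case the script engine receives a handler with exactly the two delimiting quotes it started with; in the attribute-only case it receives the raw input, quote and all. Encoding is a per-context choice, which is the reason the bullets point at frameworks that already ship one encoder per context rather than a single "escape" function.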