Why does HTML encoding prevent certain XSS attacks?

半阙折子戏 2020-12-16 05:17

I have been reading that you HTML encode on the way back from the server to the client (I think?) and this will prevent many types of XSS attacks. However, I don't understa

2 answers

无人及你 2020-12-16 05:38

    HTML encoding turns <div> into &lt;div&gt;, which means that any HTML markup will display on the page as text, rather than executed as HTML markup.

    The basic entities that are converted are:

    • & to &amp;
    • < to &lt;
    • > to &gt;
    • " to &quot;

    OWASP recommends encoding some additional characters:

    • ' to &#x27;
    • / to &#x2F;

    These encodings are how you textually represent characters that would otherwise be consumed as markup. If you wanted to write a <b> you'd have to be careful that <b> isn't treated like an HTML element. If you use a<b the text that will be displayed to the user will be a.
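The following is an added example, not code from the original post: an encoder for the six characters the answer lists, a decoder that mimics what the browser shows the user after parsing, and a helper that embeds untrusted text in a server-rendered fragment. All sample inputs are constructed here; the function names are this example's own.

```javascript
// Output encoding for the HTML text (and quoted-attribute) context.
// Covers the four basic entities plus the two OWASP additions from the answer.
const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;', // OWASP addition: an apostrophe cannot end a single-quoted attribute
  '/': '&#x2F;', // OWASP addition: a slash cannot help close a tag early
};

// Reverse map, used only to imitate how the browser displays encoded text.
const DECODE_MAP = Object.fromEntries(
  Object.entries(ENCODE_MAP).map(([ch, entity]) => [entity, ch])
);

// Encode untrusted text so the parser treats it as character data, not markup.
// One regex pass over all six characters, so '&' is never encoded twice.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => ENCODE_MAP[ch]);
}

// What the user ends up seeing: the browser parses the entities back to text.
function htmlDecode(encoded) {
  return encoded.replace(/&(amp|lt|gt|quot|#x27|#x2F);/g, (m) => DECODE_MAP[m]);
}

// Server-side rendering step: untrusted text placed inside a <p> element.
// The only raw '<' and '>' in the result belong to the template itself.
function renderComment(untrusted) {
  return `<p class="comment">${htmlEncode(untrusted)}</p>`;
}

// Count raw angle brackets in a fragment; after encoding, only the two
// template tags (four brackets) remain, whatever the input contained.
function rawAngleBrackets(fragment) {
  return (fragment.match(/[<>]/g) || []).length;
}

// Demonstration with constructed inputs from the answer's own examples.
console.log(htmlEncode('<div>'));                 // &lt;div&gt;
console.log(htmlEncode('a<b'));                   // a&lt;b
console.log(htmlDecode(htmlEncode('<b>bold</b>'))); // <b>bold</b> shown as text
console.log(rawAngleBrackets(renderComment('<b>bold</b>'))); // 4
```

This covers the HTML text and quoted-attribute contexts only; text placed inside a script block, a URL, or a CSS value needs that context's own encoding.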
