How do I HTML Encode all the output in a web application?

Question

I want to prevent XSS attacks in my web application. I found that HTML Encoding the output can really prevent XSS attacks. Now the problem is that how do I HTML encode every

Answer 1

If you do actually HTML encode every single output, the user will see plain text of <html> instead of a functioning web app.

EDIT: If you HTML encode every single input, you'll have problem accepting external password containing < etc..

Answer 2

Output encoding is by far the best defense. Validating input is great for many reasons, but not 100% defense. If a database becomes infected with XSS via attack (i.e. ASPROX), mistake, or maliciousness input validation does nothing. Output encoding will still work.

Answer 3

A nice way I used to escape all user input is by writing a modifier for smarty wich escapes all variables passed to the template; except for the ones that have |unescape attached to it. That way you only give HTML access to the elements you explicitly give access to.

I don't have that modifier any more; but about the same version can be found here:

http://www.madcat.nl/martijn/archives/16-Using-smarty-to-prevent-HTML-injection..html

In the new Django 1.0 release this works exactly the same way, jay :)

Answer 4

The only way to truly protect yourself against this sort of attack is to rigorously filter all of the input that you accept, specifically (although not exclusively) from the public areas of your application. I would recommend that you take a look at Daniel Morris's PHP Filtering Class (a complete solution) and also the Zend_Filter package (a collection of classes you can use to build your own filter).

PHP is my language of choice when it comes to web development, so apologies for the bias in my answer.

Kieran.

Answer 5

For JSPs, you can have your cake and eat it too, with the c:out tag, which escapes XML by default. This means you can bind to your properties as raw elements:

<input name="someName.someProperty" value="<c:out value='${someName.someProperty}' />" />

When bound to a string, someName.someProperty will contain the XML input, but when being output to the page, it will be automatically escaped to provide the XML entities. This is particularly useful for links for page validation.

Answer 6

My personal preference is to diligently encode anything that's coming from the database, business layer or from the user.

In ASP.Net this is done by using Server.HtmlEncode(string) .

The reason so encode anything is that even properties which you might assume to be boolean or numeric could contain malicious code (For example, checkbox values, if they're done improperly could be coming back as strings. If you're not encoding them before sending the output to the user, then you've got a vulnerability).