I want to escape for XSS in an HTML context, and so far I treat the <, >, and " characters.
Apparently it is recommended to escape the ampersand as well, but why? (Other than for keeping the HTML valid, let's assume that this is not an issue)
So what I am asking is:
When I escape <, > and ", can someone demonstrate how the ampersand can still allow an XSS attack in an HTML context?
Cheers!
You should really take a look at the OWASP XSS Prevention Cheat Sheet.
You should escape & because it can be used to circumvent other defenses. Consider this code:
<button onclick="confirm('Do you really want to delete <%= data_from_user; %> ?'">Delete</button>
To defend against XSS inside the onclick event handler, the developer escapes ', ", < and > in data_from_user and thinks everything is ok. The problem is that if the attacker types ' which passes the escaping, but ends up allowing the attacker to run javascript.
Example here: http://erlend.oftedal.no/blog/?blogid=124
you use & to concatenate params in the URL:
Reflected XXS:
Script code is injected in the URL which the webpage reflects to victims
http://mybank.com/page?message= < script src = “evil _script.js” />
来源:https://stackoverflow.com/questions/9124134/cross-site-scripting-xss-do-i-need-to-escape-the-ampersand