Is escaping < and > sufficient to block XSS attacks?

34,409

Solution 1

When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot;.

Otherwise you could easily inject JavaScript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".

Solution 2

Not all XSS attacks include < or > at all, depending on where the data is being inserted.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F

Solution 3

No. Here are a couple of examples where escaping <, >, ', " and & is not enough:

Example 1:

<a href="{{myUrl}}">

XSS Attack:

myUrl = "javascript:alert(1)"

Example 2:

<script>var page = {{myVar}};</script>

XSS Attack:

myVar = "1;alert(1)"

See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for ways of preventing these attacks.
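
The three contexts from Solutions 1 and 3 (a quoted attribute, an href URL and a <script> block), rendered first with the "escape < and >" defence the question asks about and then with a context-aware encoder. This is an added example and not code from the original answers; the template strings, payloads, the allowed-scheme list and the about:blank rejection value are constructed here for illustration.

```javascript
// Added example (not from the original Q&A): why escaping < and >, or even
// & < > " ', is not enough, and what the per-context encoding looks like.
// Template strings, payloads and the scheme allowlist are constructed here.

// The defence asked about: only angle brackets.
function escapeAngle(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Full HTML entity encoding of & < > " ' (what Solution 3 says is still not enough).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Context 1 (Solution 1): quoted attribute. Escaping only < > lets the payload
// close the attribute and add an event handler; encoding " keeps it inside href.
function renderAttrNaive(str) {
  return `<a href="${escapeAngle(str)}">`;
}
function renderAttrEncoded(str) {
  return `<a href="${escapeHtml(str)}">`;
}

// Context 2 (Solution 3, example 1): the attribute is a URL. Entity encoding
// leaves "javascript:" untouched, so the scheme has to be checked separately.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // hypothetical allowlist
function safeUrl(url) {
  // Browsers ignore ASCII control characters and whitespace inside a scheme
  // ("java\tscript:" still runs), so strip them before reading the scheme.
  const cleaned = String(url).replace(/[\x00-\x20]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) {
    return "about:blank"; // hypothetical rejection value; a real app might drop the link
  }
  // Relative URLs and allowed schemes: entity-encode for the attribute context.
  return escapeHtml(url);
}

// Context 3 (Solution 3, example 2): inside a <script> block. "1;alert(1)" has
// no HTML-special characters, so any entity encoder passes it through and it
// becomes code. Emitting a JS string literal, with < > & and the JS line
// terminators U+2028/U+2029 written as \uXXXX escapes, keeps it data and also
// blocks a "</script>" break-out.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function renderScriptNaive(myVar) {
  return `<script>var page = ${escapeAngle(myVar)};</script>`;
}
function renderScriptEncoded(myVar) {
  return `<script>var page = ${jsStringLiteral(myVar)};</script>`;
}

// Constructed payloads, taken from the answers above.
const ATTR_PAYLOAD = "\" onmouseover='something-evil'";
const URL_PAYLOAD = "javascript:alert(1)";
const SCRIPT_PAYLOAD = "1;alert(1)";

console.log(renderAttrNaive(ATTR_PAYLOAD));     // attribute closed, handler injected
console.log(renderAttrEncoded(ATTR_PAYLOAD));   // " becomes &quot;, stays inside href
console.log(`<a href="${safeUrl(URL_PAYLOAD)}">`); // javascript: scheme rejected
console.log(renderScriptNaive(SCRIPT_PAYLOAD)); // alert(1) runs as code
console.log(renderScriptEncoded(SCRIPT_PAYLOAD)); // a string literal, not code
```

The point the two encoders make is that the right transformation depends on where the output lands: entity encoding answers the attribute case, a scheme check answers the URL case, and a JS string literal answers the script case. No single substitution table covers all three.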

Solution 4

No, it's not sufficient. Remember that XSS isn't just about untrusted data in HTML; you'll also find it in JavaScript and CSS. Think about a situation such as "var myVar = [input];". There are all sorts of malicious things you can do with that [input] value without going anywhere near angle brackets. There are many more examples over in the XSS cheat sheet: http://ha.ckers.org/xss.html

You've mentioned ASP.NET in the tag; what you want to be looking at is the AntiXSS library. Grab this and use the appropriate output encoding:

Encoder.CssEncode()
Encoder.HtmlEncode()
Encoder.HtmlAttributeEncode()
Encoder.JavaScriptEncode()

etc. etc. There's absolutely no reason to try and do your own character substitution in .NET.

Author: M. Biolic

Updated on April 17, 2020

Comments

  • M. Biolic, about 4 years ago

    I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to &lt; and &gt; doesn't completely block reflected and persistent XSS.

    I'm not talking about CSRF.

    If this doesn't block XSS, can you provide an example of how to bypass this defence?

  • Marcel Korpel, about 13 years ago
    In the latter case, use URL encoding, not HTML entities; in that case, " becomes just %22.
  • ThiefMaster, about 13 years ago
    You can't just URL-encode a whole URL as this would also break query strings.
  • M. Biolic, about 13 years ago
    Ah, so escaping ", <, and > would block simple Response.Write(input) vulns, but if I had an existing script block or built DOM elements with straight user input, where < and > weren't necessary for the input to run, I'd still be vulnerable.
  • M. Biolic, about 13 years ago
    Thanks for the response and the link!
  • Troy Hunt, almost 13 years ago
    In this example, HTML output encoding is required or more specifically, HTML attribute output encoding. URL encoding is for strings appended to the URL such as query strings otherwise your href attribute ends up looking like "http%3a%2f%2fwww". In an example like this, Encoder.HtmlAttributeEncode from the AntiXSS library is what you're really looking for.
  • priomsrb, almost 9 years ago
    @michaelsnowden I used the {{ }} syntax in the examples, but any templating library can be vulnerable to these attacks