Sunday, January 26, 2014

Contents
1 Introduction
1.1 A Positive XSS Prevention Model
1.2 Why Can't I Just HTML Entity Encode Untrusted Data?
1.3 You Need a Security Encoding Library
2 XSS Prevention Rules
2.1 RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
2.2 RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
2.3 RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
2.4 RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
2.4.1 RULE #3.1 - HTML escape JSON values in an HTML context and read the data with JSON.parse
2.4.1.1 JSON entity encoding
2.4.1.2 HTML entity encoding
2.5 RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
2.6 RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
2.7 RULE #6 - Sanitize HTML Markup with a Library Designed for the Job
2.8 RULE #7 - Prevent DOM-based XSS
2.9 Bonus Rule #1: Use HTTPOnly cookie flag
2.10 Bonus Rule #2: Implement Content Security Policy
3 XSS Prevention Rules Summary
4 Output Encoding Rules Summary
5 Related Articles
6 Authors and Primary Editors
7 Other Cheatsheets

Introduction
This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. This article does not explore the technical or business impact of XSS. Suffice it to say that it can lead to an attacker gaining the ability to do anything a victim can do through their browser.
Both reflected and stored XSS can be addressed by performing the appropriate validation and escaping on the server-side. DOM Based XSS can be addressed with a special subset of rules described in the DOM based XSS Prevention Cheat Sheet .
For a cheatsheet on the attack vectors related to XSS, please refer to the XSS Filter Evasion Cheat Sheet. More background on browser security and the various browsers can be found in the Browser Security Handbook.
This article treats an HTML page like a template, with slots where a developer is allowed to put untrusted data. These slots cover the vast majority of the common places where a developer might want to put untrusted data. Putting untrusted data in other places in the HTML is not allowed. This is a "whitelist" model, that denies everything that is not specifically allowed.
Given the way browsers parse HTML, each of the different types of slots has slightly different security rules. When you put untrusted data into these slots, you need to take certain steps to make sure that the data does not break out of that slot into a context that allows code execution. In a way, this approach treats an HTML document like a parameterized database query - the data is kept in specific places and is isolated from code contexts with escaping.
This document sets out the most common types of slots and the rules for putting untrusted data into them safely. Based on the various specifications, known XSS vectors, and a great deal of manual testing with all the popular browsers, we have determined that the rules proposed here are safe.
The slots are defined and a few examples of each are provided. Developers SHOULD NOT put data into any other slots without a very careful analysis to ensure that what they are doing is safe. Browser parsing is extremely tricky and many innocuous looking characters can be significant in the right context.

Why Can't I Just HTML Entity Encode Untrusted Data?
HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as inside a <div> tag. It even sort of works for untrusted data that goes into attributes, particularly if you're religious about using quotes around your attributes. But HTML entity encoding doesn't work if you're putting untrusted data inside a <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into. That's what the rules below are all about.

You Need a Security Encoding Library
Writing these encoders is not tremendously difficult, but there are quite a few hidden pitfalls. For example, you might be tempted to use some of the escaping shortcuts like \" in JavaScript. However, these values are dangerous and may be misinterpreted by the nested parsers in the browser. You might also forget to escape the escape character, which attackers can use to neutralize your attempts to be safe. OWASP recommends using a security-focused encoding library to make sure these rules are properly implemented.
Microsoft provides an encoding library named the Microsoft Anti-Cross Site Scripti
