ESAPI SwingSet - Cross-Site Scripting (XSS)

All of the data on this page is passed through Django's automatic escaping routine, which escapes the 5 key XML characters. You can find the escaping routine for Django 1.2.1 here.

This 5 character escaping is very common in templating engines, but it doesn't provide provide full protection. Take a look at the CSS examples and examples without quotes.

RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content

Normal Element Content, common attacks are:

Inject down into script context by introducing a element
- <script>alert('xss1a')</script>
- <img src=1 onerror=alert('xss1b')>
Clear form

Source HTML: <span></span>

Rendered HTML:

RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

Unquoted Attribute, common attacks are:

Inject up to another attribute using whitespace characters (ASCII 9, 10, 11, 12, 13, 32)
- dummy onmouseover=alert('xss2.1a')
Inject up to the containing HTML element with >
- dummy><script>alert('xss2.1b')</script>
Clear form

Source HTML: <span class=>test</span>

Rendered HTML: test

Quoted Attribute, common attacks are:

Inject up to another attribute with " or ' depending on what quotes were used
- dummy" onmouseover="alert('xss2.2a')
Inject up to the containing HTML element with ">
- "><script>alert('xss2.2b')</script><span class="
Clear form

Source HTML: <span class="">test</span>

Rendered HTML: test

RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values

Unquoted value, common attacks are: Note that JavaScript escaping can be \A (ascii) or \xHH (hex) or \OOO (octal)

Inject up to another attribute with ; | and many others
- 50; alert('xss3.1a')
Inject down with a JavaScript expression
- 50 + alert('xss3.1b')
Clear form

Source HTML: <img src="/img/favicon.ico" onload="var i=;">

Rendered HTML:

Quoted value, common attacks are: Note that JavaScript escaping can be \A (ascii) or \xHH (hex) or \OOO (octal)

Inject up to the JavaScript context with " or ' depending on what quotes were used
- dummy'; alert('xss3.2a'); var j='
Inject up to the containing HTML element with ">
- dummy'"><script>alert("xss3.2b")</script>"
Clear form

Source HTML: <img src="/img/favicon.ico" onload="var i=''">

Rendered HTML:

RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values

Unquoted Style Attribute, common attacks are:

Inject up to another attribute using whitespace characters (ASCII 9, 10, 11, 12, 13, 32)
- dummy onmouseover=alert('xss4.1a')
Inject up to the containing HTML element with >
- dummy><script>alert('xss4.1b')</script>
Inject down using xss:expression
Clear form

Source HTML: <span style=>test</span>

Rendered HTML: test

Quoted Style Attribute, common attacks are:

Inject up to another attribute with " or ' depending on what quotes were used
- dummy" onmouseover="alert('xss4.2a')"
Inject up to the containing HTML element with ">
Inject down using xss:expression
Clear form

Source HTML: <span style="">test</span>

Rendered HTML: test

RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Attributes

Unquoted URL attribute, common attacks are:

Inject up to another attribute using whitespace characters (ASCII 9, 10, 11, 12, 13, 32)
- dummy onmouseover=alert('xss5.1a')
Inject up to the containing HTML element with >
- dummy><script>alert('xss5.1b')</script>
Inject down with javascript: type URLs
Clear form

Source HTML: <a href=>test</a>

Rendered HTML: test

Quoted URL Attribute, common attacks are:

Inject up to another attribute with " or ' depending on what quotes were used
- dummy" onmouseover="alert('xss5.2a')"
Inject up to the containing HTML element with ">
- dummy"><script>alert('xss5.2b')</script><a href="
Inject down with javascript: type URLs
Clear form

Source HTML: <a href="">test</a>

Rendered HTML: test