[thelist] [Server-side Security] stopping script / html injection

Lee Kowalkowski lee.kowalkowski at googlemail.com
Tue Jul 24 04:04:02 CDT 2007

On 24/07/07, Paul Bennett <Paul.Bennett at wcc.govt.nz> wrote:
> Hi all,
> I've been asked to loosen up security checks for part of a web application being released soon. My usual course of action is to set up a strict set of allowed characters and use a regex to check, then strip tags and escape the data before db insertion. Now I've been asked to allow as wide a scope of characters as possible but not allow any HTML or script.
> I've set up a generic function to check for the following: <, >, &lt;, &gt; and reject the data if they're found.
> Is there any other way a l33t skr1pt k1dd13 could inject HTML / JS into my lovely code?

It depends how you render user input, not what user input you accept.
I personally think transforming user input on the way in is
short-sighted and will prevent you from re-purposing that input and
even knowing for sure what the user actually entered.  The escaping of
data for use in HTML is different to that being used on a URI or in
JavaScript or in SQL.

If you are rendering a piece of data (no matter what its origin) you
ought to be escaping accordingly.  If you're inserting data into a
HTML block (inside a <P> element for example), you'll need to escape <
and >.

If a user has entered &lt; or &gt; that shouldn't cause a problem, but
you might want it to render exactly like that therefore the ampersands
would need escaping too.

If you're inserting data into a HTML element's attribute, e.g. <input
... value="<%=value1%>"> - You'll need to escape double quotes (to
&quot;) to prevent the premature termination of that attribute's
value.  It would not be a bad idea to escape single quotes if you're
not sure that double quotes are being consistently used.

If you're inserting data into JavaScript (e.g. var username =
"<%=username%>"), you'll need to escape double quotes there too (but
with the backslash character) - unless they have already been
HTML-escaped because the intention is to insert it into the document.
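As an added example (not code from this thread), the three context-specific escapers described above applied to one stored value, so the raw input is kept and escaping happens only at render time. It assumes a Python back end; the JavaScript escaper also escapes angle brackets and newlines, which goes beyond what the post mentions.

```python
# Added example: one escaper per output context. The raw input is stored
# unchanged; each renderer escapes for the place the value lands in.

# Constructed sample "user input" with characters special in each context.
SAMPLE = 'Tom & Jerry <b>"quoted"</b> it\'s &lt;ok&gt;'


def escape_html_text(s: str) -> str:
    """Escape for text content, e.g. inside <p>...</p>.
    '&' is escaped first so that a literal '&lt;' typed by the user
    is rendered as the characters '&lt;' rather than as '<'."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_html_attr(s: str) -> str:
    """Escape for a quoted attribute value, e.g. <input value="...">.
    Both quote styles are escaped in case the templates are not
    consistent about which one delimits attributes."""
    return (escape_html_text(s)
            .replace('"', "&quot;")
            .replace("'", "&#39;"))


def escape_js_string(s: str) -> str:
    """Escape for a JavaScript string literal, e.g. var username = "...";
    Backslash must be handled first, then the quotes. Angle brackets and
    line breaks are also escaped (\\uXXXX / \\n) as an added precaution
    for literals placed inside an inline <script> block."""
    out = s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")
    for ch, rep in (("<", "\\u003c"), (">", "\\u003e"),
                    ("\n", "\\n"), ("\r", "\\r")):
        out = out.replace(ch, rep)
    return out


def render_page(value: str) -> str:
    """Render the same stored value into all three contexts."""
    return (
        f"<p>{escape_html_text(value)}</p>\n"
        f'<input type="text" value="{escape_html_attr(value)}">\n'
        f'<script>var username = "{escape_js_string(value)}";</script>'
    )


if __name__ == "__main__":
    print(render_page(SAMPLE))
```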
