-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathXSS.qhelp
More file actions
41 lines (29 loc) · 1.03 KB
/
XSS.qhelp
File metadata and controls
41 lines (29 loc) · 1.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Directly writing user input (for example, an HTTP request parameter) to a webpage,
without properly sanitizing the input first, allows for a cross-site scripting vulnerability.</p>
</overview>
<recommendation>
<p>To guard against cross-site scripting, consider using contextual output encoding/escaping before
writing user input to the page, or one of the other solutions that are mentioned in the
references.</p>
</recommendation>
<example>
<p>The following example shows the page parameter being written directly to the server error page,
leaving the website vulnerable to cross-site scripting.</p>
<sample src="XSS.cs" />
</example>
<references>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
(Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
</references>
</qhelp>