Cross-site scripting (XSS) remains one of the most common classes of web vulnerability, so websites need to be built with a few rules in mind to avoid being compromised. Treat every piece of data that comes from outside the application (request parameters, headers, cookies, values other users stored in the database) as untrusted and potentially harmful. Input validation on the way in is useful, but it does not make the data trustworthy: the decision that matters is how to encode it for the exact place in the page where it is inserted.
The OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet lays out a set of rules for preventing XSS attacks. Among other things, you should:
- RULE #0 – Never Insert Untrusted Data Except in Allowed Locations
- RULE #1 – HTML Escape Before Inserting Untrusted Data into HTML Element Content
- RULE #2 – Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
- RULE #3 – JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
- RULE #4 – CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
- RULE #5 – URL Escape Before Inserting Untrusted Data into HTML URL Attributes
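The point of rules #1 to #5 is that each insertion context has its own escaping format, and the encoder for one context does not protect another. The following is an added example, not code from the cheat sheet or from any library: the five encoders are written here from the escaping formats the rules describe, the sample payload and the small HTML fragments are constructed, and the helper names (`render`, `parsed_attributes`, `unquoted_title`) are this example's own. The attribute check uses Python's standard-library HTML parser to show what an HTML parser makes of an unquoted attribute when the wrong encoder is used.

```python
"""Context-specific output encoding for OWASP XSS Prevention Cheat Sheet
rules #1 to #5. Added example: the encoders follow the escaping formats the
rules describe but are written here from scratch, not taken from the cheat
sheet or any library. All names and the sample payload are constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker input that tries to close every context at once.
PAYLOAD = "\"><script>alert('xss')</script><a b=\"c onmouseover=alert(1)"


def _is_ascii_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def encode_html_content(s: str) -> str:
    """RULE #1: escape & < > " ' for text between tags."""
    return html.escape(s, quote=True)


def encode_html_attribute(s: str) -> str:
    """RULE #2: escape every char except [A-Za-z0-9] as &#xHH;, so the value
    cannot end the attribute even when the attribute is not quoted."""
    return "".join(c if _is_ascii_alnum(c) else f"&#x{ord(c):02X};" for c in s)


def encode_js_string(s: str) -> str:
    """RULE #3: \\xHH for non-alphanumeric chars below 0x100, \\uHHHH above.
    Valid only inside a quoted JS string literal; U+2028/U+2029 are line
    terminators in JavaScript, so they must be escaped as well."""
    out = []
    for c in s:
        if _is_ascii_alnum(c):
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def encode_css_value(s: str) -> str:
    """RULE #4: escape every non-alphanumeric char for a CSS property value.
    The six-digit \\HHHHHH form is used instead of the shorter \\HH because a
    short escape followed by a hex digit ('\\3C' + 'a') is read as one code
    point by the CSS tokenizer."""
    return "".join(c if _is_ascii_alnum(c) else f"\\{ord(c):06X}" for c in s)


def encode_url_parameter(s: str) -> str:
    """RULE #5: percent-encode a value that becomes one query parameter.
    Not for whole attacker-supplied URLs: encoding does not neutralise a
    'javascript:' scheme; validate the scheme of a full URL instead."""
    return quote(s, safe="")


def render(untrusted: str) -> str:
    """Insert the same untrusted string into all five contexts, each with its
    own encoder. Nested contexts are encoded inside-out: the href value is
    URL-encoded first, then the whole href is attribute-encoded."""
    href = "/search?q=" + encode_url_parameter(untrusted)
    return (
        f"<div>{encode_html_content(untrusted)}</div>\n"
        f"<div title={encode_html_attribute(untrusted)}>unquoted attribute</div>\n"
        f"<script>var name = '{encode_js_string(untrusted)}';</script>\n"
        f'<div style="font-family: {encode_css_value(untrusted)}">styled</div>\n'
        f'<a href="{encode_html_attribute(href)}">search</a>\n'
    )


class _AttrCollector(HTMLParser):
    """Collects (name, value) pairs the way an HTML parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attributes(fragment: str) -> list:
    """Return the attributes the stdlib HTML parser extracts from the fragment."""
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return p.attrs


def unquoted_title(untrusted: str, encoder) -> str:
    """Unquoted attribute: the rule #1 encoder leaves space and '=' alone, so
    'x onmouseover=alert(1)' becomes a second attribute; the rule #2 encoder
    keeps the whole string inside the title value."""
    return f"<div title={encoder(untrusted)}>hover me</div>"


if __name__ == "__main__":
    print(render(PAYLOAD))
    for enc in (encode_html_content, encode_html_attribute):
        print(enc.__name__, parsed_attributes(unquoted_title("x onmouseover=alert(1)", enc)))
```

Running the script shows the same payload rendered harmlessly in all five contexts, then the attribute experiment: with `encode_html_content` the parser reports two attributes (`title` and `onmouseover`), with `encode_html_attribute` it reports one. Two design points carry over to real templates: when contexts nest (a URL inside an attribute), encode for the innermost context first and the outer one last; and these encoders cover data written into the page by the server, so untrusted data that client-side JavaScript later writes into the DOM still needs its own handling.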
Attackers keep finding new ways to break websites, so there are no guarantees, but applying these rules consistently, with the encoder matched to the context every time untrusted data is written into a page, greatly reduces the chance of being hacked.