[Esapi-dev] XSS: Filter vs Encode?
Kevin W. Wall
kevin.w.wall at gmail.com
Sun Dec 11 00:20:12 EST 2011
On Dec 10, 2011 11:56 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
> According to ASP.net and their tutorials (and at least one book I've
> looked at), data is inserted into the database unfiltered but later
> encoded to counter XSS.
> I'm not sure I agree with inserting contaminated data into the
> database. I think there's a potential for abuse: for example, suppose
> a page is later added which omits encoding.
> What is the preferred method of sanitizing input?
This is the so-called persistent XSS case.
When possible, you should always validate input. But that
is not always possible. Sometimes a 3rd party app may
be collecting input into the DB. Sometimes you need to
collect general input for comments or whatever & are
required to accept ALL input characters. Whatever the
reason, that's why you filter the output by properly
So, in a nutshell, do BOTH when possible. When not, at
least escape the output for the appropriate context.
Sent from my DroidX; please excuse typos.
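As an added illustration of the "do BOTH" advice above (example code written for this archive page, not from the thread or from the ESAPI library): an allow-list validator for a field whose shape is known, beside context-specific output encoders for a comment field that had to accept every character. The stored comment, the username pattern and the three rendering contexts are constructed assumptions.

```python
import html
import json
import re

# Constructed sample: a stored comment that had to be accepted verbatim
# (the "accept ALL input characters" case). Assumption: it was written to
# the DB by a third-party form, so no validation happened on the way in.
STORED_COMMENT = 'Nice post! <script>alert(1)</script> "quoted" & it\'s'

# Assumed shape for a username: an allow-list, so validation is possible.
USERNAME_RE = re.compile(r'[A-Za-z0-9_.-]{1,32}')

def is_valid_username(value: str) -> bool:
    """Positive validation: accept only the expected character set."""
    return USERNAME_RE.fullmatch(value) is not None

def encode_html_body(s: str) -> str:
    """Context: text between tags. Entity-encodes & < > " and '."""
    return html.escape(s, quote=True)

def encode_html_attr(s: str) -> str:
    """Context: inside a quoted attribute. Stricter than the body encoder:
    every non-alphanumeric character becomes a numeric entity, so nothing
    in the value can close the quote or start a new attribute."""
    return ''.join(c if (c.isascii() and c.isalnum()) else f'&#x{ord(c):x};'
                   for c in s)

def encode_js_string(s: str) -> str:
    """Context: a JavaScript string literal inside a <script> block.
    json.dumps yields a quoted, backslash-escaped literal; < and > are also
    escaped so the data can never contain a literal '</script>'."""
    return json.dumps(s).replace('<', '\\u003c').replace('>', '\\u003e')

def render_comment(author: str, comment: str) -> str:
    """Output the same stored comment into three contexts, each escaped
    for that context; this is the step a page must never omit."""
    if not is_valid_username(author):
        raise ValueError(f'rejected author name: {author!r}')
    return (f'<div data-author="{encode_html_attr(author)}">'
            f'<p>{encode_html_body(comment)}</p>'
            f'<script>var c = {encode_js_string(comment)};</script>'
            f'</div>')

if __name__ == '__main__':
    print(render_comment('kevin.w.wall', STORED_COMMENT))
```

The username check happens on input because its shape is known; the comment is only made safe on output, once per context, which is why a page that skips that step reintroduces the bug.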