[Esapi-dev] XSS: Filter vs Encode?

Kevin W. Wall kevin.w.wall at gmail.com
Sun Dec 11 00:20:12 EST 2011


On Dec 10, 2011 11:56 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
>
> According to ASP.net and their tutorials (and at least one book I've
> looked at), data is inserted into the database unfiltered but later
> encoded to counter XSS.
>
> I'm not sure I agree with inserting contaminated data into the
> database. I think there's a potential for abuse: for example, suppose
> a page is later added which omits encoding.
>
> What is the preferred method of sanitizing input?

Jeff,
This is the so-called persistent XSS case.

When possible, you should always validate input. But that
is not always possible. Sometimes a 3rd party app may
be collecting input into the DB. Sometimes you need to
collect general input for comments or whatever & are
required to accept ALL input characters. Whatever the
reason, that's why you filter the output by properly
encoding it.

So, in a nutshell, do BOTH when possible. When not, at
least escape the output for the appropriate context.

-kevin
--
Sent from my DroidX; please excuse typos.
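The "do both" advice above in runnable form, as an added example that is not code from the original thread, from ESAPI, or from ASP.NET: a constrained field (username) is validated against an allowlist on input, free-form comment text is stored as-is and then encoded for the HTML context it lands in on output, and the "page that omits encoding" from Jeffrey's question is rendered beside it so the difference is visible. The stored comments, the regex and all function names are constructed for this illustration.

```python
import html
import re

# Constructed sample of "stored" comment data, as it would sit in the DB when
# the application is required to accept every input character (Kevin's case).
STORED_COMMENTS = [
    "Great article, thanks!",
    '<img src=x onerror="alert(1)">',      # constructed hostile input stored unfiltered
    "Tom & Jerry's \"review\"",
]

# Allowlist for a field whose format is known: validate THIS on input.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> bool:
    """Input validation: accept only what the field's format allows."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding for HTML element content (text between tags)."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Output encoding for a quoted HTML attribute value.

    Stricter than element content: everything that is not alphanumeric becomes
    a hex entity, so a stray quote or angle bracket cannot break out of the
    attribute no matter which quoting style the template used.
    """
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};" for c in value)


def render_comment_row(comment: str) -> str:
    """Correct page: each context gets the encoder that fits it."""
    return (
        f'<li data-raw="{encode_for_html_attribute(comment)}">'
        f"{encode_for_html(comment)}</li>"
    )


def render_unsafe_row(comment: str) -> str:
    """The later-added page that omits encoding, as in Jeffrey's scenario."""
    return f"<li>{comment}</li>"


def tags_in(rendered: str) -> list[str]:
    """Tag names present in rendered markup; a check a unit test can run
    against templates to catch the unsafe page before it ships."""
    return re.findall(r"<(/?[A-Za-z][A-Za-z0-9]*)", rendered)


def render_page(comments: list[str], safe: bool = True) -> str:
    row = render_comment_row if safe else render_unsafe_row
    return "<ul>" + "".join(row(c) for c in comments) + "</ul>"


if __name__ == "__main__":
    print("valid username 'kevin_w':", validate_username("kevin_w"))
    print("valid username '<script>':", validate_username("<script>"))
    for c in STORED_COMMENTS:
        print("safe  :", render_comment_row(c))
        print("unsafe:", render_unsafe_row(c))
    print("tags on safe page  :", sorted(set(tags_in(render_page(STORED_COMMENTS)))))
    print("tags on unsafe page:", sorted(set(tags_in(render_page(STORED_COMMENTS, safe=False)))))
```

The `tags_in` check is the kind of guard that addresses the abuse case in the question: a template test that asserts only the template's own tags appear when hostile sample data is rendered will fail the moment someone adds a page that forgets to encode.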