[OWASP-Security101] Security Question - Cross Site Scripting [Stored]

Paul Cartmell paul at starcode.co.uk
Tue Mar 22 15:48:55 UTC 2016


Hi there



I'm looking for some clarification on a particular issue relating to Stored Cross Site Scripting.


To protect against this vulnerability I understand that untrusted content should be escaped to prevent execution within the client.


How should the data be stored within a database - escaped or unescaped?


It is my understanding that the data can be stored unescaped and as long as the content is escaped prior to client presentation, this is acceptable.


Whilst the data is potentially unsafe if stored unescaped, if all possible routes to the client are correctly handled, is the vulnerability mitigated?


Any input gratefully received...



Thanks


Paul.

Paul Cartmell
StarCode Software
m: 07843 017397
e: paul at starcode.co.uk
w: www.starcode.co.uk
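
The approach the question describes (store the value as received, encode at the point of output for each context), shown as an added example that is not part of the original post. The table name, function names and sample input are constructed for illustration.

```python
import html
import json
import sqlite3

# Constructed sample input: untrusted text submitted by a user.
UNTRUSTED = '<script>alert(1)</script> Tom & "Jerry"'

def store(db, text):
    # Store the value exactly as received; a bound parameter handles SQL safety.
    db.execute("INSERT INTO comments(body) VALUES (?)", (text,))

def load(db):
    return db.execute("SELECT body FROM comments").fetchone()[0]

def render_html_body(text):
    # HTML element content or quoted attribute context.
    return "<p>" + html.escape(text, quote=True) + "</p>"

def render_js_string(text):
    # Inline <script> context: JSON-encode, then neutralise characters that
    # could close the script element or start markup.
    encoded = json.dumps(text)
    for ch in "<>&":
        encoded = encoded.replace(ch, "\\u%04x" % ord(ch))
    return "<script>var comment = " + encoded + ";</script>"

def render_plain_text(text):
    # Non-HTML consumer (e-mail body, CSV export, JSON API): no HTML escaping.
    return text

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments(body TEXT)")
    store(db, UNTRUSTED)
    raw = load(db)
    return {
        "stored": raw,
        "html": render_html_body(raw),
        "js": render_js_string(raw),
        "text": render_plain_text(raw),
        # If the value had been escaped before storage and the template
        # escapes again on output, entities are displayed literally.
        "double": render_html_body(html.escape(raw)),
    }

if __name__ == "__main__":
    for context, output in demo().items():
        print(f"{context:>6}: {output}")
```

The `double` entry shows the cost of escaping before storage when the output layer also escapes: the reader sees literal entity text, and HTML-escaped data would also be wrong for the JavaScript and plain-text consumers.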

