HTML Sanitization – Keeping websites safe by preventing malicious attacks

HTML sanitization is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated “safe” and desired. HTML sanitization can be used to protect against cross-site scripting (XSS) attacks by sanitizing any HTML code submitted by a user. Source – Wikipedia

Which encoding or sanitization is safe depends on the context into which the untrusted data is written. The main contexts are listed below; the same input usually needs a different treatment in each.

HTML Context

In an HTML context, data is written into an HTML page as part of the content, for example inside a <p> tag. Here the characters that can start a tag or an entity (<, >, & and, to be safe, the quote characters) must be replaced by their HTML entities so the browser treats the value as text rather than markup.

Attribute Context

In attribute context, user data is included as the attribute value of an HTML tag. Always quote the attribute and encode at least the quote characters, & and <; encoding every non-alphanumeric character is safer still, because an unquoted attribute value ends at the first whitespace. For event-handling attributes like onmouseover, onclick, onfocus, onblur or similar, you need to be more careful: the browser decodes the entities first and then evaluates the result as JavaScript, so HTML encoding alone does not protect you. The best advice is to never put input data directly into an event handler.

URL Context

A special case of the attribute context is the URL context. The values of the href and src attributes of various elements are URLs and need to be treated as such: attribute encoding does not stop a javascript: or data: URL from being followed, so the scheme should be checked against an allowlist (for example http, https and mailto) before the value is written, and only then attribute-encoded. Browsers strip tab and newline characters and leading control characters from a URL before parsing it, so the scheme check must do the same or a value such as java[TAB]script: slips through.

JavaScript Context

If input data needs to be written out in a JavaScript context, i.e., within <script> tags or in a file served as the src attribute of a <script> tag, the data should be JSON encoded. Inside an inline <script> block, JSON encoding on its own is not enough: the HTML parser ends the block at the first </script> it sees, regardless of JavaScript string syntax, so the characters <, > and & in the JSON output must additionally be escaped as \u003c, \u003e and \u0026.

CSS Context

Internet Explorer was the only major browser that allowed script execution within CSS, through the expression() syntax (deprecated, and not supported in IE8 standards mode and later). Even without expression(), untrusted data should only be written into a CSS string or identifier position, with non-alphanumeric characters hex-escaped, since a quote or parenthesis in the value can otherwise close the string or form a function call.
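The following is an added example, not code from the original article or from Smashing Magazine. It implements one encoder for each of the five contexts above (HTML content, attribute, URL, JavaScript and CSS) and writes a single hostile profile record into all of them. The function names, the scheme allowlist and the attack strings are assumptions made for the example; the encodings themselves follow the rules described in the text.

```javascript
// Added example (not from the original article): one encoder per output
// context. The same untrusted value is written into HTML content, an
// attribute, a URL attribute, a <script> block and a CSS string, each with
// the encoding that context requires. Attack inputs below are constructed.

// HTML context: entity-encode the characters that start a tag, close an
// attribute value or begin an entity.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute context: encode everything that is not alphanumeric as &#xHH;.
// Stricter than encodeForHtml because an unquoted attribute value ends at
// whitespace. Event-handler attributes are never a safe sink, encoded or not.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";");
}

// URL context: validate the scheme before the value reaches href/src.
// Browsers drop tab/newline and leading control characters from a URL, so
// the check runs on a copy with all C0 controls and spaces removed. A
// relative URL has no scheme and passes; javascript:, data:, vbscript: do not.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed allowlist
function sanitizeUrl(s) {
  const url = String(s);
  const probe = url.replace(/[\u0000-\u0020]/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (scheme && !ALLOWED_SCHEMES.has(scheme[1].toLowerCase())) {
    return "about:blank"; // inert replacement for a rejected URL
  }
  return url;
}

// JavaScript context: JSON gives a valid JS literal, but the HTML parser does
// not know JSON, so a literal "</script>" would still end the script block.
// Escape < > & (and the JS line terminators U+2028/U+2029) as \uXXXX as well.
function encodeForJavaScript(value) {
  return JSON.stringify(value === undefined ? null : value)
    .replace(/[<>&\u2028\u2029]/g,
      (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// CSS context: only write data into a string or identifier position and
// hex-escape every non-alphanumeric character (\HH followed by a space), so
// "expression(" cannot become a call and a quote cannot close the string.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => "\\" + c.codePointAt(0).toString(16) + " ");
}

// The same untrusted profile written into all five contexts.
function renderProfile(user) {
  return [
    "<p>" + encodeForHtml(user.name) + "</p>",
    '<input name="display" value="' + encodeForHtmlAttribute(user.name) + '">',
    '<a href="' + encodeForHtmlAttribute(sanitizeUrl(user.homepage)) + '">home</a>',
    "<script>var profile = " + encodeForJavaScript(user) + ";</script>",
    '<style>.badge::after { content: "' + encodeForCss(user.name) + '"; }</style>',
  ].join("\n");
}

// Constructed attack input: closes a quoted attribute, injects a tag, ends the
// script block, and hides a javascript: URL behind a tab character.
const hostileUser = {
  name: '"><img src=x onerror=alert(1)></script><script>alert(2)',
  homepage: "java\tscript:alert(document.domain)",
};

console.log(renderProfile(hostileUser));
```

Run it with Node and inspect the output: the injected <img> never appears as a tag in any context, the only </script> in the fragment is the one the template itself emits, and the href becomes about:blank because the tab-stripped scheme is javascript. A single encoder applied to all five positions would fail at least two of them.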

For further examples and more detailed information, see Smashing Magazine.