Avoid XSS with an HTML tag, for example <pre class = "prettyprint-override">

Question

Avoid XSS with an HTML tag, for example <pre class = "prettyprint-override">

I have a simple web page that takes request elements and processes them on the page. Example URL:

http://quir.li/player.html?media=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D0VqTwnAuHws

Then the page has a URL displayed somewhere on the page:

 <span id="sourceUrlDisplay">http://www.youtube.com/watch?v=0VqTwnAuHws</span>

I feel this makes the page vulnerable to XSS if the page loads with a URL containing something similar to

 http://quir.li/player.html?media=<script>alert('test')</script>

I found that rendering the url into a <pre> does not help. Is there a simple solution for this, for example, an HTML tag whose contents are not really interpreted, but simply printed?

Note. This question is somewhat similar to this, but more general.

+7

html tags xss pre

Marcel Jan 4 '13 at 13:38

source share

2 answers

You should avoid special HTML characters to remove their special meaning. For example, in PHP, the htmlspecialchars() function is intended for such screening.

+1

Marat tanalin Jan 4 '13 at 13:44

source share

Jjj · Accepted Answer · 2013-01-04T13:45:09+0000

No, in HTML there is no tag that would prevent XSS attacks, and this cannot be done. Suppose there was such a tag, say, <safe> . An attacker only needs to close it: </safe><script> malicious code </script><safe> .

The ways to stop XSS in this particular case are to dump special characters in their URLs to encode URLs, so http://quir.li/player.html?media=<script>alert('test')</script> becomes http://quir.li/player.html?media=%3Cscript%3Ealert('test')%3C%2Fscript%3E .

Avoid XSS with an HTML tag, for example <pre class = "prettyprint-override">

More articles: