XSS Defense by Data Type and Context
HTML Entity Encode/HTML Attribute Encoder
String Encoding
Hex Encoding
Parameter
javascript: URLs, Attribute encoding, structural validation, CSS Hex encoding, good design
Body
(JSoup, AntiSamy, HTML Sanitizer)
Cheat sheet
time
() or json2.js
Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
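As an added example (not code from the cheat sheet itself), the two rules that go with the safe-attribute list above: the attribute name is checked against that exact allowlist, and the untrusted value gets aggressive HTML attribute encoding (every character other than an ASCII letter or digit becomes a numeric entity). Function names and the sample input are my own.

```python
# Added example: placing untrusted data into one of the "safe" HTML attributes listed
# on the page. Name must be on the allowlist; value is aggressively entity-encoded so
# that quotes, spaces, '<', '>' and '&' can never terminate the attribute or the tag.

SAFE_HTML_ATTRIBUTES = frozenset("""
align alink alt bgcolor border cellpadding cellspacing class color cols colspan coords dir
face height hspace ismap lang marginheight marginwidth multiple nohref noresize noshade
nowrap ref rel rev rows rowspan scrolling shape span summary tabindex title usemap valign
value vlink vspace width
""".split())


def is_safe_attribute(name: str) -> bool:
    """True only for attribute names on the page's safe-attribute allowlist."""
    return name.lower() in SAFE_HTML_ATTRIBUTES


def encode_for_html_attribute(value: str) -> str:
    """Aggressive encoding: only ASCII letters and digits stay literal.

    Everything else (including space, quotes, '&', '<', '>', and non-ASCII
    characters) is emitted as a hexadecimal numeric entity, e.g. '"' -> &#x22;.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):02x};")  # any code point, not just Latin-1
    return "".join(out)


def render_attribute(name: str, untrusted_value: str) -> str:
    """Return 'name="encoded-value"' for a safe attribute; refuse any other name."""
    if not is_safe_attribute(name):
        raise ValueError(f"attribute {name!r} is not on the safe-attribute allowlist")
    return f'{name.lower()}="{encode_for_html_attribute(untrusted_value)}"'


if __name__ == "__main__":
    # Constructed sample input containing a quote, an ampersand and angle brackets.
    print("<img " + render_attribute("alt", 'O"Reilly & <co>') + ">")
```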