11 March 2010

Input Validation and Output Encoding

Input validation and output encoding are key aspects of web application security. This morning I've just been using a data search on a website and came across this when no results were found:

Partial screen capture from a website's data search form with 'escape(escape())' appearing adjacent to one of the search criteria labels

I imagine "escape(escape())" is some attempt at preventing cross-site scripting (XSS), but implemented correctly. Interestingly, when search results are found there are several "-->" appearing. Another indicator of output encoding problems.

Partial screen capture from a website's data search form with several '-->' displayed beside the search criteria details

It doesn't have to be difficult - read the OWASP XSS Prevention Cheat Sheet.

Posted on: 11 March 2010 at 11:00 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Input Validation and Output Encoding
http://www.clerkendweller.com/2010/3/11/Input-Validation-and-Output-Encoding
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2010/3/11/Input-Validation-and-Output-Encoding
Requested by 38.107.179.224 on Saturday, 4 February 2012 at 21:01 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2010-2012 clerkendweller.com