Cross Site Scripting
Description
Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types:
- Inside HTML tags: `<div>context 1</div>`
- Inside attributes: `<div class="context 2"></div>`
- Inside event attributes: `<button onclick="context 3">button</button>`
- Inside script blocks: `<script>var x = "context 4"</script>`
- Unsafe element HTML assignment: `element.innerHTML = "context 5"`
- Inside URLs: `<iframe src="context 6"></iframe><a href="context 6">link</a>`
Script blocks alone can be encoded in multiple ways. Exercise caution if user input must be written outside script tags.
Remediation
User input displayed in the application must be encoded, sanitized, or validated so it isn't treated as HTML or executed as JavaScript code. Be careful not to mix server-side templating with client-side templating, because the server side doesn't encode text like `{{ 7*7 }}`, which might execute client-side features.
Do not encode user input before inserting it into a data store. The data must be encoded based on its output context. It is much safer to force the displaying system to handle the encoding.
Consider using built-in framework capabilities for automatically encoding user input. If you can’t automatically encode input, be careful to use the proper output encoding. The following recommendations are a best effort, and might not work in all circumstances.
Encode the following inside HTML tags, excluding `script`:
- `<` to `&lt;`
- `>` to `&gt;`
- `'` to `&#39;`
- `"` to `&quot;`
- `=` to `&#61;`
Encode the following inside attributes, excluding event attributes:
- `<` to `&lt;`
- `>` to `&gt;`
- `'` to `&#39;`
- `"` to `&quot;`
- `=` to `&#61;`
Encode the following inside event attributes, script blocks, and unsafe HTML assignment:
- Literal tab character to `\t`
- Literal new line character to `\n`
- Literal vertical tab character to `\u000b`
- Literal form feed character to `\f`
- Literal carriage return character to `\r`
- Literal equal sign (`=`) to `\u003d`
- Literal back tick (`` ` ``) to `\u0060`
- Literal double quote (`"`) to `\u0022`
- Literal ampersand (`&`) to `\u0026`
- Literal single quote (`'`) to `\u0027`
- Literal plus symbol (`+`) to `\u002b`
- Literal forward slash (`/`) to `\/`
- Literal less than symbol (`<`) to `\u003c`
- Literal greater than symbol (`>`) to `\u003e`
- Literal open parenthesis (`(`) to `\u0028`
- Literal close parenthesis (`)`) to `\u0029`
- Literal open bracket (`[`) to `\u005b`
- Literal close bracket (`]`) to `\u005d`
- Literal open brace (`{`) to `\u007b`
- Literal close brace (`}`) to `\u007d`
- Literal back slash (`\`) to `\\`
This list is not exhaustive. You might need to encode additional characters depending on context.
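The two encoding lists (HTML tags and attributes, then the JavaScript-string contexts) carried into working encoders, as an added example that is not code from the original page. `encodeForHtml` and `encodeForAttribute` apply the five HTML replacements, `encodeForJs` applies the script-context list, `isSafeJsStringPayload` is a check written for this example to show why the HTML encoder is the wrong tool for a script context, and `renderContexts` places one value into the first five contexts from the Description. All function names and the sample input are ours.

```javascript
// Added example, not code from the original page: the mapping lists above
// turned into context-specific encoders. Function and variable names are ours.

// HTML text content and non-event attribute values: the same five characters
// become character references. (Encoding '&' as '&amp;' as well is common
// practice but is not part of the page's list, so it is left out here.)
const HTML_ENTITIES = new Map([
  ['<', '&lt;'],
  ['>', '&gt;'],
  ["'", '&#39;'],
  ['"', '&quot;'],
  ['=', '&#61;'],
]);

function encodeForHtml(input) {
  return String(input).replace(/[<>'"=]/g, (ch) => HTML_ENTITIES.get(ch));
}

// Attribute values get the same treatment; the caller must still wrap the
// value in quotes, otherwise a space ends the attribute.
const encodeForAttribute = encodeForHtml;

// JavaScript string contexts (event attributes, <script> blocks, and the
// source of an innerHTML assignment). Control characters and the two slashes
// get their short escapes; every other listed character becomes \uXXXX.
const JS_SHORT_ESCAPES = new Map([
  ['\t', '\\t'],
  ['\n', '\\n'],
  ['\f', '\\f'],
  ['\r', '\\r'],
  ['/', '\\/'],
  ['\\', '\\\\'],
]);
const JS_UNICODE_ESCAPED = new Set([...'\v=`"&\'+<>()[]{}']);

function encodeForJs(input) {
  let out = '';
  for (const ch of String(input)) {
    if (JS_SHORT_ESCAPES.has(ch)) {
      out += JS_SHORT_ESCAPES.get(ch);
    } else if (JS_UNICODE_ESCAPED.has(ch)) {
      out += '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    } else {
      out += ch;
    }
  }
  return out;
}

// Check: true when `s` contains no raw character from the script-context list
// and every backslash starts one of the escape forms encodeForJs produces.
// A value that passes cannot end the surrounding string literal, contain a
// "</script>" sequence, or (in an event attribute) carry a character
// reference such as &quot; that the HTML parser decodes before the script runs.
const JS_MUST_ESCAPE = new Set([...'\t\n\v\f\r=`"&\'+/<>()[]{}\\']);

function isSafeJsStringPayload(s) {
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ch === '\\') {
      const next = s[i + 1];
      if (next === 'u' && /^[0-9a-fA-F]{4}$/.test(s.slice(i + 2, i + 6))) {
        i += 5;
      } else if (next !== undefined && 'tnfr/\\'.includes(next)) {
        i += 1;
      } else {
        return false;
      }
    } else if (JS_MUST_ESCAPE.has(ch)) {
      return false;
    }
  }
  return true;
}

// One user-controlled value placed in each of the first five contexts from
// the Description, each with the encoder that matches it. The innerHTML
// string is parsed as HTML once assigned (after the script escapes are
// undone), so it is HTML-encoded first and then escaped for the script.
function renderContexts(userInput) {
  return {
    html: `<div>${encodeForHtml(userInput)}</div>`,
    attribute: `<div class="${encodeForAttribute(userInput)}"></div>`,
    event: `<button onclick="show('${encodeForJs(userInput)}')">button</button>`,
    script: `<script>var x = "${encodeForJs(userInput)}"</script>`,
    innerHtml: `element.innerHTML = "${encodeForJs(encodeForHtml(userInput))}"`,
  };
}

// Constructed sample input: characters a profile field might plausibly carry.
const SAMPLE = 'O\'Neil <b>"x"</b>=1\n\\tmp';

console.log(renderContexts(SAMPLE));
```

Running the file with `node` prints the five snippets for `SAMPLE`. The `isSafeJsStringPayload` check passes for `encodeForJs(SAMPLE)` and fails for `encodeForHtml(SAMPLE)`: the HTML encoder leaves the newline and backslash untouched and introduces `&`, which an event attribute decodes back into the quote before the JavaScript is parsed. For `innerHTML`, assigning to `textContent` instead avoids the double-context problem altogether.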
Inside URLs:
- Never allow user input to be printed in URLs. Attackers could inject `javascript:...` code or malicious links.
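The URL rule above, as an added example that is not code from the original page: rather than printing a user-supplied link into `href` or `src`, the value is parsed and only known schemes (and, optionally, known hosts) are accepted; anything else is rendered as plain text. Function names, the `example.invalid` base origin and the sample inputs are ours.

```javascript
// Added example, not code from the original page: validate a user-supplied
// link before it is used as a URL. Names and the base origin are ours;
// example.invalid is a constructed placeholder.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalised absolute URL, or null when the input must not be used
// as a link target. The WHATWG URL parser lowercases the scheme and strips
// ASCII tab/newline, so 'JAVA\tSCRIPT:' is still recognised as javascript:
// (a naive prefix check on the raw string would miss it).
function safeHref(userInput, base = 'https://example.invalid/', allowedHosts = null) {
  const raw = String(userInput).trim();
  if (raw === '') return null;
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // A scheme allowlist alone still lets '//other.invalid/' through; when the
  // link should stay on known hosts, check the host as well.
  if (allowedHosts && !allowedHosts.includes(url.host)) return null;
  return url.href;
}

// Minimal attribute encoder for the rendered href and link text (a URL may
// legitimately contain '&', which is written as '&amp;' inside an attribute).
function encodeAttr(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Builds the anchor; when the URL is rejected the text is rendered without a
// link rather than with a "sanitised" guess at what the user meant.
function renderLink(text, userUrl, options = {}) {
  const href = safeHref(userUrl, options.base, options.allowedHosts);
  const label = encodeAttr(text);
  return href === null ? `<span>${label}</span>` : `<a href="${encodeAttr(href)}">${label}</a>`;
}

// Constructed sample inputs.
console.log(renderLink('docs', '/docs/a?b=1&c=2'));
console.log(renderLink('home', 'javascript:void(0)'));
console.log(renderLink('elsewhere', '//other.invalid/x', { allowedHosts: ['example.invalid'] }));
```

Relative paths resolve against the application's own origin, `javascript:` and `data:` inputs are dropped even when obfuscated with case or embedded tabs, and the optional host allowlist closes the protocol-relative case that a scheme check alone would accept.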
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
79.1 | false | 79 | Active | high |