Cross-site Scripting at EE

I am writing a web application in JSP that will accept input from users. I am trying to make it as secure as possible. I read this page
http://support.microsoft.com/default.aspx?scid=kb;en-us;252985
They recommend filtering or encoding the following special characters
< > " ' % ; ) ( & + -
So I thought I would see what EE does here. So, I will look at the source code for this page and record my findings in my next comment. rrz
!!!!!!!!!!!!< > " ' % ; ) ( & + -!!!!!!!!!!!!
Asked by rrz

ahoffmann commented:
Encoding & is not that bad, but currently not necessary if you encode the others properly *and* you only use tag attributes enclosed in " or ' (which is the W3C recommendation anyway :)

rrz (author) commented:
I looked at the source code for this page, and for this line
< > " ' % ; ) ( & + -
the source code looks like this
&lt; &gt; &quot; ' % ; ) ( &amp; + -

If anybody has any comments, then please post them. I presume EE's security is adequate. rrz

ahoffmann commented:
EE is XSS safe, mainly ;-)
You have to do proper input data validation and then proper output data validation, where you replace special characters like " < > and ' with their HTML entities. That's it.

rrz (author) commented:
ahoffmann, thank you for your time. So, you recommend encoding " <> and ', whereas EE encodes " <> &.
I wonder why the page I linked to also recommends replacing ; ) ( + -

rrz (author) commented:
Oh, I see now you wrote
like " < > and '

rrz (author) commented:
Thanks for your comments.