- Strictly implement standard ASCII or Unicode character encoding techniques to prevent injection attacks
- Sanitize rejected data and don’t store erroneous log data in applications
- Create rules for maximum length and usage of special characters for inputs from external sources
- Use HTML encoding and URL encoding for user inputs to restrict script injection attacks from running in the browser
- Use compatible encodings on both sides of a communication channel to eliminate risks of data corruption
- Create rules for data validation by listing input characters from strongest to weakest such as:
– Limit exact matches
– Accept desirable known
– Reject known undesirables
– Sanitize known undesirable matches
Cross-site Scripting (XSS) Countermeasures
- Use HTML and URL encoding to ensure all the input values are validated before being echoed back to the user
- Take necessary precautions while using dynamic environments that execute script and retrieve data
- Configure the web browser to disable scripting
- Use filter techniques that store and process input variables on the server
- Use properly designed error handling mechanisms for reporting input errors
- Implement character encoding techniques for web pages such as ISO-8859-1 or UTF-8
Cheng® 