XSS prevention techniques

dl padmavathi
Jun 15, 2020

HTML encoding: HTML encoding can be used for XSS protection if we keep untrusted data inside HTML tags such as <div>, but it will not work for untrusted data put inside <script> tags or in links such as <img src=javascript:…> or <a href=javascript:…>. For such things we need to use HTML escaping.

Blacklists are fragile; whitelists are designed to provide protection against such vulnerabilities even if future vulnerabilities are introduced by the server.

Rule 0:

Never put untrusted data anywhere except in the allowed locations. In particular, never put it:

  • Inside a script tag.
  • Inside an HTML comment.
  • Inside an attribute name.
  • In a tag name.
  • Inside a CSS style.
  • In parameters such as callback, where no amount of escaping will fix the problem. For such parameters, do not accept untrusted JavaScript code and run it.

Rule 1:

Escape the input data before inserting it into HTML element content. Escape it by using HTML encoding.

Rule 2:

Escape the input data before inserting it into a simple attribute such as width, name or value. This rule should not be used for complex attributes such as href, src, style or event handlers like onmouseover. Encode every character other than alphanumerics as &#xHH;. Developers should always quote attributes so that the values are escaped correctly.

Rule 3:

This rule is for data put into script tags and event handlers. The untrusted data has to be placed inside quotes. Even when some of the characters are escaped, there are JavaScript functions that remain open to XSS after escaping. Escape the data using the \xHH format. Don't use shortcut escapes like \" because they are susceptible to escape-the-escape attacks.

A </script> tag inside the quotes will still close the script block, because the HTML parser runs before the JavaScript parser.

Rule 4:

Escape untrusted data before putting it into a CSS style property. Do not allow a URL that starts with javascript instead of http.

Rule 5:

URL values should be escaped correctly before they are inserted into URLs such as href or img src. Use %HH format escaping.

Rule 6:

Sanitize HTML with a library designed for the job.

Rule 7:

Avoid using JavaScript URLs.

Bonus rule 1:

Use the HttpOnly flag on data such as session cookies or any other secret data that shouldn't be accessed by JavaScript.

Bonus rule 2:

Implement a Content Security Policy to restrict things such as which websites scripts may be loaded from.

Bonus rule 3:

Use an Auto-Escaping Template System.

Bonus rule 4:

Include the X-XSS-Protection header in the response. This protection is enabled by default in the browser, but if the user disables it, this header will enable it again.

Bonus rule 5:

Use modern JS frameworks like ReactJs and Angular.

<a href="<%=encoder.encodeForHTMLAttribute(userURL)%>">link</a>

Use language-based sanitizing such as HTML Sanitizer, DOMPurify or Python's bleach.

Output encoding

Use HTML Entity Encoding, HTML Attribute Encoding, URL Encoding, JavaScript Encoding and CSS Hex Encoding.
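The encodings listed above, one function per output context, as an added example that is not part of the original post. These are minimal stand-alone implementations whose names only mirror the Encoder calls quoted on this page; they are not the API of any encoder library, and the sample input is constructed.

```javascript
// Added example: one encoder per output context. Names are illustrative.
const hex = (n, width) => n.toString(16).toUpperCase().padStart(width, '0');

// HTML element content: entity-encode the characters that can open markup.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Simple quoted attribute values: &#xHH; for everything non-alphanumeric.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${hex(c.codePointAt(0), 2)};`);
}

// Quoted JavaScript string: \xHH (or \uHHHH per UTF-16 unit), never \" shortcuts.
function encodeForJS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const u = c.charCodeAt(0);
    return u < 0x100 ? '\\x' + hex(u, 2) : '\\u' + hex(u, 4);
  });
}

// CSS property value: backslash plus six hex digits, so no terminator is needed.
function encodeForCSS(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => '\\' + hex(c.codePointAt(0), 6));
}

// URL parameter value: %HH for every non-alphanumeric UTF-8 byte.
function encodeForURL(s) {
  return Array.from(new TextEncoder().encode(String(s)), (b) =>
    /[A-Za-z0-9]/.test(String.fromCharCode(b)) ? String.fromCharCode(b) : '%' + hex(b, 2)
  ).join('');
}

// Whole URLs for href/src: parse first, then allow only http(s) schemes.
function isAllowedURL(url) {
  try {
    return ['http:', 'https:'].includes(new URL(String(url)).protocol);
  } catch {
    return false; // relative or unparseable input is rejected in this sketch
  }
}

const sample = '</script>"'; // constructed sample input
console.log(encodeForHTML(sample), encodeForJS(sample), encodeForURL(sample));
```

The same input produces a different output in each context, which is why the encoder has to be chosen by where the value lands rather than by where it came from.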


Rule 1: HTML escape and then JS escape. Many default escaping functions are present.

element.innerHTML = "<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>";
element.outerHTML = "<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>";
document.write("<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>");
document.writeln("<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>");

Rule 2: JavaScript encoding for some of the attributes, because inputs such as & have to be displayed in the HTML context.

Rule 3: JavaScript encoding before accepting input into attributes.

Rule 4: JavaScript encoding of the URL-encoded value if inserting into CSS attributes.

Rule 5: Same as rule 4 above, for href or img src URLs.

Rule 6: Populate the data using safe functions or properties.

Rule 7: Fixing DOM-side vulnerabilities:


