Output Encoding
Output encoding is the set of coding methods used to sanitize output that is built from user input.
- use context-appropriate encoding (the encoding for the place the data ends up) to prevent the execution of malicious code
- replaces dangerous characters with encoded formats
- is a defensive technique that assumes input validation:
  - may have failed
  - might not have been possible (the input could not be sanitized)
- In that context, the application needs a reliable way of distinguishing between:
  - code to execute
  - and data to process
- mitigates injection and XSS attacks that use input to run a script
- Use a secure, trusted encoding library
  - don't manually encode
Example
- if a function updates a web page based on client input, then when constructing the HTML string to send to the browser, potentially unsafe characters received as input parameters should be encoded as HTML entities
  - unsafe characters: line returns, escape characters, delimiters, etc.
  - the input will be displayed to the user as text and not executed as a script
Types
- HTML Encoding
- URL Encoding
Common Encodings
| Original Value | HTML Encoding | URL Encoding |
|---|---|---|
| < | &lt; | %3c |
| > | &gt; | %3e |
| ' | &#x27; | %27 |
| " | &quot; | %28 |
| / | &#x2F; | %2f |
| & | &amp; | %26 |
| % | &#37; | %25 |
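As an added example (not from the original notes), the following Python module applies the two encodings from the table with standard-library functions, each chosen by output context, for a hypothetical page that reflects a user-supplied name into HTML text and into a URL query parameter. `urllib.parse.quote` emits upper-case hex, which is equivalent to the lower-case forms in the table; the sample input is constructed to contain every character listed.

```python
import html
from urllib.parse import quote


def html_encode(value: str) -> str:
    """Encode untrusted text for an HTML element or attribute context.

    html.escape entity-encodes & < > " and '; the slash is added so the
    output matches the table of common encodings above."""
    return html.escape(value, quote=True).replace("/", "&#x2F;")


def url_encode(value: str) -> str:
    """Percent-encode untrusted text for use inside a URL query parameter.

    safe="" means even '/' is encoded: the value is data, not a path."""
    return quote(value, safe="")


def render_greeting(untrusted_name: str) -> str:
    """Hardened version: each interpolation uses the encoder for its own
    context (HTML text for the greeting, URL encoding for the query value)."""
    return (
        f"<p>Hello, {html_encode(untrusted_name)}!</p>"
        f'<a href="/profile?user={url_encode(untrusted_name)}">profile</a>'
    )


def render_greeting_unsafe(untrusted_name: str) -> str:
    """The 'before' version: input is pasted straight into the markup, so a
    name containing tags is parsed as code rather than shown as text."""
    return f"<p>Hello, {untrusted_name}!</p>"


# Constructed sample input containing every character from the table above.
SAMPLE_NAME = "<b>O'Brien</b> & \"Sons\" 100%"

if __name__ == "__main__":
    print(render_greeting_unsafe(SAMPLE_NAME))  # tags survive into the page
    print(render_greeting(SAMPLE_NAME))         # tags arrive as entities
```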