I'm inserting untrusted data into the href attribute of an <a> tag.

Based on the OWASP XSS Prevention Cheat Sheet, I should URI encode the untrusted data before inserting it into the href attribute.

But would HTML encoding also prevent XSS in this case? I know that it's a URI context and therefore I should use URI encoding, but are there any security advantages of URI encoding over using HTML encoding in this case?

The browser will render the link properly in both cases as far as I know.

2 Answers

I'm assuming this is Rule #5:

URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

(Not rule #35.)

This is referring to individual parameter values:

<a href="http://www.example.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>

URL and HTML encoding protect against different things.

URL encoding prevents a parameter breaking out of a URL parameter context:

e.g. ?firstname=john&lastname=smith&salary=20000

Say this is a back-end request made by an admin user. If john and smith aren't correctly URL encoded then a malicious front-end user might enter their name as john&salary=40000 which would render the URL as

?firstname=john&salary=40000&lastname=smith&salary=20000

and say the back-end application takes the first parameter value in the case of duplicates. The user has successfully doubled their salary. This attack is known as HTTP Parameter Pollution.

So if you're inserting a parameter into a URL which is then inserted into an HTML document, you technically need to URL encode the parameter, then HTML encode the whole URL. However, if you follow the OWASP recommendation to the letter:

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format.

then this will ensure no characters with special meaning to HTML will be output, therefore you can skip the HTML encoding part, making it simpler.

Example - If user input is allowed to build a relative link (to http://server.com/), and javascript:alert(1) is provided by the user.

URL-encoding: <a href="javascript%3Aalert%281%29"> - Link will lead to http://server.com/javascript%3Aalert%281%29

Entity-encoding only: <a href="javascript&colon;alert&lpar;1&rpar;"> - Click leads to javascript execution
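As an added illustration (not code from either answer), the following Python script covers both answers at once: the parameter-pollution case from the first answer and the javascript: scheme case from the second. The helper names url_escape_strict, build_href, server_first_value and browser_scheme are my own, and html.unescape stands in for the browser decoding entities in an attribute value before the URL is parsed.

```python
import html
import string
from urllib.parse import parse_qs, urlsplit

# Rule #5 style escaping: everything except alphanumerics becomes %HH.
# Assumption: non-ASCII characters are UTF-8 encoded and every byte escaped.
def url_escape_strict(value: str) -> str:
    keep = set(string.ascii_letters + string.digits)
    return "".join(
        c if c in keep else "".join(f"%{b:02X}" for b in c.encode("utf-8"))
        for c in value
    )

def build_href(first: str, last: str, salary: int, escape) -> str:
    """Build the query string from the first answer, applying `escape` to user values."""
    return f"/salary?firstname={escape(first)}&lastname={escape(last)}&salary={salary}"

def server_first_value(href_attr: str, name: str) -> str:
    """Value the back-end sees when it takes the FIRST of duplicated parameters.

    The browser decodes HTML entities in the attribute before following the link,
    so HTML encoding alone cannot keep '&' or '=' from splitting the query string.
    """
    url = html.unescape(href_attr)
    return parse_qs(urlsplit(url).query)[name][0]

def browser_scheme(href_attr: str) -> str:
    """Scheme the browser resolves after entity decoding ('' for a relative link)."""
    return urlsplit(html.unescape(href_attr)).scheme

if __name__ == "__main__":
    hostile_name = "john&salary=40000"  # constructed input from the first answer
    for label, esc in (("none", lambda s: s), ("html", html.escape),
                       ("url", url_escape_strict)):
        href = build_href(hostile_name, "smith", 20000, esc)
        print(f"{label:5} -> salary seen by back-end: {server_first_value(href, 'salary')}")
    for href in ("javascript&colon;alert&lpar;1&rpar;", url_escape_strict("javascript:alert(1)")):
        print(f"{href!r:45} -> scheme {browser_scheme(href)!r}")
```

Running it prints 40000 for the unescaped and HTML-escaped variants and 20000 for the percent-encoded one, and only the entity-encoded href resolves to the javascript scheme.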