Hi,
We are trying to implement security in our application, wherein we need to encode and decode the user inputs.
So can anybody please provide me a list of all the characters that are disallowed or dangerous, that I need to encode?
For example, for the "<" character we use &lt;, and for the ">" character we use &gt;.
So can anybody please tell me whether the following characters are XSS-vulnerable, and if so, how to encode them?
1) ! (exclamation mark) - character for additional command execution
2) - (hyphen) - can be used in database queries, and in the creation of negative numbers.
3) / \ - The forward slash and backslash are often used for faking paths and queries.
4) { } [ ] - Curly brackets and square brackets are often used in script, program or regex expressions.
5) * (asterisk) - Often used in database queries for "all".
e.g. <script>x=""*alert(1)*"";y=42;</script>
6) ` (grave accent) - If you need to use both double and single quotes you can use a grave accent (`) to encapsulate the JavaScript string; this is also useful because lots of cross-site scripting filters don't know about grave accents.
7) / (division or forward slash) -
<script>x=""/alert(1)/"";y=42;</script>
8) Bitwise "xor" operator (^)
<script>x=""^alert(1)^"";y=42;</script>
9) Bitwise Left Shift (<<)
<script>x=""<<alert(1)<<"";y=42;</script>
10) Bitwise Right Shift (>>)
<script>x="">>alert(1)>>"";y=42;</script>
11) Bitwise Right Shift with Zeros (>>>)
<script>x="">>>alert(1)>>>"";y=42;</script>
12) Ternary Conditional Expression
<script>x=""?alert(1):"";y=42;</script>
Please let me know if I need to encode these characters too. I am using Java for development.
Thanks
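An added example, not code from the original post, that makes the common thread of the operator payloads listed above concrete: each of them gets alert(1) into the script by closing the double-quoted JavaScript string with a `"` that the attacker supplies, not through the operator character itself, so what has to be encoded depends on the context the value lands in (HTML text versus a JavaScript string literal), not on a list of "dangerous" operators. The function names (encodeForHtml, encodeOnlyAngleBrackets, encodeForJsString, renderJsAssignment, runScript, demo) and the payload strings are this example's own. It is written in JavaScript because the break-out happens in the browser's script context; the two encoders correspond to the same two contexts a Java library such as the OWASP Java Encoder covers with Encode.forHtml and Encode.forJavaScript.

```javascript
// Added example, not code from the original post. Demonstrates context-specific
// output encoding against the post's injection template <script>x="…";y=42;</script>.
// All function names and sample payloads below are this example's own.

// HTML body / attribute context: entity-encode the characters that can start a
// tag, end an attribute value, or begin an entity.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// The approach described in the question: only angle brackets are encoded.
function encodeOnlyAngleBrackets(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// JavaScript string-literal context: escape every non-alphanumeric character as
// \xHH, \uHHHH or \u{…}. Nothing can then close the quote, form an operator or
// spell </script>, and the value the script sees is exactly the original input.
function encodeForJsString(s) {
  let out = '';
  for (const ch of String(s)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// The post's template with the user-controlled value passed through `encoder`.
function renderJsAssignment(value, encoder) {
  return '<script>x="' + encoder(value) + '";y=42;</script>';
}

// Simulates the browser: take the script body (HTML entities are NOT decoded
// inside <script>) and run it with alert() replaced by a counter. Returns how
// many times alert fired, the final value of x, and any error name thrown.
function runScript(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.indexOf('</script>', start);
  const body = html.slice(start, end);
  let fired = 0;
  try {
    const fn = new Function('alert', 'var x, y;' + body + ';return x;');
    const x = fn(() => { fired++; return 1; });
    return { fired, x, error: null };
  } catch (e) {
    return { fired, x: undefined, error: e.name };
  }
}

// Constructed attacker inputs: the post's operator payloads including the quotes
// the attacker types (the template supplies the outer pair).
const PAYLOADS = ['"*alert(1)*"', '"^alert(1)^"', '"<<alert(1)<<"', '">>>alert(1)>>>"', '"/alert(1)/"'];

// Runs every payload through both encoders and reports the outcome of each.
function demo() {
  return PAYLOADS.map(p => ({
    payload: p,
    anglesOnly: runScript(renderJsAssignment(p, encodeOnlyAngleBrackets)),
    jsString: runScript(renderJsAssignment(p, encodeForJsString)),
  }));
}

for (const row of demo()) {
  console.log(JSON.stringify(row));
}
```

Running it shows that with angle brackets alone the `*`, `^` and `/` payloads still call alert (the quote closes the string and the operator simply joins two expressions), while `<<` and `>>>` are stopped only because the literal `&lt;` text happens to be a syntax error inside a script, not because anything was neutralised. With encodeForJsString every payload is inert and x holds the attacker's text verbatim, which is the property a Java encoder for the JavaScript context should also give you.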