22 lines
1.1 KiB
Plaintext
22 lines
1.1 KiB
Plaintext
=== on 5 Feb 2015, 20:08:00 Ann Campbell wrote:
|
|
In the WebGoat project, one of the exercises is to inject a script into a value that's then stored in the database, and the point of the lesson is to escape outgoing values.
|
|
|
|
|
|
Also: \https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
|
|
|
|
|
|
This rule may need a sort of whitelist parameter: i.e. ignore values that have been passed through x method.
|
|
|
|
=== on 5 Feb 2015, 20:22:09 Ann Campbell wrote:
|
|
We may also need to narrow the scope of this some. Perhaps to values retrieved from external sources, e.g. file, database, etc...?
|
|
|
|
=== on 20 Jul 2015, 07:40:30 Ann Campbell wrote:
|
|
Tagged java-top by Ann
|
|
|
|
=== on 21 Sep 2015, 09:57:21 Ann Campbell wrote:
|
|
\[~michael.gumowski] I've updated this rule mostly as discussed, but added another source of data to check: parameters
|
|
|
|
=== on 23 Sep 2019, 17:43:18 Alexandre Gigleux wrote:
|
|
This rule is corresponding to Stored XSS. I'm closing it for now as it will be covered by a more generic RSPEC similarly to what we did for Reflected XSS (RSPEC-5131).
|
|
|