49 lines
976 B
Plaintext
49 lines
976 B
Plaintext
In cross-site scripting attacks, attackers insert attack scripts into your pages. Because no system is fool-proof, it may not be enough to screen the data that's submitted to an application. You should also escape any content sent to the user so that any malicious code that may have escaped your input screening is neutralized. Specifically, the characters crucial to forming HTML must be escaped:
|
|
|
|
|
|
||turn||into||
|
|
|
|
|&|&|
|
|
|
|
|<|&lt;|
|
|
|
|
|>|&gt;|
|
|
|
|
|"|&quot;|
|
|
|
|
|'|&#x27;|
|
|
|
|
|/|&#x2F;|
|
|
|
|
|
|
This rule raises an issue for anything sent to ``++WEB++``.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,cobol]
|
|
----
|
|
...
|
|
EXEC SQL
|
|
SELECT NAME
|
|
INTO :PNAME
|
|
FROM PRODUCT
|
|
WHERE ID = :PRODUCT_ID
|
|
END-EXEC.
|
|
|
|
EXEC CICS
|
|
WEB SEND *> Noncompliant
|
|
FROM(PNAME)
|
|
*> ...
|
|
END-EXEC.
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|