Output Encoding
Last updated
This section contains recommendations for implementing output encoding.
In many scenarios, an application displays data that was gathered from untrusted sources such as user input. If that data is rendered as-is, an attacker can leverage it to perform attacks such as Cross-Site Scripting (XSS). To mitigate such issues, untrusted output must be encoded according to the context in which it is used.
Perform comprehensive input validation for each request, see the Input Validation page.
Perform output encoding according to the context of any untrusted data before displaying it in a user interface (web browser, mobile app).
For the untrusted sources of data that must be encoded, see Untrusted Data that must be encoded.
Web browser engines parse content differently in each of the contexts below, so a different output encoding strategy is needed for each of them.
Do not display untrusted data within dangerous contexts, see Dangerous Contexts.
Use your framework's default output encoding or use a well-vetted output encoding library for each context.
HTML Context is when untrusted data is displayed between two HTML tags such as <div> or <p>. For example:
All untrusted data that is going to be displayed within an HTML context must have every non-alphanumeric character encoded as its HTML entity before printing. For example:
Character   Encoded   Description
"           &quot;    Double quotation mark
&           &amp;     Ampersand character
'           &#x27;    Single quotation mark (apostrophe)
/           &#x2F;    Slash character
<           &lt;      Less than
>           &gt;      Greater than
Use your framework's default HTML output encoding or use a well-vetted HTML output encoding library.
HTML Attribute Context is when untrusted data is displayed within the value of an HTML attribute, such as an attribute of <div> or <p>. For example:
Quote all HTML attribute values, using either ' or ". In an unquoted attribute, a space in the untrusted data ends the value and whatever follows is parsed as a new attribute.
Do not place untrusted data in attributes that the browser interprets as code or as a URL (event handlers such as onclick, and href, src, style), even after output encoding.
All untrusted data that is going to be displayed within an HTML attribute context must have every non-alphanumeric character encoded as its HTML entity before printing. For example:
Character   Encoded   Description
"           &quot;    Double quotation mark
&           &amp;     Ampersand character
'           &#x27;    Single quotation mark (apostrophe)
<           &lt;      Less than
Encoding < is also what prevents an input sequence </ from prematurely terminating a </script> block.
Use your framework's default HTML attribute output encoding or use a well-vetted HTML attribute output encoding library.
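The following Go program is an added example for the HTML Context and HTML Attribute Context rules above; it is not code from the original page. EncodeHTML, RenderTitleUnquoted and RenderTitleQuoted are names chosen here, and the payload is constructed. It encodes every non-alphanumeric character as in the two tables, and contrasts that with the standard library's html.EscapeString (which encodes only < > & ' ") placed in an unquoted attribute, the case the quoting rule exists for.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Named HTML entities from the tables above; every other non-alphanumeric
// character falls back to a numeric &#xHH; character reference.
var htmlNamed = map[rune]string{
	'"':  "&quot;",
	'&':  "&amp;",
	'\'': "&#x27;",
	'/':  "&#x2F;",
	'<':  "&lt;",
	'>':  "&gt;",
}

func isAlnum(r rune) bool {
	return (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
}

// EncodeHTML encodes every non-alphanumeric character for the HTML body and
// HTML attribute contexts. Because space, = and parentheses are encoded too,
// the output cannot smuggle in a new attribute even where a template author
// forgot to quote the attribute value.
func EncodeHTML(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case isAlnum(r):
			b.WriteRune(r)
		case htmlNamed[r] != "":
			b.WriteString(htmlNamed[r])
		default:
			fmt.Fprintf(&b, "&#x%X;", r)
		}
	}
	return b.String()
}

// RenderTitleUnquoted reproduces the mistake the guideline warns about: the
// attribute value is not quoted, and html.EscapeString leaves space, = and
// parentheses alone, so a space-delimited payload becomes a new event-handler
// attribute.
func RenderTitleUnquoted(data string) string {
	return "<div title=" + html.EscapeString(data) + ">user</div>"
}

// RenderTitleQuoted follows the guideline: the value is quoted and fully
// encoded, so the payload stays inside the title attribute as inert text.
func RenderTitleQuoted(data string) string {
	return `<div title="` + EncodeHTML(data) + `">user</div>`
}

func main() {
	// Constructed payload: in an unquoted attribute the space ends the title
	// value and the remainder is parsed as an onmouseover handler.
	payload := "x onmouseover=alert(1)"
	fmt.Println(RenderTitleUnquoted(payload))
	fmt.Println(RenderTitleQuoted(payload))
	fmt.Println(EncodeHTML(`<script>alert("xss")</script>`))
}
```

html.EscapeString is sufficient for a quoted attribute, since the only way out of a quoted value is the quote character itself; the stricter encoder above is what makes the output safe regardless of how the surrounding template was written.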
JavaScript Context is when untrusted data is displayed within JavaScript code. For example:
Display untrusted data only within quoted locations (string literals).
Do not display untrusted data within dangerous JavaScript contexts:
Callback functions.
JavaScript event handler attributes: onclick, onerror, onmouseover.
JavaScript functions that parse and execute JavaScript code: eval(), setInterval(), setTimeout().
All untrusted data that is going to be displayed within a JavaScript context must have every non-alphanumeric character encoded with its hexadecimal escape \xHH (the \xHH form holds one byte; use \uHHHH for code points above 0xFF). For example:
Character   Encoded   Description
"           \x22      Double quotation mark
&           \x26      Ampersand character
'           \x27      Single quotation mark (apostrophe)
/           \x2F      Slash character
\           \x5C      Backslash character
Note that the HTML parser runs before the JavaScript engine: a </script> sequence inside a string literal ends the script block even when the quotes are escaped, which is why / and < must be encoded as well.
Use your framework's default JavaScript output encoding or use a well-vetted JavaScript output encoding library.
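The following Go program is an added example for the JavaScript Context rules above, not code from the original page; EncodeJSString, QuoteOnly and RenderScript are names chosen here, and the payload is constructed. It implements the \xHH table (falling back to \uHHHH above 0xFF) and shows why escaping only the quotes is not enough: the HTML parser finds </script> before any JavaScript runs.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf16"
)

func isAlnum(r rune) bool {
	return (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
}

// EncodeJSString encodes every non-alphanumeric character for placement inside
// a quoted JavaScript string literal: \xHH for code points up to 0xFF and
// \uHHHH (a surrogate pair above U+FFFF) for the rest, since \xHH can only
// express one byte.
func EncodeJSString(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case isAlnum(r):
			b.WriteRune(r)
		case r <= 0xFF:
			fmt.Fprintf(&b, `\x%02X`, r)
		case r <= 0xFFFF:
			fmt.Fprintf(&b, `\u%04X`, r)
		default:
			hi, lo := utf16.EncodeRune(r)
			fmt.Fprintf(&b, `\u%04X\u%04X`, hi, lo)
		}
	}
	return b.String()
}

// QuoteOnly is the common mistake: escaping just the string delimiter and the
// backslash. The JavaScript string stays well-formed, but the HTML parser runs
// first and finds "</script>" inside the literal.
func QuoteOnly(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(s)
}

// RenderScript places an already-encoded value in a quoted location inside a
// script block, the only JavaScript location the guideline allows.
func RenderScript(encoded string) string {
	return `<script>var name = "` + encoded + `";</script>`
}

func main() {
	// Constructed payload that closes the script block and opens a new one.
	payload := `</script><script>alert(1)</script>`
	fmt.Println(RenderScript(QuoteOnly(payload)))      // three script end tags: injection
	fmt.Println(RenderScript(EncodeJSString(payload))) // one script end tag: inert
}
```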
CSS Context is when untrusted data is displayed within CSS. For example:
Display untrusted data only in CSS property values. Other CSS contexts (selectors, property names, at-rules) are unsafe.
All untrusted data that is going to be displayed within a CSS context must have every non-alphanumeric character encoded with the CSS hexadecimal escape \HH followed by a space. The space terminates the escape: a CSS escape accepts up to six hexadecimal digits, so without it any hexadecimal digit that follows the encoded character would be consumed into the escape. (The \xHH form used in JavaScript is not a CSS escape.) For example:
Character   Encoded   Description
"           \22       Double quotation mark
&           \26       Ampersand character
'           \27       Single quotation mark (apostrophe)
/           \2F       Slash character
\           \5C       Backslash character
Do not use the expression() function within a CSS property value. In addition, use input validation to ensure that untrusted data displayed in a CSS property value does not contain the expression() function.
Do not use the JavaScript URI scheme javascript: within a CSS URL context. In addition, use input validation to ensure that untrusted data displayed in a CSS URL context does not contain the javascript: URL scheme.
Use your framework's default CSS output encoding or use a well-vetted CSS output encoding library.
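The following Go program is an added example for the CSS Context rules above, not code from the original page; EncodeCSS, RejectsDangerousCSS and RenderColorRule are names chosen here, and the payload is constructed. It emits the \HH escape with the terminating space and adds the validation step for expression() and javascript: that the guideline asks for alongside encoding.

```go
package main

import (
	"fmt"
	"strings"
)

func isAlnum(r rune) bool {
	return (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
}

// EncodeCSS encodes every non-alphanumeric character as a CSS hexadecimal
// escape \HH followed by one space. The space is part of the encoding: a CSS
// escape consumes up to six hex digits, so "\22" directly followed by the
// letter "a" would be read as the single code point U+022A, not as a quote
// followed by "a".
func EncodeCSS(s string) string {
	var b strings.Builder
	for _, r := range s {
		if isAlnum(r) {
			b.WriteRune(r)
		} else {
			fmt.Fprintf(&b, `\%X `, r)
		}
	}
	return b.String()
}

// RejectsDangerousCSS is the input-validation layer the guideline asks for in
// addition to encoding: refuse values that carry expression() or the
// javascript: scheme, compared case-insensitively. It is defence in depth,
// not a substitute for EncodeCSS.
func RejectsDangerousCSS(value string) bool {
	v := strings.ToLower(value)
	return strings.Contains(v, "expression(") || strings.Contains(v, "javascript:")
}

// RenderColorRule places the validated, encoded value in a CSS property value
// inside a style sheet rule, the only CSS location the guideline allows.
func RenderColorRule(value string) (string, error) {
	if RejectsDangerousCSS(value) {
		return "", fmt.Errorf("rejected dangerous CSS value")
	}
	return ".user { color: " + EncodeCSS(value) + "; }", nil
}

func main() {
	// Constructed payload that tries to end the property and add its own rule.
	payload := "red; } body { background: url(http://attacker.example/x) } .a { color: red"
	rule, err := RenderColorRule(payload)
	fmt.Println(rule, err)
	_, err = RenderColorRule("url(javascript:alert(1))")
	fmt.Println(err)
}
```

In the encoded rule the payload's ; { and } become \3B  \7B  and \7D , so the browser still sees a single property value and the attacker's rule never starts.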
URL Context is when untrusted data is displayed within a URL, typically as a query parameter value or a path segment. For example:
Encode all non-alphanumeric characters of the untrusted value with their percent-encoded hexadecimal representation %HH. Encode only the untrusted value being inserted, not the entire URL, since the separators (: / ? = &) must remain intact. For example:
Character   Encoded   Description
"           %22       Double quotation mark
&           %26       Ampersand character
'           %27       Single quotation mark (apostrophe)
/           %2F       Slash character
\           %5C       Backslash character
After URL encoding, additionally apply HTML Context, HTML Attribute Context, JavaScript Context or CSS Context encoding, depending on where the URL is placed; a URL in a quoted href attribute, for instance, needs HTML attribute encoding on top of the URL encoding.
Do not display untrusted data within the javascript: URL scheme in URL context. When the untrusted data is a complete URL, percent-encoding cannot be applied to it (it must remain a working URL), so validate its scheme against an allow-list such as http and https rather than only checking that it does not contain the javascript: URL scheme.
Use your framework's default URL output encoding or use a well-vetted URL output encoding library.
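The following Go program is an added example for the URL Context rules above, not code from the original page; EncodeURLValue, BuildSearchLink and SafeHref are names chosen here, and the payloads are constructed. It percent-encodes a parameter value, layers HTML attribute encoding on top because the URL lands in a quoted href, and handles the separate case of a user-supplied whole URL with a scheme allow-list.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

func isAlnumByte(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// EncodeURLValue percent-encodes every non-alphanumeric byte of a value that
// goes into one URL component (here a query parameter value). It works on
// bytes, so a multi-byte UTF-8 character becomes several %HH escapes, which is
// what the receiving server expects. Only the value is encoded; the separators
// of the surrounding URL are left to the caller.
func EncodeURLValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if isAlnumByte(c) {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// BuildSearchLink applies the two layers in the order the guideline gives:
// URL-encode the untrusted value, then HTML-attribute-encode the finished URL
// because it sits inside a quoted href attribute. html.EscapeString suffices
// for the second layer only because the attribute is quoted.
func BuildSearchLink(query string) string {
	target := "https://example.com/search?q=" + EncodeURLValue(query)
	return `<a href="` + html.EscapeString(target) + `">search</a>`
}

// SafeHref covers the other case: the untrusted data is a whole URL supplied
// by the user. Percent-encoding it would break it, so the scheme is validated
// against an allow-list instead of only rejecting javascript:. Relative URLs
// have no scheme and are therefore rejected here as well.
func SafeHref(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		return u.String(), true
	}
	return "", false
}

func main() {
	fmt.Println(BuildSearchLink(`"><script>alert(1)</script>`)) // constructed payload
	fmt.Println(SafeHref("https://example.com/profile?id=7"))
	fmt.Println(SafeHref("javascript:alert(1)"))
	fmt.Println(SafeHref("JaVaScRiPt:alert(1)"))
}
```

The standard library's url.QueryEscape encodes a query value to the same effect (it leaves a few unreserved characters such as - _ . ~ alone and turns spaces into +); the byte-wise encoder above is the strict form the table describes.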
The following locations are dangerous contexts: output encoding does not make them safe, so displaying untrusted data in them must be avoided.
Do not display untrusted data within a script tag.
Do not display untrusted data within HTML comments.
Do not display untrusted data directly in CSS.
Do not display untrusted data to define an HTML attribute name.
Do not display untrusted data to define an HTML tag name.
Perform output encoding for all user-controlled data that is displayed within any of the above contexts, whichever part of the request it arrived in:
Query parameters or URL/GET parameters.
HTTP headers.
Cookies.
HTTP body.
You can use the html/template package to perform output encoding safely in Go. html/template performs contextual escaping: it tracks whether each action appears in an HTML, HTML attribute, JavaScript, CSS or URL context and applies the matching encoding automatically, whereas text/template performs no escaping at all.
See html/template documentation for more detailed use.
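The following Go program is an added example of that contextual escaping, not code from the original page or from the Go project; RenderSafe, RenderUnsafe and the Profile type are names chosen here, and the sample data is constructed. One template interpolates the same value into a paragraph, a quoted attribute, an href and a JavaScript string; html/template picks a different encoder for each, and the text/template rendering alongside shows what reaches the browser without it.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// One template, four contexts: HTML body, quoted attribute, URL in href, and a
// quoted JavaScript string inside a script block.
const page = `<p>Hello {{.Name}}</p>
<a title="{{.Name}}" href="{{.Link}}">profile</a>
<script>var name = "{{.Name}}";</script>
`

// Profile is constructed sample data; both fields are attacker-controlled.
type Profile struct {
	Name string
	Link string
}

// RenderSafe uses html/template, which chooses the encoder from the context
// each action sits in: HTML entities in the paragraph and the title attribute,
// a URL filter for href (an unsafe scheme is replaced by "#ZgotmplZ"), and
// JavaScript string escapes inside the script block.
func RenderSafe(p Profile) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, p); err != nil {
		return "", err
	}
	return b.String(), nil
}

// RenderUnsafe renders the same template with text/template, which performs no
// escaping: the payload reaches the browser verbatim in every context.
func RenderUnsafe(p Profile) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, p); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	p := Profile{
		Name: `</script><script>alert(1)</script>`, // constructed XSS payload
		Link: "javascript:alert(1)",               // constructed unsafe URL
	}
	safe, err := RenderSafe(p)
	if err != nil {
		panic(err)
	}
	unsafe, err := RenderUnsafe(p)
	if err != nil {
		panic(err)
	}
	fmt.Println("html/template:\n" + safe)
	fmt.Println("text/template:\n" + unsafe)
}
```

The html/template output contains exactly the one <script> element the template itself declares, and the href becomes "#ZgotmplZ", the package's marker for content that failed its URL filter at runtime; the text/template output contains the injected script element in all three places and the javascript: link intact.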