java - Facing issue while resolving cross site scripting issue


I am preventing a cross site scripting defect in my application. I have done the validation part for the fields present in the application, but I don't know how to prevent the defect if someone injects code in the URL. Please tell me how to get rid of this defect. e.g. script:

javascript:alert(document.cookie) 

Like, if I inject the above code in the URL, I can get the username and session id after logout.

Please suggest a solution.

HTML decoding/encoding can't help in this case; I tested it on a couple of web applications (like Atlassian Jira, Slack) which are allowing it to be printed in the HTML page. The tag works in the following cases: if it is being printed in an href attribute-

<a href="javascript:alert(document.cookie)">test</a>

in an onclick attribute-

<a href=# onclick="javascript:alert(document.cookie)" >test</a>

So make sure you are not printing it directly in an href or onclick attribute; if you are doing so, add a filter there that can manually detect javascript, or don't forget to append http:// before the link.
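As an added example (not code from the question or the answer above), a small Java helper that applies the answer's advice when a user-supplied URL has to end up in an href: it allows only a fixed set of schemes or a site-relative path, so a `javascript:` value never reaches the attribute, and attribute-encodes whatever it does allow. The class and method names are my own.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example: turns untrusted input into a value that is safe to place in href="...". */
public final class SafeHref {
    // Only these schemes may be linked; anything else (javascript:, data:, vbscript:, ...) is dropped.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "mailto");

    /** Returns an attribute-encoded href, or null when the input must not be linked at all. */
    public static String safeHref(String rawUrl) {
        if (rawUrl == null) return null;
        // Browsers ignore ASCII control characters inside a scheme, so remove them before
        // deciding; otherwise "java<TAB>script:" would pass a naive startsWith("javascript:") check.
        String cleaned = rawUrl.replaceAll("[\\x00-\\x1F\\x7F]", "").trim();
        if (cleaned.isEmpty()) return null;

        String scheme;
        try {
            scheme = new URI(cleaned).getScheme();   // null for relative references
        } catch (URISyntaxException e) {
            return null;                             // unparsable input is never linked
        }
        if (scheme == null) {
            // Scheme-less: accept only a path on this site ("/x"), not "//host" or "x:y".
            if (!cleaned.startsWith("/") || cleaned.startsWith("//")) return null;
        } else if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return null;                             // covers javascript:, JAVASCRIPT:, data:, ...
        }
        return encodeForAttribute(cleaned);
    }

    /** Minimal HTML attribute encoding so the value cannot close the quote or the tag. */
    static String encodeForAttribute(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the payload from the question, a disguised variant, and safe links.
        String[] samples = {"javascript:alert(document.cookie)", "java\tscript:alert(1)",
                            "//evil.example/", "/profile?id=1&tab=2", "https://example.com/\"x"};
        for (String s : samples) {
            String href = safeHref(s);
            System.out.println(href == null ? "[rejected] " + s : "<a href=\"" + href + "\">link</a>");
        }
    }
}
```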
