Cross site scripting (requiring unencoded tag delimiter)
Description
Cross-Site Scripting (XSS) is a client-side code injection vulnerability: an attacker's script executes in the victim's browser inside the security context of a trusted web application. It occurs when user-supplied input is placed in page output without validation or context-appropriate output encoding. This variant is rated lower than a standard reflected XSS because the payload only reaches the page when the request carries raw HTML tag delimiters (< and >), and modern browsers percent-encode those characters in URL query strings before the request is sent. Exploitation therefore requires a browser or client that does not perform that encoding, which makes a link-based attack significantly harder in current browsers. The underlying encoding flaw is still present and should be fixed like any other XSS.
Remediation
Implement context-aware output encoding for all user-controlled data rendered in web pages. Apply the following measures:
1. HTML Context Encoding: Encode the special characters <, >, &, ", and ' when inserting user input into HTML content, and always quote attribute values so that an encoded value cannot escape the attribute.
// Example (Java): requires org.apache.commons.text.StringEscapeUtils
String safe = StringEscapeUtils.escapeHtml4(userInput);
// Example (JavaScript): assign as text, never via innerHTML
element.textContent = userInput;
// equivalent: element.appendChild(document.createTextNode(userInput));
// Example (PHP)
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
2. JavaScript Context Encoding: Use JavaScript-specific escaping (\xHH or \uHHHH for every character outside [A-Za-z0-9]) when inserting data into script blocks or event handlers, so that quotes and the sequence </script> cannot terminate the string literal or the script element. Where possible, avoid embedding user data in scripts at all and pass it through a data attribute or a JSON endpoint instead.
3. URL Context Encoding: Percent-encode user data (for example with encodeURIComponent) when inserting it into URLs or query parameters. A URL-encoded value that is then placed inside an HTML attribute still needs HTML encoding, and user-controlled URLs should be restricted to http/https so that javascript: URLs are rejected.
4. Input Validation: Validate and sanitize user input on the server side using allowlists for the expected format, length and values. Validation reduces the attack surface but does not replace output encoding, because the same value may be rendered in several contexts.
5. Content Security Policy (CSP): Implement a strict CSP header to prevent inline script execution and restrict script sources. The policy below allows scripts only from the page's own origin and, because it omits 'unsafe-inline', blocks inline <script> blocks and inline event handlers. Treat CSP as defence in depth, not as a substitute for encoding.
Content-Security-Policy: default-src 'self'; script-src 'self'
6. Use Security Libraries: Leverage established, maintained encoders and sanitizers (OWASP Java Encoder, DOMPurify, the built-in escaping of your template engine, etc.) rather than implementing custom encoding functions, which are easy to get wrong for edge cases such as attribute contexts and Unicode.