
Escaping

Output escaping, also known as output encoding, is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser. There are lots of different types of escaping, sometimes confusingly called output "encoding." Some of these techniques define a special "escape" character, and other techniques have a more sophisticated syntax that involves several characters.

Do not confuse output escaping with the notion of Unicode character encoding, which involves mapping a Unicode character to a sequence of bits. This level of encoding is automatically decoded, and does not defuse attacks. However, if there are misunderstandings about the intended charset between the server and browser, it may cause unintended characters to be communicated, possibly enabling XSS attacks. This is why it is still important to specify the Unicode character encoding (charset), such as UTF-8, for all communications.

Escaping is the primary means to make sure that untrusted data can't be used to convey an injection attack. There is no harm in escaping data properly - it will still render in the browser or go through your SQL engine properly. Escaping simply lets the interpreter know that the data is not intended to be executed, and therefore prevents attacks from working.

Interpreters In Your Web Stack

SQL

If you write raw SQL queries by interpolating user-supplied data into the query string instead of using a parameterized interface, you are easily susceptible to injection attacks.

query = "SELECT * FROM Users WHERE username='%s'" % username

Imagine that in the above code segment, username = "' OR 1=1--"

When the string is interpolated, the query becomes:

query = "SELECT * FROM Users WHERE username='' OR 1=1--'"

Such a query will select all users when the intent was to only select one.
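The following is an added example, not code from the original page: it runs the interpolated query above against a constructed in-memory SQLite table (three sample users, not from the page) and contrasts it with a parameterized query and with manual quote-doubling, so the difference in what the SQL interpreter sees is visible in the results.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO Users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn

def lookup_interpolated(conn, username):
    # Vulnerable: the untrusted value is spliced into the SQL text, so any
    # quote characters it contains are parsed as SQL syntax, not as data.
    query = "SELECT username FROM Users WHERE username='%s'" % username
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, username):
    # Preferred: the value is bound separately from the statement, so the
    # engine never parses it as SQL at all.
    query = "SELECT username FROM Users WHERE username=?"
    return [row[0] for row in conn.execute(query, (username,))]

def lookup_escaped(conn, username):
    # Manual escaping: doubling a single quote is how SQL encodes a literal
    # quote inside a string. It works here, but binding is less error-prone.
    escaped = username.replace("'", "''")
    query = "SELECT username FROM Users WHERE username='%s'" % escaped
    return [row[0] for row in conn.execute(query)]

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1--"
    print(lookup_interpolated(conn, payload))   # ['alice', 'bob', 'carol']
    print(lookup_parameterized(conn, payload))  # []
    print(lookup_escaped(conn, payload))        # []
```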

HTML
Javascript

Escaping for Javascript describes the necessary escaping that must be done to include user-supplied data in a Javascript "data value."

LDAP

If you authenticate users using a service such as LDAP where a request string is built using user-supplied data, you are at risk for injection.


Edited by Ned Batchelder on 7/20/10 2:29 PM

An OWASP project created by Craig Younkins
