OWASP XSS Prevention Cheat Sheet

The rules of the OWASP Cross Site Scripting (XSS) Prevention Cheat Sheet

  • Deny all untrusted data by default and don’t put it directly into the HTML or into any other context (like JavaScript, CSS, attribute contexts)
  • HTML escape untrusted content from the user
  • Attribute escape untrusted data before putting it into HTML tag attributes (escape quotes)
  • Escape JavaScript before putting untrusted data into a JavaScript context, see also the escape_javascript Rails method
  • Escape HTML entities in JSON strings, see the json_escape Rails method
  • Escape untrusted data in a CSS context and validate it, see also the sanitize_css() method in Rails
  • URL encode untrusted data in URLs
  • HTML sanitize untrusted input, see the sanitize() Rails method in the latest version (but watch out in earlier versions of Rails)