Skip to content

Latest commit

 

History

History
63 lines (46 loc) · 2.92 KB

File metadata and controls

63 lines (46 loc) · 2.92 KB
title layout tags contributors document order permalink
Encode and Escape Data Checklist
col-document
OWASP Developer Guide
Jon Gadsden, Andreas Happe
OWASP Developer Guide
6240
/release/design/web_app_checklist/encode_escape_data/

{% include breadcrumb.html %}

4.2.4 Checklist: Encode and Escape Data

Encoding and escaping of output data are defensive techniques meant to stop injection attacks on a target system or application which is receiving the output data.

The target system may be another software component or it may be reflected back to the initial system, such as operating system commands, so encoding and escaping output data helps to provide defense in depth for the system as a whole.

Refer to proactive control C3: Validate all Input & Handle Exceptions and its cheatsheets for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.

1. Character encoding and canonicalization

  1. Apply output encoding just before the content is passed to the target system
  2. Conduct all output encoding on a trusted system
  3. Utilize a standard, tested routine for each type of outbound encoding
  4. Specify character sets, such as UTF-8, for all outputs
  5. Apply canonicalization to convert unicode data into a standard form
  6. Ensure the output encoding is safe for all target systems
  7. In particular sanitize all output used for operating system commands

2. Contextual output encoding

Contextual output encoding of data is based on how it will be utilized by the target. The specific methods vary depending on the way the output data is used, such as HTML entity encoding.

  1. Contextually encode all data returned to the client from untrusted sources
  2. Contextually encode all output of untrusted data to queries for SQL, XML, and LDAP

References


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.