sander/notes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update sectraining.md

Browse source
This commit is contained in:
Sander Hautvast 2024-02-05 10:26:23 +01:00 committed by GitHub
parent dd433c4522
commit 314e0ae434
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
sectraining.md
View file

@ -17,3 +17,12 @@ To prevent non-HTML HTTP responses from embedding data, that might be dangerousl
#### Modern Frameworks #### Modern Frameworks
JavaScript frameworks (e.g., Angular, React) or server-side templating systems (e.g., Go Templates) have robust built-in protections against Reflected Cross-Site Scripting. JavaScript frameworks (e.g., Angular, React) or server-side templating systems (e.g., Go Templates) have robust built-in protections against Reflected Cross-Site Scripting.
#### Java
HTML Body <div>USER-CONTROLLED-DATA</div> `Encode.forHtml`
HTML Attribute <input type="text" value="USER-CONTROLLED-DATA"> `Encode.forHtmlAttribute`
URL Parameter <a href="/search?value=USER-CONTROLLED-DATA">Search</a> `Encode.forUriComponent`
CSS String <div style="width: USER-CONTROLLED-DATA;">Selection</div> `Encode.forCssString`
CSS URL <div style="background: USER-CONTROLLED-DATA "> `Encode.forCssUrl`
JavaScript Block <script>alert("USER-CONTROLLED-DATA")</script> `Encode.forJavaScriptBlock`
JavaScript Variable <button onclick="alert('USER-CONTROLLED-DATA');">click me</button> `Encode.forJavaScriptVariable`