HTML Encoding

HTML encoding can help us defend against XSS attacks. Let's see how.

Now let’s consider how we can defend against this. A frequently suggested defense that doesn’t work is to strip out < and > characters. One problem with this defense is that sometimes people need to discuss dangerous inputs. Readers of this course, for example, may want to discuss XSS payloads on a web-based forum. Attempts to strip out < and > would stop these conversations. Also, we’ll see that not every XSS attack needs < or >.
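To make the contrast concrete, here is an added example (not part of the course) that puts the "strip out < and >" non-defense beside HTML encoding. The names (`htmlEncode`, `stripAngleBrackets`, `compareDefenses`) and the forum post are constructed for this illustration.

```javascript
// Added example (not from the course): HTML encoding versus the
// "strip < and >" non-defense discussed above.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};
const HTML_ENTITIES_REVERSE = Object.fromEntries(
  Object.entries(HTML_ENTITIES).map(([ch, ent]) => [ent, ch])
);

// Replace every character that means something to the HTML parser with
// an entity reference. '&' must be encoded too, or an entity already in
// the input would be interpreted; quotes must be encoded because a quote
// can end an attribute value without any < or > being involved.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Undo htmlEncode (what the browser does when rendering), to show that
// encoding is lossless: the reader sees exactly what the author wrote.
function htmlDecode(encoded) {
  return String(encoded).replace(/&(?:amp|lt|gt|quot|#x27);/g,
    (ent) => HTML_ENTITIES_REVERSE[ent]);
}

// The frequently suggested defense that does not work.
function stripAngleBrackets(text) {
  return String(text).replace(/[<>]/g, '');
}

// Constructed forum post that legitimately needs the special characters.
const SAMPLE_POST =
  'The <script> tag runs code; also 1 < 2 && "quotes" can end an attribute.';

// Compare both approaches on one input.
function compareDefenses(text) {
  const encoded = htmlEncode(text);
  return {
    stripped: stripAngleBrackets(text),     // meaning destroyed, quotes untouched
    encoded,                                // safe to place in HTML text content
    lossless: htmlDecode(encoded) === text, // true: nothing was discarded
  };
}

console.log(compareDefenses(SAMPLE_POST));
```

Note that the stripped version silently turns "the <script> tag" into "the script tag" and leaves the quotation marks alone, while the encoded version survives a round trip through the browser's decoding untouched.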

HTML encoding

Before we look at its application for defense, let’s take a look at how HTML encoding works. In the previous paragraph, we touched on an interesting problem in HTML. We use < and > to ...