HTML encoding enables web applications to safely output characters that would otherwise be interpreted as markup. For instance, the following special characters can be encoded into their respective safe HTML entities:

| Special Character | HTML Entity |
|-------------------|-------------|
| `<`               | `&lt;`      |
| `>`               | `&gt;`      |
| `"`               | `&quot;`    |
| `&`               | `&amp;`     |
| `'`               | `&#x27;`    |
This produces output that the browser renders as literal text rather than as markup. On the client side, JavaScript can then convert the HTML entities back into their original characters wherever the raw values are needed.
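As an added example (not code from the original article), the following JavaScript implements the server-side encoder for the five characters in the table above together with the client-side decoder that reverses it. The function names `htmlEncode` and `htmlDecode` and the sample input are our own choices.

```javascript
// Added example: HTML entity encoding and its inverse for the five
// characters in the table. Helper names are hypothetical.

const ENCODE_MAP = {
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  '&': '&amp;',
  "'": '&#x27;', // &apos; is not defined in HTML 4, so the numeric form is used
};

// Encode untrusted text before placing it inside an HTML element body.
// '&' must be in the set: otherwise attacker-supplied text such as "&lt;"
// would pass through unchanged and later decode to a real "<".
function htmlEncode(text) {
  return String(text).replace(/[<>"'&]/g, (ch) => ENCODE_MAP[ch]);
}

// Reverse mapping built from the encoder table so the two cannot drift apart.
const DECODE_MAP = Object.fromEntries(
  Object.entries(ENCODE_MAP).map(([ch, ent]) => [ent, ch])
);

// Client-side decoder. A single regex pass replaces each entity exactly once,
// so "&amp;lt;" becomes the literal text "&lt;" and is never decoded twice.
// It only knows the five entities we emit; anything else is left untouched.
function htmlDecode(encoded) {
  return String(encoded).replace(/&(?:lt|gt|quot|amp|#x27);/g, (ent) => DECODE_MAP[ent]);
}

// Constructed sample of untrusted input (not real user data).
const untrusted = `<script>alert(1)</script> Tom & Jerry's`;
const encoded = htmlEncode(untrusted);
const roundTrip = htmlDecode(encoded);

console.log(encoded);   // entities in place of the five characters
console.log(roundTrip); // identical to `untrusted`
```

When the decoded value is written back into the page, assign it through `textContent` (or use it as data), not `innerHTML`; decoding and then inserting as markup would reintroduce exactly the injection the encoding prevented.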
The web server can enhance security by controlling the types of JavaScript allowed through a strict Content Security Policy (CSP), which lists approved JavaScript sources and often blocks inline scripts. CSP also enables reporting of violations to a server-provided URL, aiding in attack detection.
Numerous web application scanners are available to identify vulnerabilities like SQL Injection and XSS. Unlike network vulnerability scanners, web application scanners often rely on heuristics rather than predefined signatures. They are particularly valuable when integrated into development processes such as Continuous Integration (CI) and Continuous Delivery (CD).