Update 3-knowledge_base--XSS_injection--.md
RiieCco committed Mar 7, 2019
1 parent da8a4b3 commit 9776ab6
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions skf/markdown/knowledge_base/3-knowledge_base--XSS_injection--.md
Expand Up @@ -5,7 +5,12 @@ this data in the application background, these parameters should be escaped for
code in order to prevent cross-site scripting injections.
When an attacker gains the possibility to perform an XSS injection,
he is given the opportunity to inject HTML and JavaScript code directly into the
application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application.
application. This could lead to accounts being compromised by stealing session cookies or directly
affect the operation of the target application.

Altough templating engines(razor, twig, jinja, etc) and context-aware applications(Angular, React, etc)
do a lot of auto escaping for you. These frameworks should always be validated for effectiveness.


## Solution:

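Review bot: the new paragraph on the templating engines (the two added lines starting "Altough templating engines") is a sentence fragment and has typos: "Altough" should be "Although", and "engines(razor" / "applications(Angular" need a space before the parenthesis. The first sentence is a dependent clause that ends in a period, so the "These frameworks should always be validated" sentence is left hanging; suggest joining them: "Although templating engines (Razor, Twig, Jinja, etc.) and context-aware frameworks (Angular, React, etc.) do a lot of auto-escaping for you, their effectiveness should always be validated." It would also help the reader to say why validation is needed: the Solution section below lists separate HTML, attribute, URL and JavaScript contexts, and auto-escaping that covers one context does not cover the others.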
Expand All @@ -23,9 +28,10 @@ your html with encoding libraries specially designed for this purpose.
You should take into consideration that there are several contexts for encoding user-input for
escaping XSS injections. These contexts are amongst others:

HTML encoding is for whenever your user-input is displayed directly into your HTML.
HTML attribute encoding is the type of encoding/escaping that should be applied whenever your user input is displayed into the attribute of your HTML tags.
HTML URL encoding ;This type of encoding/escaping should be applied to whenever you are using user-input into a HREF tag.
* HTML encoding, is for whenever your user-input is displayed directly into your HTML.
* HTML attribute encoding, is the type of encoding/escaping that should be applied
whenever your user input is displayed into the attribute of your HTML tags.
* HTML URL encoding, this type of encoding/escaping should be applied to whenever you are using user-input into a HREF tag.

JavaScript encoding should be used whenever parameters are rendered via JavaScript; your application will detect normal injections in the first instant. But your application still remains vulnerable to JavaScript encoding which will not be detected by the normal encoding/escaping methods.

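Review bot: the new bullet items have stray commas that break the grammar ("* HTML encoding, is for whenever", "* HTML attribute encoding, is the type"); drop the comma after the context name, or turn it into a colon, e.g. "* HTML encoding: use this whenever user input is displayed directly in your HTML." In the third bullet, "applied to whenever" should be "applied whenever", and "into a HREF tag" should read "in an href attribute", since href is an attribute, not a tag. The JavaScript encoding paragraph that follows the list is the fourth context the section announces ("These contexts are amongst others"), so it belongs in the same list as a fourth bullet rather than as a separate paragraph; its wording ("your application will detect normal injections in the first instant") is also hard to follow and could be reduced to "JavaScript encoding should be used whenever user input is rendered inside JavaScript; HTML encoding alone does not protect that context."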