MID-071: Sanitized and Escaped User Data for Web Applications
Mitigation Tier: Foundational
Description
Web applications should treat every value that a user can influence as untrusted: validate all inputs [2], encode every output for the context in which it is rendered, and write user-controlled values only into safe locations in the page. Output encoding converts a value into an inert text representation before it is displayed, so the browser renders it as text instead of interpreting it as markup or script. The encoding must match the output context [1]: HTML entity encoding (for example, < as &lt; and " as &quot;) for data placed in the HTML body, &#xHH; encoding for data placed inside quoted attribute values, \xHH escaping for data placed inside JavaScript string literals, and \HH escaping for data placed in CSS property values. Quoting a variable is not a control on its own; the quotes only define the boundary that the encoding has to keep the value from escaping. These controls apply wherever user-influenced data is rendered, not only on pages where users are allowed to edit HTML; where users may author HTML, the rendered markup must additionally be sanitized.
Where users are permitted to submit HTML (rich-text comments, for example), the markup should be sanitized before it is rendered, for instance with the DOMPurify library's DOMPurify.sanitize() function, which strips script elements, event-handler attributes and other executable constructs from the supplied HTML [1]. Values that only need to be displayed as text should be written through safe sinks: DOM properties and APIs such as textContent and document.createTextNode() that always treat the assigned value as text, so the value is never parsed as markup and can never execute [1]. Sinks such as innerHTML, outerHTML, document.write() and inline event-handler attributes interpret their input as markup or code and must never receive unencoded user data.
Note: Prefer web application frameworks that already provide this functionality built in, such as templating engines with automatic output encoding, and that are well tested and widely used.
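The following is an added example, not code from the original page or from the referenced OWASP cheat sheets. It is a small Node.js module that implements the context-specific encoders described above (HTML body, HTML attribute and JavaScript string contexts), runs a vulnerable and a hardened render function against a constructed XSS payload, and shows a helper that writes through the textContent safe sink. The function names, the comment markup and the payload are assumptions made for the example.

```javascript
// Added example (not from the original page): context-aware output encoding
// of untrusted data, following the rules in the OWASP XSS Prevention Cheat
// Sheet. Runs under Node.js; the safe-sink helper at the end works on a real
// DOM element in the browser or on a plain object standing in for one.

// HTML body context: encode the characters that can start a tag or an entity
// or close a quoted value, so the browser renders them as literal text.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// HTML attribute context: the attribute must be quoted in the template and
// every non-alphanumeric character is encoded as &#xHH;, so the value can
// neither close the quote nor introduce a new attribute such as onerror=.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) =>
    "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";");
}

// JavaScript string context: \xHH for code units below 0x100 and \uHHHH
// otherwise, so the value cannot terminate the string literal or the script.
function encodeForJavaScript(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const cu = ch.charCodeAt(0);
    return cu < 0x100
      ? "\\x" + cu.toString(16).padStart(2, "0").toUpperCase()
      : "\\u" + cu.toString(16).padStart(4, "0").toUpperCase();
  });
}

// Constructed payload for the example: closes an attribute, opens an <img>
// tag and attaches an event handler.
const UNTRUSTED = '"><img src=x onerror="alert(1)">';

// Vulnerable: untrusted values are concatenated straight into the markup.
function renderCommentUnsafe(author, body) {
  return '<div class="comment" data-author="' + author + '">' + body + "</div>";
}

// Hardened: each value is encoded for the exact context it lands in. The
// attribute value sits inside double quotes; the body is HTML text content.
function renderCommentSafe(author, body) {
  return '<div class="comment" data-author="' + encodeForHtmlAttribute(author) +
    '">' + encodeForHtml(body) + "</div>";
}

// Inline-script context: the value goes inside a quoted JavaScript string.
function renderInlineScriptSafe(value) {
  return '<script>var author = "' + encodeForJavaScript(value) + '";</script>';
}

// Safe sink: assigning to textContent makes the browser treat the value as
// text, so no markup is parsed and no encoding is needed. Untrusted data
// must never be assigned to innerHTML or outerHTML or passed to document.write().
function renderIntoSafeSink(element, value) {
  element.textContent = String(value);
  return element;
}

console.log("unsafe:", renderCommentUnsafe("guest", UNTRUSTED));
console.log("safe:  ", renderCommentSafe("guest", UNTRUSTED));
console.log("script:", renderInlineScriptSafe(UNTRUSTED));
```

Running the module prints the vulnerable output with a live <img onerror> tag in it and the hardened output with the same payload reduced to inert entities. The point to take from the three encoders is that one encoding function does not fit all contexts: HTML entity encoding alone would not stop a value inside an unquoted attribute, and neither HTML encoding nor attribute encoding protects a value inside a <script> block, which is why the cheat sheet prescribes a separate rule per context.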
IEC 62443 4-2 Mappings
- CR 3.5 – Input validation
References
[1] OWASP. “Cross Site Scripting Prevention Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[2] OWASP. “Input Validation Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html