What is the meaning of context in the passage below?
The first rule is to deny all - don't put untrusted data into your HTML document unless it is within one of the slots defined in Rule #1 through Rule #5. The reason for Rule #0 is that there are so many strange contexts within HTML that the list of encoding rules gets very complicated. We can't think of any good reason to put untrusted data in these contexts. This includes "nested contexts" like a URL inside a JavaScript -- the encoding rules for those locations are tricky and dangerous.
If you insist on putting untrusted data into nested contexts, please do a lot of cross-browser testing and let us know what you find out.
This passage is taken from Cross Site Scripting Prevention - OWASP Cheat Sheet Series. There, you can find Rule #0 through Rule #5.
CodePudding user response:
"Contexts" here basically refers to the places where text can go in an HTML document. The OWASP XSS Prevention guide you're referencing aims to educate developers on how to safely place untrusted data in HTML.
Because HTML can do a lot of different stuff, it's important to understand exactly where your untrusted data is going so you can understand the risks and specific mitigation strategies.
The link you provided identifies several contexts:
Directly in a script:
<script>...NEVER PUT UNTRUSTED DATA HERE...</script>
Inside an HTML comment:
<!--...NEVER PUT UNTRUSTED DATA HERE...-->
In an attribute name:
<div ...NEVER PUT UNTRUSTED DATA HERE...=test />
In a tag name:
<NEVER PUT UNTRUSTED DATA HERE... href="/test" />
Directly in CSS:
<style>
...NEVER PUT UNTRUSTED DATA HERE...
</style>
A context is exactly what it sounds like: the context of the untrusted data. The rules for escaping untrusted data, say inside a <script> tag, are completely different from the rules for safely escaping untrusted data that will go into an HTML attribute, such as <a href="some-untrusted-data-here">...</a>.
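As an added example (not part of the question or the answer above), here is a Python implementation of the per-context output encoders OWASP prescribes in Rules #1 through #5, plus a check that shows why the Rule #1 body encoding is not adequate for the Rule #3 JavaScript string slot. The sample input and all function names are my own assumptions.

```python
import html
import re
from urllib.parse import quote

# Constructed sample of untrusted data (not taken from the OWASP page).
UNTRUSTED = 'Tom & "Jerry" <b>\'s \\ path'

def _encode_non_alnum(s: str, fmt) -> str:
    """Leave [A-Za-z0-9] alone; encode every other char below U+0100 with fmt."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) or ord(ch) > 255 else fmt(ord(ch))
        for ch in s
    )

def encode_for_html_body(s: str) -> str:
    """Rule #1 (element content): entity-encode & < > " and '."""
    return html.escape(s, quote=True)

def encode_for_html_attribute(s: str) -> str:
    """Rule #2 (quoted attribute value): &#xHH; for every non-alphanumeric."""
    return _encode_non_alnum(s, lambda cp: f"&#x{cp:02X};")

def encode_for_js_string(s: str) -> str:
    """Rule #3 (JavaScript string literal): \\xHH for every non-alphanumeric."""
    return _encode_non_alnum(s, lambda cp: f"\\x{cp:02X}")

def encode_for_css_string(s: str) -> str:
    """Rule #4 (CSS string value): \\HH followed by a terminating space."""
    return _encode_non_alnum(s, lambda cp: f"\\{cp:02X} ")

def encode_for_url_parameter(s: str) -> str:
    """Rule #5 (URL parameter value): percent-encode all but unreserved chars."""
    return quote(s, safe="")

def render_all(untrusted: str) -> dict:
    """Place the same untrusted value into each Rule #1-#5 slot, each with its own encoder."""
    return {
        "body": f"<div>{encode_for_html_body(untrusted)}</div>",
        "attr": f'<div title="{encode_for_html_attribute(untrusted)}"></div>',
        "js":   f"<script>var name = '{encode_for_js_string(untrusted)}';</script>",
        "css":  f'<style>p::after {{ content: "{encode_for_css_string(untrusted)}"; }}</style>',
        "url":  f'<a href="/search?q={encode_for_url_parameter(untrusted)}">go</a>',
    }

def js_string_only_safe_chars(encoded: str) -> bool:
    """Defensive check for the Rule #3 slot: only alphanumerics, \\xHH escapes,
    or code points above U+00FF may remain. Body-encoded output fails this
    because it leaves &, ;, spaces and backslashes intact."""
    return re.fullmatch(r"(?:[A-Za-z0-9]|\\x[0-9A-F]{2}|[^\x00-\xff])*", encoded) is not None
```

The check is the practical point of the answer: the same input must be run through a different encoder for each slot, and a value encoded for one context should be rejected, not reused, in another.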