This is client-side code for escaping untrusted data before it is rendered, a task that is becoming increasingly important as more and more rendering moves from the server into the browser.
Proper contextual output encoding is the primary and most effective way to combat Cross-Site Scripting (XSS) attacks.
It is important to apply the escaping rules of the context the data is being placed into (HTML body, HTML attribute, JavaScript string, URL parameter, CSS value) so that an attacker cannot break out of that context.
The reason that output encoding is so important is because HTML, by nature, mixes code and data; thus an attacker can disguise code as data and that code can be executed unintentionally by other users.
By encoding untrusted data in the correct context while dynamically building portions of the DOM or writing out JavaScript, developers can effectively mitigate DOM-Based XSS attacks.
Client-side contextual encoding is especially relevant to developers who load data from third-party services and display that data on their page.
The client usually has no control over the integrity of the data it receives, so when rendering data from an untrusted source, such as a public web service, the developer needs to be able to encode that data for the exact context it is written into.
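The following is an added example, not code from the library described on this page, showing what "encoding for the correct context" means in practice. It implements minimal encoders for four contexts (HTML text, HTML attribute, JavaScript string literal, URL parameter) and uses them to render a record from a constructed, hypothetical "public comment feed" whose fields carry typical breakout payloads. The encoders follow the usual rule of escaping every ASCII character that is not alphanumeric, using the escape syntax of the target context; no jQuery is needed for the example itself.

```javascript
// Added example: contextual output encoding for DOM-based XSS prevention.
// Not the library's own code; the feed below is constructed for illustration.

// Table for the HTML text context. '/' is included so that "</" cannot
// close a tag even when the data lands inside a <script> or <style> block.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML body / text node context.
function encodeForHTML(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// HTML attribute context: numeric entity for every ASCII non-alphanumeric.
// This stays safe even if a template author forgets to quote the attribute,
// because whitespace and '=' are encoded too. Non-ASCII passes through.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    if (code > 0x7f) return ch;
    return '&#x' + code.toString(16).toUpperCase().padStart(2, '0') + ';';
  });
}

// JavaScript string-literal context: \xHH for Latin-1, \uHHHH otherwise.
// Entity encoding is wrong here because the JS parser never decodes entities;
// conversely, this output must only ever be placed inside a quoted JS string.
function encodeForJavaScript(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// URL query-parameter context: percent-encoding of a single parameter value.
function encodeForURL(input) {
  return encodeURIComponent(String(input));
}

// Constructed sample data, as if returned by an untrusted public web service.
// Both fields contain payloads that would execute if written out unencoded.
const SAMPLE_FEED = [
  { user: 'mallory" onmouseover="alert(1)', text: '<img src=x onerror=alert(1)>' },
  { user: 'alice', text: "It's fine & works" },
];

// Builds one list item. Note that the same untrusted value (record.user) is
// encoded three different ways because it appears in three different contexts.
function renderComment(record) {
  return (
    '<li class="comment" data-user="' + encodeForHTMLAttribute(record.user) + '">' +
    '<a href="/profile?user=' + encodeForURL(record.user) + '">' +
    encodeForHTML(record.user) + '</a>: ' +
    encodeForHTML(record.text) +
    '</li>'
  );
}

// Builds an inline script that hands the user name to page JavaScript.
// Inside the quoted literal only encodeForJavaScript is correct.
function renderInlineScript(record) {
  return "<script>var currentUser = '" + encodeForJavaScript(record.user) + "';</script>";
}

// Render the whole feed; the result can be assigned to innerHTML safely
// because every untrusted value was encoded for its own context.
function renderFeed(feed) {
  return '<ul>' + feed.map(renderComment).join('') + '</ul>';
}

console.log(renderFeed(SAMPLE_FEED));
console.log(renderInlineScript(SAMPLE_FEED[0]));
```

The point the example makes is the one the text above makes: the encoder is chosen by where the data lands, not by where it came from. Using encodeForHTML on a value inserted into an onclick handler, for instance, would be wrong, because the browser decodes the attribute's entities back into quotes before the JavaScript parser sees them, which lets the value break out of the string literal.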
What is new in this release:
- Initial release.
Requirements:
- JavaScript enabled on client side
- jQuery